What is Phishing?
Phishing scams are fraudulent messages that appear to come from a legitimate organization (your bank, a service provider, your insurance company). They usually direct you to a spoofed web site or otherwise get you to disclose private information (a password, credit card details, or other account data). The perpetrators then use that information to commit identity theft or fraud.
Before e-mail, a scammer had to contact each potential victim individually by post, fax, telephone or in person, which cost significant time and money. Today scammers take advantage of e-mail and of the boom in social networks such as Facebook, Twitter or LinkedIn, which have become massive new phishing channels.
To clarify how phishing works, here are a few common phishing schemes (the list is not intended to be exhaustive):
– E-mails or messages seemingly from your bank, or from any other trusted institution you deal with, ask the recipient to submit sensitive personal information such as an SSN, phone number, password or credit card details. The recipient may be prompted to call a fraudulent number or to click a link in the message that leads to a spoofed website.
– Sometimes scammers simply rely on users mistyping a web address in the browser's address bar (typosquatting). Misspelling your bank's address can land you on a counterfeit site that looks like the real one, where your login details are captured.
Help desk or Service Deactivation
– Similar to the previous scheme: the victim receives a message supposedly from a trusted source asking for sensitive information "for verification" to avoid a service interruption (e.g. an Internet provider, PG&E, etc.).
Nigerian scams (or Advance Fees Fraud)
– Details vary, but the pattern is the same: a person in Nigeria (why they usually say Nigeria is explained below) has access to a large sum of money (its origin varies from case to case), but needs some financial help from the victim to get it out. The victim is asked to transfer a fixed amount to the scammer in exchange for a promised reward or share of the sum once the scammer has access to it. Of course, after the victim's transfer no further communication is ever received.
Fake job offers
– The goal of fake job offers and work-from-home scams is usually to gather sensitive information from the jobseeker that is then used to impersonate the victim for dishonest purposes. Sometimes these alleged "recruiters" ask for an application fee for positions that may not even exist. Counterfeit job offers may be posted in newspapers or on professional recruiting websites.
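The typosquatting and lookalike domains mentioned under the bank scheme above can be enumerated and detected mechanically: generate the one-mistake variants of a trusted domain so they can be registered defensively or watched for, and flag any hostname that is one typo, one homoglyph swap or one TLD swap away from a brand you trust. The following Python is an added example, not code from the original article; the trusted-domain list and sample hostnames are constructed, and the homoglyph table is a short hand-picked one rather than a complete confusables list.

```python
"""Enumerate likely typosquats of a trusted domain and flag hostnames that
imitate it. Added example, not code from the original article; the trusted
domains and sample hostnames are constructed, and HOMOGLYPHS is a short
hand-picked table, not a complete Unicode confusables list."""

import string
from typing import List, Optional, Set

# Character sequences that render almost like another character in many fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# TLDs commonly swapped for the real one in typosquats.
ALT_TLDS = ("com", "net", "org", "co", "biz")


def typo_candidates(domain: str) -> Set[str]:
    """Return single-mistake variants of a domain: one character dropped, two
    adjacent characters swapped, one character doubled, one character replaced
    by a letter or digit, or the TLD exchanged for a common alternative."""
    name, _, tld = domain.lower().rpartition(".")
    labels = set()
    for i in range(len(name)):
        labels.add(name[:i] + name[i + 1:])                      # omission
        labels.add(name[:i + 1] + name[i] + name[i + 1:])        # doubling
        for c in string.ascii_lowercase + string.digits:         # substitution
            if c != name[i]:
                labels.add(name[:i] + c + name[i + 1:])
    for i in range(len(name) - 1):                               # transposition
        labels.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    labels.discard(name)
    candidates = {f"{label}.{tld}" for label in labels}
    candidates.update(f"{name}.{alt}" for alt in ALT_TLDS if alt != tld)
    return candidates


def normalize(label: str) -> str:
    """Fold visually confusable sequences to the character they imitate."""
    label = label.lower()
    for glyph, canonical in HOMOGLYPHS:
        label = label.replace(glyph, canonical)
    return label


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance (optimal string alignment variant), so a
    transposition of adjacent characters counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(hostname: str, trusted: List[str]) -> Optional[str]:
    """Return the trusted domain that `hostname` imitates, or None.
    A trusted domain itself, and any real subdomain of it, is not a lookalike.
    Note: this splits on the last dot only; a production tool would use the
    Public Suffix List to find the registrable label (e.g. for bank.co.uk)."""
    host = hostname.lower().rstrip(".")
    if any(host == t or host.endswith("." + t) for t in trusted):
        return None
    host_label = host.rpartition(".")[0]
    for t in trusted:
        t_label = t.rpartition(".")[0]
        # One typo away, with or without homoglyph folding (covers a swapped
        # TLD too, since the label is then identical) ...
        raw = edit_distance(host_label, t_label)
        folded = edit_distance(normalize(host_label), normalize(t_label))
        if min(raw, folded) <= 1:
            return t
        # ... or the brand name embedded in an unrelated domain.
        if t_label in host_label:
            return t
    return None


if __name__ == "__main__":
    trusted_domains = ["paypal.com", "microsoft.com"]
    for host in ["login.paypal.com", "paypa1.com", "paypla.com", "paypal.co",
                 "rnicrosoft.com", "paypal.com.secure-login.net", "example.org"]:
        print(f"{host:32} -> {lookalike_of(host, trusted_domains)}")
```

The substring rule at the end is deliberately aggressive (it will also flag a harmless "mypaypalblog.net"), which is the right trade-off for a warning shown to a user but not for automatic blocking; the candidate list from typo_candidates is what you would feed to DNS or certificate-transparency monitoring to learn when someone registers one of the variants.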
Why do they work?
Phishing attacks, like other scams, tend to focus on the most vulnerable groups. Some studies show that gender and age are two key demographics that predict phishing susceptibility. Specifically, women click on links in phishing e-mails more often than men do, and are also much more likely than men to give information to phishing websites; the studies attribute part of this difference to women in their samples having less technical training and knowledge. There is also a significant effect of age: participants aged 18 to 25 are much more likely than others to fall for phishing, apparently because this group has a lower level of education, fewer years on the Internet and less aversion to risk. These are averages over study populations, not rules: anyone can be phished, so awareness training should not be limited to these groups.
How can I identify a phishing attempt?
As the average user becomes better trained and more aware of Internet scams, phishing attacks are becoming more and more sophisticated. Even so, some of the schemes described above are deliberately aimed at non-technical users; the Nigerian scam is the clearest case. The main reason scammers keep using obviously implausible wording and e-mail formats is that they want to reach only the least technically educated group, for maximum return on minimum effort: anyone who replies to such an obvious scheme is far more likely to follow through and pay than an average user, so the crude wording filters out the people who would only waste the scammer's time. That is also why the letters usually say Nigeria: the name is so strongly associated with the scam that it drives away everyone except the most credulous readers.
The good news is that most scam attempts can be avoided with simple tools: common sense plus the widely available protection techniques we all have access to these days. Following the advice below should drastically reduce the risk of a successful phishing attack.
Commercial e-mail providers such as Yahoo, Gmail or Hotmail spend large amounts of resources improving their anti-spam and anti-phishing filters, reducing the chance that one of these messages reaches you. Likewise, the phishing-site blocklists built into modern browsers and freely available anti-virus software can detect some attacks, although none of these catch everything.
Most legitimate businesses have a policy of never asking for personal information by e-mail. Be very suspicious of any message that asks for it, even if it looks legitimate. If you think the request might be genuine, do not use the link or phone number in the message: type your bank's address yourself (or use a bookmark) and call the number printed on your card or statement.
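The indicators this section describes (a message that asks for credentials or personal data, a link whose visible text names your bank but whose real target is elsewhere, a link to a bare IP address instead of a domain, and a reply address that does not match the sender) can all be checked mechanically on a raw message, which is what a mail filter or a security-awareness tool does. The script below is an added example, not part of the original article; SAMPLE_EMAIL is a constructed message (TEST-NET address, fictional phone number, invented domains) and SENSITIVE_PHRASES is an illustrative subset rather than a complete list.

```python
"""Scan a raw e-mail for phishing indicators: a Reply-To that does not match
the sender, links to bare IP addresses, links whose visible text names one
host but whose target is another, and wording that asks for credentials or
personal data. Added example, not code from the original article. SAMPLE_EMAIL
is constructed (TEST-NET address, fictional phone number, invented domains)
and SENSITIVE_PHRASES is an illustrative subset, not a complete list."""

import email
import email.utils
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

SAMPLE_EMAIL = """\
From: "First Example Bank" <security@firstexamplebank.com>
Reply-To: support@accounts-verify-now.net
To: customer@example.org
Subject: Urgent: verify your account to avoid suspension
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, unusual activity was detected. Your account will be
suspended unless you confirm your password and Social Security number
within 24 hours.</p>
<p><a href="http://203.0.113.7/login">https://www.firstexamplebank.com/login</a></p>
<p>Or call 1-800-555-0199 and have your credit card ready.</p>
<p><a href="https://www.firstexamplebank.com/help">Help center</a></p>
</body></html>
"""

SENSITIVE_PHRASES = ("password", "social security", "credit card",
                     "verify your account", "suspend")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Hostname of a URL; bare 'www.example.com/x' text is accepted too."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _domain_of(header_value: str) -> str:
    return email.utils.parseaddr(header_value)[1].rpartition("@")[2].lower()


def phishing_indicators(raw_message: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: List[str] = []

    sender = _domain_of(str(msg.get("From", "")))
    reply_to = _domain_of(str(msg.get("Reply-To", "")))
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""

    collector = _LinkCollector()
    collector.feed(content)
    for href, shown in collector.links:
        target = _host(href)
        if _is_ip(target):
            findings.append(f"link points to a bare IP address: {target}")
        # Visible text that looks like a URL must agree with the real target.
        if re.match(r"^(https?://|www\.)\S+$", shown, re.I) and _host(shown) != target:
            findings.append(f"link text shows {_host(shown)} but points to {target}")

    text = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", content)).lower()
    for phrase in SENSITIVE_PHRASES:
        if phrase in text:
            findings.append(f"asks for / threatens: '{phrase}'")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

On the constructed message this reports the mismatched Reply-To, the link to 203.0.113.7 hidden behind the bank's URL as link text, and five credential or urgency phrases; the second link, whose text is plain words and whose target is the bank's own site, is not flagged. A real filter would add the lookalike-domain check from the earlier example and reputation data, but the link-text-versus-target comparison alone catches the most common trick in the bank scheme described above.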
The most powerful tool against phishing is education. Well-trained users can reliably tell counterfeit messages from legitimate ones.