Phishing

What is Phishing? Be Wary of Fake Emails and Other Scams!

Last edited: June 19, 2020

You’ve probably heard of phishing before. Almost constantly, companies, news outlets and other organizations try to warn against it. But what is phishing exactly? This article will tell you all about this form of cybercrime. We’ll talk about what it is, how to recognize it, and how you can protect yourself against it. We’ll also show you what to do if you’re a victim of a phishing attempt.

What is Phishing?


Phishing is a kind of cybercrime that has victims unknowingly giving criminals access to their personal information or bank account. Usually, this happens due to a phishing email being sent to the victim. This email appears to come from an official organization or business, but was actually sent by a criminal. These criminals will do anything to make their emails seem as authentic as possible. For example, they’ll use logos of official websites and companies. In said emails, victims are often asked to click on a link or open an attachment.

If you click on a link in a phishing email, you might find yourself on a page that looks like an official website, but is only a fake copy. The criminal hopes you’ll enter your personal details and sensitive information on this page by, for example, filling in a login screen. Once you do this, the criminal will have access to this information. Opening an attachment in a phishing mail, too, could cause a lot of problems. You might unknowingly be installing malware, such as a virus or spyware, on your computer. This can in turn result in the criminal gaining all sorts of personal information about you, such as your banking details. Sometimes they even install bots to create a botnet and carry out DDoS attacks.

The eventual goal of a phishing criminal is to benefit from stealing your money or personal data. This is where the name ‘phishing’ comes from. Cybercriminals ‘fish’ for your information: they throw out their digital fishing rod (the email) and wait until a victim bites. They use a recipient’s fears and emotions to make their scam work. They might, for example, pretend you have an unpaid payment waiting for you, telling you you’ll be risking a fine if you don’t pay up right away. Victims often panic when reading this and do as they’re asked, falling for the criminal’s tricks. Don’t feel stupid if this has happened to you. It can be incredibly hard to distinguish a fake message from the real deal.

Different Kinds of Phishing

Generally, email is a very effective medium for criminals, since it allows them to reach thousands of people in one go. Spending as little time as possible, they’re able to steal a lot of money, as long as a small part of the recipients falls for the scam. However, it doesn’t end with emails. Here are some other forms of phishing that you should watch out for, whether it’s about scams on social media or via traditional mail.

SMS and WhatsApp scams

Cybercriminals keep thinking of new ways to steal money from their victims. These techniques might be more effective and lucrative, because people simply don’t know about them yet. A text from your bank might not always be worthy of your trust. The same goes for a WhatsApp message from an official organization, asking you to pay an invoice you don’t remember anything about. Over the last few years, WhatsApp especially has been used more and more in phishing scams.

Have you received a suspicious message? It can be very hard to tell whether an invoice actually has to be paid or is simply an attempt to steal your money. The best thing to do is contact the organization that supposedly sent the message. Go to their official website by looking up the right contact information online, without clicking any links in the message or using information in there. Phishing criminals are often smart enough to change the company’s contact information to their own. If the company doesn’t know anything about the message, make sure they know someone’s sending out phishing messages in their name.

Fake invoices

Not just social media, but also more traditional forms of communication are being misused by cybercriminals. One of the more common scams, especially for those who have their own business, is the fake invoice. Scammers send over a fake but very real-looking invoice telling you to pay up quickly or suffer the consequences. You’re often told to send the money to a specific bank account. Sometimes they’ll even claim you’re in debt and they’ll send a debt collector if you don’t transfer the money fast. While it’s possible to receive such a letter from official institutions (in extreme circumstances), it could also be a case of phishing. This means that, usually, the threats are false. If you transfer the money, it’ll just end up in the pockets of the scammers.

If you want to check whether an invoice or payment reminder is legitimate, call the company that sent it. Again, don’t use the contact information listed on the invoice, though. Always go to the official website of the company that’s shown on the invoice and call or email them. Ask for confirmation of the invoice, the amount of money mentioned, and the account it should be transferred to before paying anything.

Emails or social media messages from friends or relatives

If a criminal has gotten access to the email or social media account of a victim (through a previous phishing attack, for example), they could use that to find new victims. A criminal might try to get other people to send him money by sending out messages to friends of the hacked account. Often, these messages will start with a simple “Hi, how are you?”. Once people react, the criminal will ask for money. Here’s an example of such a phishing message, in which John’s account has been hacked and the cybercriminal approaches his friend Matthew via Facebook:

Facebook Phishing message

When you hear a friend’s in trouble, you’re probably eager to help them. Cybercriminals misuse this tendency by creating a sense of urgency: John’s stuck abroad and has to get home as soon as possible. If Matthew decides to help him out, he’ll unknowingly transfer money to a bank account that isn’t John’s, but a cybercriminal’s. The criminal might ask for the money to be transferred via PayPal, Western Union, Moneygram or Bitcoin. In some cases, criminals will take the effort to map out the full friend network of the hacked account and even read past messages. They’ll use this information to make their phishing attempt look as convincing as possible.

Have you received a message from a friend via email, Facebook or another social media platform asking for money? Be careful. Get in touch with the person you think you’re talking to by, for example, calling them. This way, you can check whether they’re actually in trouble. If not, their account has been hacked.

“Phishing” over phone


Sometimes phishing will happen by phone. This might happen when the criminals already have access to the victim’s bank account, but need other information as well. If the victim cooperates, they’ll unknowingly be transferring money to the criminals. This could happen in the following way:

  1. The criminal is logged into the bank environment of the victim and starts transferring money to his own account.
  2. The criminal calls the victim, pretending to be a bank employee, and asks for the TAN code the victim has received (for example via text).
  3. If the victim communicates the code (that’s actually been sent to verify a payment), the criminal uses it to complete the transaction to his own bank account.

Phishing criminals could also pretend to be an employee of Windows or the manufacturer of your computer or smartphone. They’ll claim to call in order to solve a technical problem. Instead, they make you log into a dangerous website, giving them access to your computer and personal information. In some cases, they’ll even install ransomware on your device. This means all your files will be encrypted and taken hostage: you won’t be able to access them unless you pay up. If you’ve become the victim of ransomware, make sure to contact the police.

Lately there have been reports of a different type of phishing over the phone. A criminal will call you from a strange, usually foreign, number. When you pick up, you hear nothing. Only later does your phone bill show that the phone call has cost you a big amount of money. To keep yourself safe from this kind of scam, don’t just pick up any call.

If you’re ever called by an employee from a certain bank or business, don’t give out your personal information, such as address or bank account number, right away. Always make sure you use the correct, official phone numbers of a business and check whether you’re actually calling with a representative of that company.

How to Recognize Phishing

Have you received an email, text, or other message from an official institution or a friend asking for money? Think twice before you do anything! Whether it looks like a message from the government, a web shop, the IRS, your bank, an insurance company, or a website like Amazon, you might be dealing with a criminal instead. Other types of phishing are the well-known email sent by a “Nigerian prince” or a distant relative pretending they have access to a large amount of money. Before they can send you anything, however, they need you to transfer something to them. Don’t fall for these kinds of traps. They aren’t real.

Because phishing can be difficult to spot, it’s important to know what to look for when checking whether a message is legitimate or not. Here are a couple of tips that’ll help you recognize a phishing attempt.

Tip 1: Greeting, language, spelling and grammar mistakes

Usually, phishing mails are sent out to a lot of people at once. This means they aren’t always personalized. Instead, you end up getting an email with a standard ‘Dear mr./mrs’ or something similar at the top. Always consider whether it’s strange not to be addressed properly by, for example, your bank before doing anything else with the email.

You can usually tell an email is fake when it contains a lot of spelling or grammar mistakes. More often than not, the cybercriminals sending out the mail aren’t the best at English and make obvious errors. Another technique often used in phishing messages is creating a sense of urgency. Language such as “URGENT”, “IMPORTANT” or “FINAL NOTICE” could indicate you’re dealing with a phishing email.

Still, this isn’t always the case. There are phishing emails and websites that don’t contain any errors and even start with some sort of personalized greeting. Luckily there are other things you can look out for, as we’ll tell you in our other tips.

Tip 2: Look at the email’s sender

Phishing emails are often sent out by fraudulent email addresses. Always look at the email address of the sender and check whether it’s legitimate. For example, if you’re a customer of the Bank of America, you might get official emails from addresses ending in @bankofamerica.com. Because cybercriminals don’t own this domain, they can’t use these email addresses. Instead, they’ll try to send it from a very similar domain or use a general email provider. They could, for example, use bankofamerica@gmail.com or something ending in @americanbank.com. Even intentional spelling errors aren’t unusual: by adding a letter or two to the original domain, criminals try to trick you into thinking the message is legitimate after all. Sometimes phishing email addresses consist of random numbers and letters. These are easy to spot and should never be trusted.

In some cases, a phishing message appears to have a trustworthy sender. Sometimes it even seems to be sent from your own email address. This is called ‘email spoofing’ and occurs a lot in phishing and business email compromise (BEC). Don’t fall for it. If you’re in doubt, always contact the sender by looking up the right contact information on their official website. If it’s an email from your own address, simply ignore it.
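
The sender checks from this tip, written out as a small Python function. This is an added example, not part of the original article; the list of general email providers, the finding codes and the two-character typo threshold are assumptions.

```python
from email.utils import parseaddr

# Assumption: a small sample of general-purpose email providers; extend as needed.
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header, official_domain, max_typos=2):
    """Compare a From header with the domain the organisation really uses.

    Returns a list of finding codes. An empty list only means the address is
    on the official domain; a spoofed From header passes this check as well.
    """
    _, address = parseaddr(from_header)
    local, at, domain = address.lower().rpartition("@")
    if not at or not domain:
        return ["no-address"]
    official = official_domain.lower()
    if domain == official or domain.endswith("." + official):
        return []
    brand = official.split(".")[0]
    if domain in FREE_MAIL:
        findings = ["general-email-provider"]
        if brand in local:
            findings.append("organisation-name-before-@")
        return findings
    if edit_distance(domain, official) <= max_typos:
        return ["lookalike-domain"]  # e.g. a letter or two added to the real domain
    return ["different-domain"]


# Constructed sample headers, based on the addresses named in this tip.
SAMPLES = [
    "Bank of America <alerts@bankofamerica.com>",
    "bankofamerica@gmail.com",
    "Customer Service <service@americanbank.com>",
    "info@bankofamericaa.com",
]


def run_samples():
    return {header: check_sender(header, "bankofamerica.com") for header in SAMPLES}


if __name__ == "__main__":
    for header, findings in run_samples().items():
        print(header, "->", findings or "on the official domain")
```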

Tip 3: Don’t share personal information

If you receive an email, text, or other message asking for personal data, for example your login information, this could be a bad sign. Never share your personal or account information via email (or another textual medium) if you’re not sure it’s absolutely safe. Many legitimate businesses will never ask for your information directly. This is especially true when it comes to passwords, TAN codes, and other account-specific information. No matter how real an email or message might look, keep your information private. If you’re uncertain whether a message is real or not, contact the actual organization through their official website or call them. Never reply to shady messages and don’t click on links you don’t trust.

Tip 4: Watch out for suspicious attachments

A simple click on an attachment in a phishing message could already install spyware such as keyloggers and Trojans on your device. Only open files that you completely trust and expected to be sent. Be on the lookout for any file names and file types that seem to be out of the ordinary. Files ending in .zip or .exe should not be trusted at face value. Even PDF files aren’t always safe. You’ll find an overview of file extensions that could be used in phishing emails below.

  • .bat (Batch)
  • .com (Command file)
  • .cpl (Control Panel)
  • .docm (Microsoft Word with macros)
  • .exe (Windows Executable file)
  • .jar (Java)
  • .js (JavaScript)
  • .pif (Program Information File)
  • .pptm (Microsoft PowerPoint with macros)
  • .ps1 (Windows PowerShell)
  • .scr (Screensaver file)
  • .vbs (Visual Basic Script)
  • .wsf (Windows Script File)
  • .xlsm (Microsoft Excel with macros)
  • .zip (Compressed)

If you want to know what type of file a certain attachment is, simply check the letters of the file name after the full stop.

Cybercriminals might try to fool you by adding the file extension to the file name. For example, they might try to make you believe you’re dealing with a PDF file by calling it ‘InvoicePDF.exe’. Instead, it’s an .exe file used to install malicious software.
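
The attachment check described in this tip can be automated. The Python sketch below is an added example, not part of the original article: it lists the attachments of a constructed message and flags the extensions from the overview above, plus names that imitate another file type. It goes slightly beyond the ‘InvoicePDF.exe’ case by also catching double extensions such as ‘report.pdf.js’; the decoy list and the finding codes are assumptions.

```python
import os
from email.message import EmailMessage

# Extensions taken from the overview in this tip.
RISKY = {".bat", ".com", ".cpl", ".docm", ".exe", ".jar", ".js", ".pif",
         ".pptm", ".ps1", ".scr", ".vbs", ".wsf", ".xlsm", ".zip"}

# Assumption: document and image types a disguised file name might borrow.
DECOYS = ("pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt")


def classify(filename):
    """Return finding codes for one attachment name.

    Only the letters after the last full stop decide the file type, so the
    check is made on that real extension and not on the rest of the name.
    An empty list is not proof of safety: even PDF files can be malicious.
    """
    stem, ext = os.path.splitext(filename.strip().lower())
    findings = []
    if ext in RISKY:
        findings.append("risky-extension:" + ext)
        # 'invoicepdf' and 'report.pdf' both end in a borrowed type name.
        if stem.endswith(DECOYS):
            findings.append("disguised-name")
    return findings


def scan_attachments(message):
    """Map every attachment file name in an email message to its findings."""
    return {part.get_filename(): classify(part.get_filename() or "")
            for part in message.iter_attachments()}


def build_sample():
    """Constructed message with placeholder attachments, for demonstration only."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["Subject"] = "FINAL NOTICE: unpaid invoice"
    msg.set_content("Please see the attached invoice.")
    for name in ("InvoicePDF.exe", "statement.pdf", "report.pdf.js", "photos.zip"):
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype="octet-stream",
                           filename=name)
    return msg


if __name__ == "__main__":
    for name, findings in scan_attachments(build_sample()).items():
        print(name, "->", findings or "no finding")
```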

Have you spotted a link in an email that you don’t trust? Don’t click on it. Not every link leads to the place it says it’ll lead you. Luckily, you can easily check this by hovering your cursor over the link (without clicking it!) and checking the bottom left corner of your browser. A small white bar will appear with the exact website the link leads to. Is this a website you don’t recognize or trust? Then you’re likely dealing with a phishing attempt.

The address might even look like a trustworthy website, but be made to fool you. Always check whether everything’s spelled the right way and the domain is correct (for example bankofamerica.com/info instead of bankofamerica.officialwebsite.com/info). Take extra care when you’re using your smartphone or tablet, as it’s very easy to accidentally click on something.
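
The hover check can also be done on the HTML of a message. The Python sketch below is an added example, not part of the original article: it reads each link’s real destination and compares it with the official domain and with the address shown in the link text. The sample HTML is constructed and the finding codes are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that itself looks like a web address, e.g. "www.bankofamerica.com/help".
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._inside = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._inside = True

    def handle_data(self, data):
        if self._inside:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._inside = False


def host_of(url):
    """Host name of a URL, also when the scheme is left out."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def check_links(html, official_domain):
    """Return (href, findings) for every http(s) link in an HTML message body."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        if urlsplit(href).scheme not in ("http", "https"):
            continue
        target, findings = host_of(href), []
        # The official domain must be the END of the host name:
        # bankofamerica.officialwebsite.com belongs to officialwebsite.com.
        if target != official_domain and not target.endswith("." + official_domain):
            findings.append("destination-not-on-official-domain")
        shown = text.strip()
        if URL_LIKE.fullmatch(shown) and host_of(shown) != target:
            findings.append("text-and-destination-differ")
        report.append((href, findings))
    return report


# Constructed sample body using the addresses from the paragraph above.
SAMPLE_HTML = """
<p>Dear customer,</p>
<a href="https://bankofamerica.com/info">Account information</a>
<a href="http://bankofamerica.officialwebsite.com/info">https://bankofamerica.com/info</a>
<a href="https://www.bankofamerica.com/help">www.bankofamerica.com/help</a>
"""

if __name__ == "__main__":
    for href, findings in check_links(SAMPLE_HTML, "bankofamerica.com"):
        print(href, "->", findings or "no finding")
```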

Tip 6: Stay in the loop

Technology and cybercrime are constantly evolving. New ways to protect yourself against phishing and other forms of online crime keep popping up, just like new ways for criminals to try and fool their victims. That’s why it’s important to keep on top of the latest news on phishing and everything connected to it. If you’re reading this article, you’re already well on your way. Make sure to keep an eye on our news section as well. There might be warnings about international phishing attempts issued by businesses or governments.

Tip 7: Trust your intuition

If you’re not exactly sure whether you can trust a message, email or website, then don’t. It’s better to be safe than sorry. Get in touch with the actual organization and ask them about it. If that’s not possible, you can also look up the email address of the sender online. If it’s a phishing attempt that’s been used for a while, other people will probably have dealt with it already and be able to tell you whether it’s safe or not.

How to Avoid Phishing

There are many ways to recognize a phishing email, but it’s even better if you don’t come across them to begin with. Here are a couple of tricks to help you stop phishing.

  • Use two-factor authentication on your accounts: if you need to go through two steps when logging into important accounts (for example with a verification code), the chances of cybercriminals getting full access to your account are much slimmer.
  • Activate your spam filter: your email provider probably has a couple of settings you can use to keep spam out of your inbox. This might not stop all phishing emails from reaching you, but will give you an extra layer of security, so you’ll encounter malicious emails less often. Do make sure any important email addresses you might receive emails from have been placed on a whitelist, so they won’t accidentally end up in your spam folder.
  • Only share your data on secure websites: the address bar will tell you whether the connection between you and the website you’re visiting is secure. If it is, you’ll see a small, closed lock on the left side of the URL as well as ‘https://’ (including the ‘s’) in the link. If this is missing, you shouldn’t share any personal information on that page. A lot of phishing websites have started using HTTPS as well, so this little check won’t be able to save you from all scams. Still, it’s an important start. If you’d like to know more about HTTPS, we wrote a full article on this topic.
  • Make sure you know how you can protect yourself online: our 8 simple steps to go online safely will help you with this.

Working as a Money Mule: accidentally criminal

Some phishing attacks are collaborations between over a hundred people. The biggest chunk of such a group consists of so-called ‘money mules’. These people (often students) temporarily open up their bank accounts to phishing money. This way, stolen money can be sent from account to account quickly and easily, so it’s much harder for authorities to trace the money back to the actual mastermind behind the operation. By way of compensation, the money mules are allowed to keep a small percentage of the money.

Money mules are often recruited by a ‘shepherd’. This happens either online, with job vacancies that seem legal but aren’t, or in real life. A shepherd might go to school playgrounds and other public locations to ask people whether they want to make some extra money. A lot of money mules aren’t aware of the fact that what they’re doing is illegal. They’re complicit in cybercrime without even knowing it.

The risk of being found out by the police is much bigger for money mules than for the person behind the attack. The path of the stolen money first goes through all the money mules’ accounts, after all. We discourage anyone from taking part in such practices. If someone offers you a job that requires you to give them access to your bank account, something ‘phishy’ is definitely going on.

What to Do When You’re the Victim of Phishing?

Have you become a victim of phishing? The security measures you should take depend on the kind of scam. Here’s what you can do if you’ve fallen prey to a phishing scam:

  • If you gave someone your bank information, block your card and call your bank.
  • If it’s an account for an online service, quickly change your password and other crucial information.
  • If you clicked on a suspicious link or downloaded malicious software, use antivirus software to scan your computer and quarantine any viruses.
  • Always contact the actual company or person and tell them what happened. They might be able to help you or at least warn others.
  • Report the phishing to the appropriate authorities, for example the police.
  • Inform your (online) friends about the scam. The criminal might use your data to make more victims.

Conclusion

Phishing is a nasty kind of online crime. Clicking a malicious link or logging in on the wrong website can have disastrous consequences. To ensure you won’t fall victim to this, it’s important to stay informed. Know how to recognize a phishing message and what to do when you receive one. Keep phishing at a distance by setting up your accounts the right way. Has something happened regardless? Make sure to contact the right organizations and take steps to keep the damage to a minimum.

Tech journalist
Tove has been working for VPNoverview since 2017 as a journalist covering cybersecurity and privacy developments. Since 2019 she has been VPNoverview.com's cybersecurity news coordinator.
