Don't Get Hooked: A Guide to Avoiding Phishing Scams

Key Points: Phishing Scams

  • Phishing Definition:

    • Cybercrime where attackers deceive individuals into revealing sensitive information by posing as trustworthy entities.

  • Types of Phishing Attacks & How to Identify Them:

    • Phone Scams:

      • Spoofed caller ID, unsolicited calls, high-pressure tactics, requests for personal information, unusual payment methods, promises of guaranteed returns, threats, poor communication quality, requests for confidentiality.

    • Text Scams (Smishing):

      • Suspicious sender, urgent language, requests for personal information, suspicious links, grammatical errors, generic greetings, unexpected offers.

    • Email Scams (SLAM):

      • Sender, Links, Attachments, Message.

    • Social Media Scams:

      • Suspicious friend requests, too-good-to-be-true offers, urgent messages, requests for personal information, suspicious links, fake profiles, requests for money, grammatical errors.

  • What to Do if You've Been Phished:

    • Clicked a Link: Disconnect from the internet, run antivirus software, or seek professional help if needed.

    • Shared Personal Information: Change passwords immediately, enable two-factor authentication, and notify anyone whose information was compromised.

  • Remember:

    • Stay vigilant and trust your instincts.

    • Verify information through official channels.

    • Share this information with others to create a safer online community.

What Exactly is Phishing?

Phishing, much like the act of fishing, involves casting a line into the digital world to see who bites. It's all about tricking someone into revealing private information. Phishers often pretend to be someone or something you trust to gain your confidence. Once they have that, they'll try to trick you into giving up sensitive data like passwords, usernames, or account numbers.

It's a way for hackers to target people instead of computers to get their hands on confidential information. This kind of attack, where people are the target, is known as social engineering. You could also say that social engineering is just a fancy term for when hackers con people. But while a con artist usually tricks their victim into believing something false to get something tangible, like money, a social engineer is after confidential information to access even more sensitive data, accounts, or systems. And unlike a con artist's victim, someone who falls for a phishing attack often doesn't even realize they've been tricked.

This happens because a phishing attack often won't directly ask for information that seems private to the victim. Instead, they might pose as a trusted entity, someone or something the victim believes already has access to the information, and simply ask them to confirm it. A classic example is an email that appears to be from a company you have an account with, asking you to log in via a link in the email. You might not fall for this, but it's still a common tactic because it works surprisingly well.

It's interesting to note that the 2024 State of the Phish report found that 71% of people who were phished clicked links or downloaded files even though 96% of them knew it was risky. This shows that there's a big difference between knowing something is dangerous and actually avoiding it. So, why did they do it? The report says the top three reasons were convenience, saving time, and a sense of urgency.

If you think something might be a phishing attempt, trust your gut and take a moment to think it through. Remember, if a hacker gets your information, it won't be convenient or save you time in the long run. And if you're feeling pressured to act quickly, that's a red flag – a hacker might be trying to manipulate you. If they get what they want, a situation that seems urgent now could turn into a real emergency.


Exploring Different Types of Phishing Attacks and How to Spot Them

Phishing attacks can happen in a variety of ways, not just through email. While email is a common method, scammers are increasingly using other channels to try and trick people. These include phone calls, text messages, and social media platforms, each with their own unique tactics and dangers.

Phone Scams

Phone scams can take various forms, from automated messages to conversations with real people, and even sophisticated deepfakes that convincingly mimic the voices of familiar individuals. The scammer might impersonate a representative from a company you do business with, requesting personal information under the guise of "verification." Alternatively, leveraging deepfake technology, they could convincingly replicate the voice of a friend or family member in distress, pleading for urgent financial assistance.

The advancement of deepfake technology and generative AI has empowered attackers to convincingly mimic the voices of individuals you know and trust. Moreover, they can exploit information gleaned from social media platforms like LinkedIn and Facebook to craft highly personalized and persuasive messages that far surpass the credibility of the infamous "Nigerian prince" scams.

Here are several ways to identify potential phone scams:

  • Caller ID Spoofing: Be cautious if the caller ID displays a name or number that seems familiar but doesn't match the context of the call. Scammers can easily manipulate caller ID information to appear legitimate.

  • Unsolicited Calls: Be wary of unsolicited calls from individuals or organizations you don't know or haven't interacted with before. Legitimate companies typically won't contact you out of the blue to request personal information or offer unexpected deals.

  • High-Pressure Tactics: Scammers often use high-pressure tactics to create a sense of urgency and coerce you into making hasty decisions. They may threaten legal action, claim you've won a prize, or insist on immediate payment.

  • Requests for Personal Information: Be extremely cautious if the caller asks for personal or financial information, such as your social security number, bank account details, or credit card number. Legitimate companies rarely request such information over the phone unless you initiated the contact.

  • Unusual Payment Methods: Scammers often request payment through unconventional methods, such as wire transfers, prepaid gift cards, or cryptocurrency. Be wary of any requests for payment that deviate from standard practices.

  • Promises of Guaranteed Returns or Investments: If the caller promises guaranteed financial returns or investment opportunities that sound too good to be true, they probably are. Exercise caution and avoid disclosing any financial information or making any commitments.

  • Threats and Intimidation: Scammers may resort to threats or intimidation to manipulate you into complying with their demands. They may threaten legal action, arrest, or other consequences if you don't cooperate.

  • Poor Communication Quality: Scammers may have poor call quality, background noise, or difficulty understanding you. This could indicate that the call is originating from an overseas location or a less-than-professional environment.

  • Requests to Keep the Call Confidential: If the caller asks you to keep the call confidential or not to discuss it with anyone, this is a red flag. Legitimate companies typically don't have any reason to discourage you from seeking advice or verifying information.

Remember, if you're unsure about the legitimacy of a call, hang up and contact the company or organization directly through a trusted phone number or website. Don't be afraid to ask questions and verify the caller's identity before providing any personal information. 

Text Scams

Text-based phishing attacks, also known as "smishing," often masquerade as messages from trusted sources, enticing you to click on a link. These links may lead to fake login pages designed to steal your credentials, or they might prompt you to enter personal information directly. Reputable companies are well aware of this common tactic and will typically not send text messages containing links that require you to log in. If you receive such a message, it's crucial to exercise caution. Avoid clicking on any links or responding to the message, as doing so confirms to the attacker that your phone number is active and may encourage them to intensify their efforts. The best course of action is to block the number and delete the message immediately.

Here are several ways to identify potential text scams:

  • Suspicious Sender: Be wary of messages from unknown or unfamiliar numbers. Scammers often use spoofed numbers or generic names to mask their true identity.

  • Urgent or Threatening Language: Smishing messages often create a sense of urgency or fear to pressure you into acting quickly without thinking. They may claim your account is at risk, you've won a prize, or there's a problem requiring immediate attention.

  • Requests for Personal Information: Legitimate companies rarely ask for personal or financial information via text message. Be cautious if a message asks for your password, credit card details, social security number, or other sensitive data.

  • Suspicious Links: Don't click on links in text messages unless you're absolutely certain they're safe. Hover over the link (if possible) to see the actual URL, and be wary of shortened links or URLs that don't match the sender's information.

  • Grammatical Errors and Typos: Smishing messages often contain grammatical errors, typos, or awkward phrasing. Legitimate companies typically proofread their messages carefully.

  • Generic Greetings: Be suspicious of messages that start with generic greetings like "Dear Customer" or "Hi." Reputable companies usually personalize their messages with your name or account information.

  • Unexpected Offers: If you receive a text message about an offer or prize that seems too good to be true, it probably is. Scammers often use these tactics to lure victims into their traps.

Remember, trust your instincts. If something feels off about a text message, it's best to err on the side of caution and avoid interacting with it. Don't click on links, don't reply, and don't provide any personal information. If you're unsure about a message's legitimacy, contact the company directly through a trusted phone number or website to verify.

Email Scams

When it comes to email, the Office of Information Technology at the University of Colorado in Boulder came up with a great acronym for remembering how to identify phishing attacks. 

Identify phishing by remembering to SLAM:

  • Sender: Look for misspelled email addresses or masked sending addresses that don’t match the expected sender’s name or address. If you don’t recognize the sender, don’t proceed.  

  • Links: Hover over (but don’t click on) links to see where they actually lead before acting on them – especially links you don’t recognize. Rather than clicking, type the website’s URL into your browser yourself.

  • Attachments: Do not open unexpected attachments – even from people you know. Sometimes people you know have had their account compromised or don’t realize they’re forwarding a phishing attack.

  • Message: Check emails, including subject lines, for suspicious language, misspelled words and bad grammar – hallmarks of a mass-produced phishing scam.
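As an added example (not code from the article or from CU Boulder's SLAM material), the Python below applies the four SLAM checks to a constructed sample email: it flags a sender domain that does not match the organisation the display name claims, a link whose visible text points somewhere other than its real destination, any attachment, and urgent wording in the subject. The bank name, domains, file name and keyword list are all placeholders chosen for the demonstration.

```python
"""SLAM triage of a raw email (added example; domains and names are constructed)."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: the display name claims "Example Bank" (example-bank.com)
# but the address uses a look-alike domain, the link text and href disagree,
# an executable is attached, and the subject pushes for immediate action.
SAMPLE_EML = b"""\
From: "Example Bank Support" <alerts@examp1e-bank.com>
To: customer@example.net
Subject: URGENT: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended. <a href="http://login.examp1e-bank.com/verify">https://www.example-bank.com/login</a></p>
--b1
Content-Type: application/octet-stream; name="statement.exe"
Content-Disposition: attachment; filename="statement.exe"

MZ
--b1--
"""

# Placeholder list of pressure words; a real deployment would tune this.
URGENT_WORDS = ("urgent", "immediately", "suspended", "verify", "24 hours")


def registrable_domain(host):
    """Reduce 'login.example-bank.com' to 'example-bank.com' (naive two-label rule)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def slam_check(raw, expected_domain):
    """Return a list of SLAM findings for the raw message bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # S - Sender: the address domain must belong to the organisation claimed.
    from_addr = msg["From"].addresses[0]
    if registrable_domain(from_addr.domain) != expected_domain:
        findings.append(f"sender domain {from_addr.domain!r} is not {expected_domain!r}")
    # L - Links: anchor text that shows one site while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown, actual = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and actual and registrable_domain(shown) != registrable_domain(actual):
            findings.append(f"link text shows {shown} but points to {actual}")
    # A - Attachments: anything attached to an unexpected message is worth a flag.
    for part in msg.iter_attachments():
        findings.append(f"attachment {part.get_filename()!r}")
    # M - Message: pressure language in the subject line.
    hits = [w for w in URGENT_WORDS if w in (msg["Subject"] or "").lower()]
    if hits:
        findings.append(f"urgent language in subject: {hits}")
    return findings


if __name__ == "__main__":
    for line in slam_check(SAMPLE_EML, "example-bank.com"):
        print("-", line)
```

Each of the four SLAM letters produces one finding for the sample, which is the signal a reader would see by hovering and inspecting the headers by hand.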

When you receive a phishing email, it's important to take action to protect yourself and others. If the email was sent to your work account, report it to your company's IT department or follow their established protocol for handling phishing attempts. Many organizations have specific procedures in place to address such incidents and prevent further harm.

For personal email accounts, some email providers like Gmail offer a built-in "Report phishing" option within their web or mobile apps. If this feature is available, utilize it to alert the provider of the suspicious email. However, if your email provider lacks a dedicated reporting mechanism, you should still take steps to safeguard your account. Start by deleting the phishing email and blocking the sender to prevent further communication. It's crucial to avoid responding to the email, as this could inadvertently confirm that your email address is active and potentially expose you to more targeted attacks.

If the phishing email appears to have been sent from someone you know, it's possible that their account has been compromised. In this case, reach out to them through a secure and alternative communication channel, such as a phone call, text message, or direct message on a trusted platform. Inform them of the suspicious email and advise them to take immediate action to secure their account and notify their contacts of the potential breach. This will help prevent the phishing attack from spreading further and causing harm to others. Remember, taking swift action when you encounter a phishing email is essential for protecting yourself and others from falling victim to online scams.

Social Media Scams

Social media phishing scams can range from the blatant to the subtle. Some may employ obvious tactics, such as informing you of a non-existent contest you've won or threatening to lock your account unless you provide specific details. Others take a more cunning approach, enticing you with seemingly harmless personality quizzes or polls that, in reality, are designed to extract personal information. While these quizzes may appear entertaining – "Discover Your Hogwarts House!" or "Which Disney Princess Are You?" – they can be cleverly disguised data collection tools. Remember, not all online quizzes are malicious, but it's crucial to exercise caution whenever you're asked to provide personal information, especially if it seems unnecessary for the quiz's purpose.

Here are several ways to identify potential social media scams:

  • Suspicious Friend Requests: Be cautious of friend requests from people you don't know or who have very few mutual friends. Scammers often create fake profiles to connect with potential victims.

  • Too-Good-to-Be-True Offers: Be wary of posts or messages offering free gifts, prizes, or exclusive deals that seem too good to be true. Scammers often use these tactics to lure victims into providing personal information or clicking on malicious links.

  • Urgent or Threatening Messages: Scammers may send messages claiming your account has been compromised, you've violated terms of service, or you need to act quickly to avoid negative consequences. These messages are designed to create a sense of urgency and panic, leading you to make impulsive decisions.

  • Requests for Personal Information: Legitimate companies rarely ask for personal or financial information through social media. Be cautious if a message asks for your password, credit card details, social security number, or other sensitive data.

  • Suspicious Links: Don't click on links in social media messages or posts unless you're absolutely certain they're safe. Hover over the link (if possible) to see the actual URL, and be wary of shortened links or URLs that don't match the sender's information.

  • Fake Profiles and Impersonation: Scammers often create fake profiles that impersonate celebrities, businesses, or even your friends and family. Be cautious of interacting with profiles that seem suspicious or have recently been created.

  • Requests for Money or Donations: Be wary of requests for money or donations, especially if they come from someone you don't know well or through an unusual payment method. Legitimate charities typically have established websites and donation platforms.

  • Grammatical Errors and Typos: Scam messages often contain grammatical errors, typos, or awkward phrasing. As mentioned before, legitimate companies and organizations typically proofread their content carefully.

Again, trust your instincts. If something feels off about a message or post on social media, it's best to err on the side of caution and avoid interacting with it. Remember, don't click on links, don't provide personal information, and don't send money unless you're absolutely certain the request is legitimate. And as always, if you're unsure about something, contact the company or individual directly through a trusted channel to verify the information. 


Steps to Take If You've Been Phished

The steps you need to take will vary depending on the specific nature of the phishing attack you've encountered. The actions required if you've accidentally divulged personal information differ significantly from those necessary if you've inadvertently clicked on a malicious link. Let's explore the appropriate responses for each scenario.

What to Do if You Click on a Phishing Link 

If you've inadvertently clicked on a suspicious link, your immediate priority should be to isolate your device from the internet. This can be achieved by disconnecting the Wi-Fi or unplugging the ethernet cable. While clicking a link doesn't always result in malware installation, it's a possibility you shouldn’t ignore. Malware can operate stealthily, downloading additional malicious software or attempting to spread to other devices on your network. By disconnecting from the internet, you limit the potential damage and prevent further infection.

Once your device is offline, the next course of action depends on your security software situation. If you have up-to-date antivirus software installed, run a full scan immediately. This software is designed to detect and quarantine most types of malware and viruses, effectively neutralizing the threat.

However, if you lack antivirus software or haven't updated it in a while, you'll need to take additional precautions. Start by booting your device into safe mode, a diagnostic mode that limits the programs and drivers that can run. This helps prevent any potential malware from executing while you address the issue. In safe mode, back up any essential personal data you want to preserve. Once you've secured your data, seek professional assistance from a reputable computer repair shop. They have the expertise and tools to thoroughly scan your device for malware and remove any malicious software they find. Remember, taking swift action after clicking on a suspicious link can significantly minimize the potential damage and protect your device and data.

What to Do if You Shared Personal Information

If you've inadvertently divulged your username and password, immediate action is crucial. Begin by changing your password directly on the website or app associated with the compromised account. Ensure you access the site by typing the URL into your browser rather than clicking on any links, as these may lead to phishing sites designed to steal your new credentials. It's equally important to update passwords for any other accounts where you've used the same or similar login information. Hackers often exploit password reuse, and once they have access to one account, they may attempt to gain entry to others using the same credentials or slight variations. Remember, creating unique and strong passwords for each of your accounts is a fundamental step in safeguarding your online security. To learn more about how to prevent password reuse, please read my article Your first step to cyber resiliency is the easiest.

Furthermore, consider enabling two-factor authentication (2FA) wherever possible. This adds an extra layer of security by requiring a second form of verification, such as a unique code sent to your phone or generated by an authenticator app, in addition to your password. Even if a hacker obtains your password, they'll be unable to access your account without the second factor.

If the compromised information belongs to someone else, it's your ethical responsibility to notify them immediately. This allows them to take the necessary steps to protect their accounts and personal information. Be transparent and explain the situation clearly, providing any relevant details about the phishing attack or how the information was compromised. By informing the individual promptly, you can help mitigate potential damage and prevent further harm. Remember, taking swift action is crucial in minimizing the impact of a phishing attack and protecting yourself and others from online threats.

In conclusion, phishing attacks remain a pervasive and significant threat in the digital landscape. By familiarizing yourself with the various forms these attacks can take and learning how to identify their telltale signs, you can empower yourself to safeguard your personal information and financial well-being. Remember, vigilance is key; trust your instincts and exercise caution when encountering suspicious messages or requests. Should you fall victim to a phishing attack, swift action is essential to minimize the potential damage and prevent further harm. Take the next step in protecting yourself: share this information with your friends, family, and colleagues, and together, we can create a more secure online community. By staying informed, adopting proactive security measures, and remaining alert to evolving cyber threats, you can navigate the online world with greater confidence and security.

FAQs

  • What is phishing?

    • Phishing is a type of cybercrime where attackers trick you into giving them your private information by pretending to be someone you trust. They often use emails, text messages, or phone calls to try to steal your passwords, bank account numbers, or other sensitive data.

  • What are some common signs of a phishing scam?

    • There are many signs that could indicate a phishing scam, including misspelled email addresses, suspicious links, unexpected attachments, messages with poor grammar or spelling, urgent or threatening language, requests for personal information, and offers that seem too good to be true.

  • What should I do if I think I've been phished?

    • If you think you've been phished, there are a few things you should do. If you clicked on a suspicious link, disconnect your device from the internet and run antivirus software. If you shared personal information, change your passwords immediately and enable two-factor authentication. You should also notify anyone whose information may have been compromised.

If you have any questions or would like to learn more, please feel free to contact us!

Patrick Himes

My journey into the world of cybersecurity began in 1986 with my first computer, where I taught myself to code and delved into the realm of video game hacking. This early fascination led me to write my college thesis on hacking and ultimately pursue a 25-year career as a professional software engineer.

During my tenure at smaller companies without dedicated cybersecurity teams, I was often called upon to defend against cyber attacks and ensure the security of our products and confidential client data. These experiences highlighted the critical need for widespread cybersecurity awareness and motivated me to establish my own company dedicated to empowering individuals to navigate the digital landscape safely and confidently.

I believe that clear communication and accessible education are key to fostering a cyber-aware society. By sharing my knowledge and expertise, I aim to equip everyone with the tools and understanding they need to protect themselves in an increasingly interconnected world.
