If you’ve ever gone fishing, you know how to set up your fishing rod. You attach an enticing lure or bait to your line, toss your line out into the water, and wait for a bite.
Phishing is the same process except that instead of being the one to throw the line out, you’re on the receiving end of that line.
The term “phishing” comes from the idea that scammers use fraudulent emails, text messages, or phone calls to “fish” for information from unsuspecting users. In these messages, scammers try to trick you into giving them personal information, such as passwords, account numbers, or even your Social Security number.
Phishing is a form of social engineering attack. Social engineering is the art of manipulating people to give up confidential information. An attacker uses human interactions (social skills) to obtain and compromise information in a social engineering attack. These emails might use a compelling story, such as urgently asking for your help, donating to their fundraiser, or notifying you that “you’re a winner.”
The first phishing email is thought to have originated in 1995, with the first worldwide incident occurring in 2000.
ILOVEYOU, sometimes referred to as Love Bug or Love Letter for you, was a computer worm that infected over ten million Windows computers in mid-2000. It started spreading as an email message with the subject line “ILOVEYOU” and the attachment “LOVE-LETTER-FOR-YOU.TXT.vbs.”
While receiving an email like that now might seem like obvious spam, users in 2000 couldn’t resist the urge to unearth their secret crush. Opening the attachment allowed the worm to gain complete access to the operating system, secondary storage, and system and user data. Even the Pentagon, CIA, British Parliament, and most large corporations completely shut down their mail systems. At the time, it was one of the world’s most destructive computer-related disasters ever.
Since then, cyber attempts and attacks have only gotten more sophisticated, savvy, and commonplace, using tactics such as:
- Spam: Unsolicited and unwanted messages that get sent out in bulk. Many email service programs and providers have their own spam filters.
- Spoofing: When someone or something pretends to be someone or something they are not in order to gain access to your systems. This tactic makes it’s possible to receive a seemingly innocuous email from an intradepartmental email address that is actually a phishing attempt.
- Spear Phishing: When criminals obtain information about you from websites or social networking sites and customize a phishing scheme to you.
- Clone Phishing: When scammers replicate an email you have received but include a dangerous attachment or link.
- Pharming: A malicious website that resembles a legitimate website used to gather usernames and passwords.
Some current and common phishing attacks look something like these:
Another phishing scam that has been common and popular over the years is the Nigerian Prince scam. It is sent via email from a “Nigerian prince” and typically offers the “investment opportunity” to share in a percentage of millions of dollars that they’re trying to transfer out of Nigeria. In return, all you need to do is send information like your bank and account numbers and passport information. Once you’ve sent this information, they either take your payment and disappear or drain your bank account.
These Nigerian prince scams still rake in over $700,000 a year. Advanced fee scams totaled $83 million in losses along with Nigerian prince scams.
The FBI’s Internet Crime Complaint Center (IC3) found that US-based phishing victims lost almost $54 million in 2020 alone. Total losses due to Internet scams in 2020 amounted to $4.2 billion.
The costliest phishing scam in history was with two of the biggest tech giants in the world, Facebook and Google. The Lithuanian hacker who targeted them impersonated an electronics supplier company, Quanta Computer, which both companies used. The hacker sent an elaborate invoice via email that cost them over $120 million.
How can you avoid becoming a statistic? If you’re unsure how to identify a phishing scam, get familiar with these clues, tips, and resources:
How to recognize phishing scams |
|---|
| Requests for your username and/or password; Credible institutions and organizations will never request personal information via email or phone. |
| Time-sensitive threats; e.g., your account will be closed if you do not respond immediately. |
| Spelling and grammar mistakes. |
| Vague or missing information in the “from” field or email signature. |
| “To” field contains multiple random email addresses or is alphabetized. |
| Impersonal or generic greetings, such as “Dear Ms. account holder.” |
| Unexpected files, attachments, or downloads. |
| Links that don’t refer to the sender’s organization or that you don’t recognize.
Links can also be disguised. It’s important to hover over the link to see if the destination is correct. The destination URL can look like a carbon copy of the genuine site, set up to record keystrokes or steal login/credit card information. Links can be unsecured. If the URL doesn’t start with “HTTPS” or you can’t see a padlock icon next to the URL, do not enter sensitive information or download files from that site. |
| Emails about accounts that you don’t have, such as Paypal or bank accounts. |
| Emails about loans that you don’t have, such as student loans or mortgages. |
| Emails “from” celebrities. |
| Plays on human emotions to evoke sympathy, kindness, fear, worry, anxiety, intimidation, or excitement. |
How to prevent scams |
|---|
| Rotate passwords regularly. |
| Use two-factor/multi-factor authentication (MFA). |
| Update your computer and browser regularly. |
| Install firewalls. |
| Install anti-phishing add-ons. |
| Install pop-up blockers. |
| Only visit sites with proper SSL certificates. |
| Don’t open suspicious emails. |
How to report and track scams |
|---|
| FBI Internet Crime Complaint Center: https://www.ic3.gov/ |
| Federal Trade Commission Report Fraud: https://reportfraud.ftc.gov/ |
| Federal Trade Commission Identity Theft: https://www.identitytheft.gov/ |
| SSA Scam Reporting: https://secure.ssa.gov/ipff/home |
| FCC Do Not Call List: https://www.donotcall.gov/ |
| BBB Scam Tracker: https://www.bbb.org/scamtracker/ |
With the history, statistics, tips, and reporting discussed in this post, we hope that you can successfully identify phishing emails, as well as learn how to protect yourself against all Internet scams.
- Have you ever been a victim of a phishing scam? What about another kind of Internet scam?
- Do you take preventative measures to avoid phishing scams?
