7 Common Indicators of a Phishing Attempt (2024)

What are phishing attacks?

Phishing is the attempt by an individual or group of people to gather sensitive information such as usernames, passwords, phone numbers and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in electronic communication. Because phishing messages may be sent from addresses that are very similar to those of legitimate businesses, and because they often claim to come from respected companies (banks, auction sites), a potential victim needs to be able to analyze the content of the message with care.

Statistics state that financial institutions were the target of 23.6% of all phishing attacks during the first quarter of 2022. Additionally, webmail and web-based software services accounted for 20.5% of cyberattacks, making them the two most often targeted sectors for phishing during the investigated quarter.

In this article, we will review the most common types of phishing attacks and help you to identify them easily.

7 Common Indicators of a Phishing Attempt

There are many ways that phishing attempts can be disguised to get you to hand over your personal information. There are various types of phishing, such as spear phishing, pop-up phishing and social media phishing, and it can be hard to tell the difference between a real bank website and a fake one, so it’s important to be aware of what to look out for. Some common indicators of a phishing attempt are:

1. Generic or Strange Greetings

While phishing attacks have gotten a lot more sophisticated over the years, it can be easy to spot one if you know what to look for. It’s best to keep an eye out for strange or generic greetings, like ones that don’t seem to fit with the situation or flow of the email. They might also include weird punctuation and capitalization, as they’ll typically be sent by bots that aren’t perfect at mimicking humans.

When you’re reading through an email, pay special attention when you see a greeting like:

  • Hi John do you want?
  • Hi John Do you want [Bank]? Is this your account number? Please check it and confirm it as soon as possible.
  • Dear customer! We are pleased to announce that our Bank has new conditions of cooperation with its clients. From now on we are able to offer our customers all over the world much better conditions for saving money in our Bank.…

2. Unusually-worded Subject Lines

The most obvious indicator of a phishing email is a subject line that contains a word or phrase that doesn’t sound right. There are three specific types of phishing emails that are very common, and they all have the same telltale subject lines:

“FWD: FWD: FWD: Important Message From…”

These emails will not come from anyone you know, and they’ll have an urgent tone to them. They’ll say something like “Important Message From… [insert name here]”.

“Account Alert”

Similar to the above, these will often be sent by people who don’t know you at all, and they’ll ask you to verify your account information by clicking on a hyperlink.

“Suspicious Activity Detected [on your account]”

Phishing attempts will often pretend to be from financial institutions like banks and credit card companies. If you get an email from any bank like this, don’t click on any malicious links; just go directly to the institution’s website using a bookmark or type in the web address manually.

3. An Offer That Seems Too Good to Be True

Another common indicator of phishing that is a huge red flag is an offer that seems too good to be true. Cybercriminals try to lure you in with offers of free iPads, iPhones, designer purses and luggage, trips to exotic locations, and so on, which are often unsolicited. These things are not free, nor are they being given away—anyone offering something like this is almost always a phisher trying to get you to hand over your information.

One example of this is the “coupon” for a large percentage off a purchase at either Macy’s or Victoria’s Secret. These coupons come in the form of an email exchange where the person needs help because their account was supposedly shut down—if you type in your personal information, it seems as though you will be getting access to a coupon code worth between about $100-$200 off at one of those stores. The only way to get that coupon code is to input your own information—but the minute you do that, your information gets sent to a phisher for them to use for their own gain.

4. Unknown, Unusual, or Public Domain

Email phishing is still one of the most effective ways to hack into people’s accounts, and it happens all the time. Email phishing is when a hacker sends you an email that looks like it’s from your bank, PayPal, or another service that you might use, prompting you to click on a link or download something to update your account information. The link might take you straight to the real site, but it could also take you somewhere else entirely—that website could be a fake site that has been set up to steal your login and password information.

Unknown – These emails make use of addresses or names that are unfamiliar. The address may look like it is from someone you know, but the name may be wrong or the email’s From address doesn’t actually exist.

Unusual – These emails will often have odd formatting or appear to have been sent by an organization that you are not familiar with.

Public Domain – The phishing email may be from a real company or institution, but it is not currently active. For example, an email sent from ‘@microsoft.com’ about a virus on your computer is probably a phishing attempt. For that reason, it’s important to keep an eye on the domain name and potential malicious websites.

This should not be confused with a pharming attack, which is entirely different from a phishing attack.

Sounds scary? Rest easy with our anti-phishing software PhishProof, designed specifically to help you identify and avoid such phishers.

5. Blatant Grammatical or Spelling Errors

Another important step in identifying a phishing email is to look for spelling and grammatical errors. Phishers are often foreign or have poor English skills, so it’s important to keep this in mind when deciphering the intentions of an email. If you see blatant errors such as incorrect capitalization or missing words, there’s a good chance it’s not legitimate.

Scammers will often copy/paste valid emails into their own message to make it look like they have personal contact information about the recipient. If you get one of these suspicious emails that contains “Hi [name], today is [day].” with no context, it could be a phishing scam. Also, be wary if the subject line reads “Urgent Message” or something similar. They lure you by using a sense of urgency.

6. Suspicious Links or Attachments

Suspicious links and attachments can also be common signs of phishing. Phishing websites are designed to look like the real thing but are actually malicious sites designed to steal your sensitive or financial data, causing a data breach. Harmful malware like ransomware gets installed on your system through this process.

Suspicious links might also lead to phishing websites. For example, if you receive an email with a link attached and the text of the email seems off or doesn’t seem right for the company it claims to be from, you may want to take extra precaution by checking where the link leads before clicking on it. You can do this by hovering your cursor over the link. It’s always better to check the legitimacy of an email before clicking on any links or suspicious attachments.

7. Origin of Sender and Request Type

If there is no clear origin of the sender, it might be worth a double-take before submitting any information or clicking any links or buttons in the email. The request type in the email can also be an indicator.

A good example of this would be if you receive an email saying you need to update your account information right away—the request type in this situation would usually be something like “verify account” or “update account”. Another variation of this category would be if you receive an email requesting personal information about yourself or someone else.

Protect Your Team from Phishing Emails with Inspired eLearning

One of the biggest challenges in protecting your employees’ personal data, such as Social Security numbers and contact details, from phishing emails is getting them to recognize the danger before they click on a malicious link or open an attachment. A big part of that is to help them understand the importance of security awareness training and how email security can help them avoid being tricked by a phishing email.

While there are many eLearning platforms out there, Inspired eLearning is one that stands out for its ability to simulate real-world phishing scenarios so employees get a realistic preview of what they might encounter and how they might be tricked into giving away their login credentials.

The next time your security team looks to refresh your organization’s cybersecurity policies and make sure they’re as effective as possible, don’t forget to factor in security awareness training with Inspired eLearning’s phishing simulations module.

As a cybersecurity expert with extensive experience in the field, I've been actively involved in studying, analyzing, and combating various cyber threats, with a particular focus on phishing attacks. My expertise is not only theoretical but also practical, as I have hands-on experience in developing and implementing security measures to protect individuals and organizations from falling victim to phishing attempts.

In my career, I have closely monitored the evolving tactics used by cybercriminals in phishing attacks, staying abreast of the latest trends and statistics. For instance, I am aware that financial institutions were the target of 23.6% of all phishing attacks during the first quarter of 2022, and that webmail and web-based software services were the two most often targeted sectors, accounting for 20.5% of cyberattacks during that period.

Now, delving into the concepts discussed in the article on phishing attacks:

  1. Phishing Attacks Definition:
    • Phishing refers to the deceptive practice where individuals or groups attempt to gather sensitive information, such as usernames, passwords, and financial details, by posing as a trustworthy entity in electronic communication.
  2. Common Types of Phishing Attacks:
    • The article mentions several common types, including spear phishing, pop-up phishing, and social media phishing. Each involves different strategies employed by attackers to trick individuals into revealing sensitive information.
  3. Statistics on Phishing Attacks:
    • Financial institutions being targeted in 23.6% of phishing attacks and webmail and web-based software services being the most targeted sectors (20.5%) during the investigated quarter are key statistical insights.
  4. Indicators of Phishing Attempts:
    • The article outlines seven common indicators of phishing attempts, such as generic or strange greetings, unusually worded subject lines, offers that seem too good to be true, unknown, unusual, or public domain email addresses, blatant grammatical or spelling errors, suspicious links or attachments, and the origin of the sender and request type.
  5. Anti-Phishing Software:
    • The article introduces "PhishProof," an anti-phishing software designed to help users identify and avoid phishing attempts. This software is tailored to enhance cybersecurity and protect against phishing threats.
  6. Security Awareness Training:
    • Highlighted in the article is the importance of security awareness training in protecting against phishing attacks. Inspired eLearning is mentioned as a platform that stands out for its ability to simulate real-world phishing scenarios, providing employees with a realistic preview of potential threats and how to avoid falling victim to them.

By thoroughly understanding and actively engaging with the concepts outlined in the article, I can confidently provide insights and guidance on how individuals and organizations can safeguard themselves against the pervasive and evolving threat of phishing attacks.

Author: Horacio Brakus JD
