Another day, another phishing attack. From businesses to consumers, phishing attacks are becoming a more widespread and dangerous online threat every year. One wrong click could quickly turn into a nightmare if you aren’t aware of the current techniques cyber scammers are using to get access to your valuable personal information.
A phishing attack is a tactic cybercriminals use to bait victims with fake emails that appear to come from reputable sources. The attackers’ goal is to lure the user into opening an attachment, clicking on a malicious link, or responding with private information. These phony emails have become alarmingly realistic and sophisticated. A scam may come in the form of a banking inquiry, an email from a seemingly official government agency, or even a well-known brand with whom you’ve done business—maybe you even pay them a monthly subscription fee.
If you do take the bait, you’ll likely be directed to a malicious website, where you’ll be prompted to enter your account login details, a credit card number, or worse yet, your social security number. The end goal of these phishing attacks is solely to steal your private information.
According to the Webroot Quarterly Threat Trends Report, the first half of 2017 saw an average of more 46,000 new phishing sites being launched every single day, making it the number-one cause of cybersecurity breaches. As hackers devise new phishing tactics, traditional methods of detecting them quickly become outdated.
One of the most popular tricks criminals use to avoid detection is the short-lived attack. The Quarterly Threat Trends Report also revealed that these attacks, where a phishing site is live on the internet for as short as 4 to 8 hours, are seeing a continued rise. Short-lived attacks are so hard to catch because traditional anti-phishing techniques like black-lists are often 3-5 days behind, meaning the sites have already been taken down by the time they appear on the list.
You’re probably already aware of the primary phishing-avoidance tip: do not click on suspicious links or unknown emails. But, as the state of phishing becomes even more advanced, how can you best spot and avoid an attack?
Lesser-known phishing giveaways
Webroot recommends keeping an eye out for the following:
- Requests for confidential information via email or instant message
- Emails using scare tactics or urgent requests to respond.
- Lack of a personal message or greeting. Legitimate emails from banks and credit card companies will often include a personalized greeting or even a partial account number or user name.
- Misspelled words or grammatical mistakes. Call the company if you have suspicions about an email you’ve received.
- Directions to visit websites with misspelled URLs, or use of , which precede the normal domain (something like phishingsite.webroot.com).
Stay ahead of cybercriminals
If an email in your inbox does seem suspicious, here are a few things you can do:
- Contact the service or brand directly via another communication channel (i.e., look up their customer support phone number or email address), and ask them to verify whether the content of the email is legitimate.
- Avoid providing any personally identifiable information (PII) electronically, unless you are extremely confident the email is from the stated source.
- If you do click a link from an email, verify the site’s security before submitting any information. Make sure the site’s URL begins with “https” and that there’s a closed lock icon near the address bar. Also, be sure to check for the site’s security certificate.