The term “phishing” refers to the practice of trying to obtain sensitive or personally identifiable information, such as credit card numbers, social security numbers, usernames, passwords, etc., through fraudulent means for a malicious or fraudulent purpose. Phishing attacks are often carried out in the form of scam emails, spoofed social media messages, etc. Typically, they contain a link to a website that’s full of malicious code and other threats, hoping you’ll click the link and download malware or enter personal information for criminals to steal.
You’re probably familiar with some of the more stereotypical scams, such as the fictitious “Nigerian prince” who needs your help to retrieve his riches. But phishing has gotten a lot more sophisticated since the days of scam emails laced with spelling errors, atrocious grammar, and other dead giveaways. Many of today’s phishing messages and websites can look and function almost exactly like the real counterparts they’re designed to mimic.
Not only are they more realistic than ever, but phishing scams have also become much more targeted. In years past, phishing attacks were conducted in more of a “spray and pray” fashion, often being launched at thousands of recipients for a minimal percentage return. While these older tactics are still in play, attackers have been adopting much more sophisticated methods to ensure success. For example, depending on the intended victim, an attacker might do a significant amount of reconnaissance through social media, email monitoring, and the like to appear as convincing as possible when they finally make their move.
Highly targeted phishing, known as “spear phishing”, is directed at specific individuals or companies. By gathering personal information about their targets, attackers significantly increase their likelihood of success. Even executives and other high-ranking targets at large companies can easily fall victim to such well-crafted attacks, thereby giving attackers access to the company’s networks and funds.
To avoid these types of attacks, you’ll have to pay extra attention. Keep an eye out for suspicious indicators, including requests for confidential information via instant message, SMS, or email; emails that use scare tactics or urgency to get you to panic and respond right aware; lack of a personal message, greeting, or other identifier, such as a partial account number; and directions to click a link to visit a specific website and take an action, such as verifying your account.
If you do get one of these messages, do not click any links or call any phone numbers it contains. Instead, contact the brand or service directly via their publicly listed phone number or customer service email address and ask them to verify whether the message you received is legitimate. Also, always exercise caution when entering any personally identifiable information electronically.
Read more about spear phishing: