If you’ve been following us for a while, you’ve definitely seen us warn you about phishing scams and tell you how to avoid being a victim. But what are they?
A Brief Background
The word ‘phishing’ sounds like ‘fishing’ because scammers ‘fish’ for your data in a sea of other users; the term itself was coined in the mid-1990s by people stealing AOL account passwords. The ‘ph’ spelling is borrowed from ‘phreaking’ (‘phone’ plus ‘freak’), the practice of using electronic tricks to make telephone calls without paying for them. Phreaking goes back to the 1960s, and one of its best-known figures, John Draper (“Captain Crunch”), ran a pirate radio show and wanted listeners to be able to phone in for free so he could gauge his signal strength and reception in different areas.
What Does Phishing Involve?
Phishing is when someone poses as a trusted entity (your bank, a supplier, a colleague, a delivery company) to trick you into handing over data such as personal information, passwords or bank details, or into opening a link or attachment that installs malware. It is a serious crime: with a stolen password or card number, scammers can steal money and property, take over accounts, ruin reputations, scare customers away and commit identity theft. Last year, phishing was the most common type of cybercrime in Ireland and in 2020, it cost the Irish economy €9.6 billion.
Phishing Types and What to Watch Out For
- Email phishing is the bulk form: a scammer sends a malicious email that looks routine, impersonating a bank, a delivery company, a software vendor or a colleague in your own organisation. The display name may look right while the actual sender address belongs to a different domain, and the links usually point to a domain that is out of place. Clicking the link typically lands you on a fake login page that captures your password, or starts a download that installs malware. Poor spelling and grammar are a common tell but not a reliable one, so check the real sender address, hover over links to see where they actually go, and if you need to visit the site, type its address yourself instead of clicking.
- Spear phishing is more targeted than email phishing: it is aimed at a specific person or department, and the email is dressed up with details relevant to the target, such as current events, the names of colleagues or financial documents. When the target is someone in authority, such as a director or head of finance, it is called ‘whaling’; a compromised executive account can then be used to spear phish other employees, who are unlikely to question a request from the boss. An odd greeting, a request that bypasses the normal process, or pressure that something must be done urgently are the usual tell-tale signs.
- Vishing and Smishing are other terms you may have seen us talk about. ‘Vishing’ is ‘voice phishing’ and ‘smishing’ is ‘SMS phishing’. Vishing involves the scammer talking directly to the target by phone, often while spoofing the caller ID of a bank or government office; smishing delivers the lure by text message instead of email. Be suspicious of recorded or robotic voices, and of any caller who asks for a PIN, password or one-time code: hang up and call the organisation back on the number printed on your card or its official website. With texts, compare the message and sender number to previous genuine texts, and never follow a link in a message you were not expecting.
- Clone phishing involves the scammer copying a legitimate email previously sent to the target by a trusted person and resending it, often from a look-alike address and described as an updated or resent version. Where the original contained a link or attachment, the scammer swaps it for one that leads to a fake website or malware. Hover over the link (but don’t click it!) and check the address it actually points to; if it doesn’t match the organisation’s real domain, it’s fake.
- Pharming is more sophisticated: instead of luring you with a link, the scammer tampers with DNS (the Domain Name System, which turns a website name into the address your browser connects to), for example by poisoning a resolver, changing the DNS settings on a hijacked home router, or editing the hosts file on an infected computer. The target then types the correct URL but is silently taken to a server owned by the scammer. Because the address bar still shows the right name, the warning signs are a certificate error from your browser or a site that looks or behaves slightly wrong. Never click past a certificate warning; if a site you typed in correctly seems off, stop and contact the business through a channel you already trust.
- HTTPS phishing is where scammers host their fake site on HTTPS so the browser shows a padlock and the site looks trustworthy. Businesses are rightly encouraged to get a TLS (SSL) certificate so their site is served over HTTPS, which is more secure than plain HTTP, but a certificate only proves that the connection is encrypted to whoever controls that domain; it says nothing about whether that domain is the real business, and certificates can be obtained for free for any domain a scammer registers. This is a difficult scam to spot, so check the domain name itself rather than the padlock, and treat inconsistencies within the site as a giveaway. We’ve got more on HTTP and HTTPS on the blog.
- Pop-up phishing can be easily missed. Most websites show pop-up notifications of some kind, and scammers plant code into a fake ‘notification’ so that when someone clicks ‘Okay’ or ‘Allow’ they grant the site permission to push further notifications or start a download that installs malware. Pop-ups that flash, move around the screen, or claim your device is infected and needs ‘cleaning’ are not to be trusted; close the whole browser tab rather than clicking any button inside the pop-up.
- Evil twin phishing uses a fake WiFi hotspot with the same name as a legitimate one, such as a café or hotel network. Once someone connects, the scammer sits between them and the internet and can capture anything sent unencrypted, redirect them to fake login pages, or present a bogus ‘sign in to the WiFi’ page that harvests credentials. Avoid public hotspots for banking and other sensitive logins; if you must use one, confirm the network name with staff, use a VPN, and don’t proceed if your browser warns about a certificate.
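Several of the tells in the list above (a display name that does not match the sender’s domain, link text that differs from the real destination, look-alike domains, urgency language, and a padlock that proves nothing) can be checked mechanically before anyone clicks. The script below is an added example written for this post, not code from the original blog; the trusted domain example-bank.ie, the brand words, and the two sample emails are all constructed for illustration.

```python
"""Offline checks for the phishing tells listed above. Standard library only;
the two messages at the bottom are constructed samples, not real emails."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: the domain the organisation really owns, the
# words in its brand name, and the pressure phrases worth flagging.
TRUSTED_DOMAINS = {"example-bank.ie"}
BRAND_WORDS = ("example bank",)
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "locked")
# Cyrillic letters that render like Latin ones (a slice of Unicode's confusables).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                             "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"})
HOST_IN_TEXT = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)


class _LinkParser(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable_domain(host: str) -> str:
    """Last two labels: fine for .ie/.com, but a real tool would use the Public
    Suffix List so that example.co.uk is not reduced to co.uk."""
    return ".".join(host.lower().split(".")[-2:])

def skeleton(host: str) -> str:
    """Fold punycode (xn--) labels and confusable letters to Latin look-alikes."""
    if "xn--" in host:
        host = host.encode("ascii").decode("idna")
    return host.translate(CONFUSABLES)

def check_link(text: str, href: str) -> list:
    """Compare what a link shows with where it really goes."""
    findings = []
    match = HOST_IN_TEXT.search(text)
    shown = match.group(1).lower() if match else ""
    real = (urlparse(href).hostname or "").lower()
    # The scheme is ignored on purpose: https:// earns a link no trust at all.
    if shown and registrable_domain(shown) != registrable_domain(real):
        findings.append(f"link text shows {shown} but goes to {real}")
    if skeleton(real) != real and registrable_domain(skeleton(real)) in TRUSTED_DOMAINS:
        findings.append(f"homograph of a trusted domain: {real!r}")
    for trusted in TRUSTED_DOMAINS:
        if real.startswith(trusted + ".") and registrable_domain(real) != trusted:
            findings.append(f"trusted name used as a subdomain of {registrable_domain(real)}")
    return findings

def analyse(raw: str) -> list:
    """Run every check over one raw message and return the tells found."""
    msg = email.message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if any(b in name.lower() for b in BRAND_WORDS) and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name {name!r} but sender domain is {from_domain}")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From")
    if any(w in msg.get("Subject", "").lower() for w in URGENCY_WORDS):
        findings.append("urgency language in subject")
    parser = _LinkParser()  # body parts are read as-is (no base64/QP decoding here)
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            parser.feed(part.get_payload())
    for text, href in parser.links:
        findings.extend(check_link(text, href))
    return findings

# Constructed sample: every tell in it is deliberate.
PHISHING_SAMPLE = """From: "Example Bank Security" <alerts@example-bank-verify.com>
Reply-To: support@mail-examp1e-bank.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<p>Your account has been locked. Please <a href="https://example-bank.ie.secure-login.attacker-example.com/verify">log in at https://example-bank.ie</a>
or <a href="https://ex\u0430mple-bank.ie/login">update your details</a> within 24 hours.</p>
"""
# Constructed sample of a genuine message from the same organisation.
BENIGN_SAMPLE = """From: "Example Bank" <alerts@example-bank.ie>
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<p><a href="https://example-bank.ie/statements">View statement</a></p>
"""
```

Running `analyse(PHISHING_SAMPLE)` returns six findings (mismatched display name, a Reply-To on yet another domain, urgency in the subject, link text that says example-bank.ie while the link goes to attacker-example.com, the trusted name used as a subdomain, and a Cyrillic homograph of the bank’s domain), while `analyse(BENIGN_SAMPLE)` returns none. Note that the check deliberately never looks at whether a link uses https://, because the padlock is not evidence of anything.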
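Pharming often starts on the victim’s own machine, with malware adding lines to the hosts file so that a correctly typed name resolves to the scammer’s server without any DNS query at all. The check below is an added example, not code from the original post; the watched domains and the sample hosts content are constructed for illustration.

```python
"""Offline check for one pharming vector: hosts-file entries that hijack a
name the user trusts. The hosts content below is constructed, not a real file."""
import ipaddress

# Assumption for this example: the names worth watching (hypothetical).
WATCHED = {"example-bank.ie", "webmail.example.com"}

# Constructed sample of /etc/hosts (Windows keeps the same format under
# System32\drivers\etc\hosts); the 203.0.113.7 line is the planted override.
SAMPLE_HOSTS = """# Constructed sample
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     ads.example.net                      # ad-blocking style sinkhole
203.0.113.7 example-bank.ie www.example-bank.ie  # planted by malware
10.0.0.5    intranet.example.com
"""


def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs, ignoring comments, blanks and odd spacing."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def is_sinkhole(ip: str) -> bool:
    """Loopback and unspecified addresses are the harmless, ordinary entries."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def hosts_overrides(text: str, watched: set = WATCHED) -> list:
    """Entries that send a watched name, or a subdomain of it, to a real address."""
    return [(name, ip) for ip, name in parse_hosts(text)
            if not is_sinkhole(ip)
            and any(name == w or name.endswith("." + w) for w in watched)]
```

On the sample, `hosts_overrides(SAMPLE_HOSTS)` reports the two bank entries pointing at 203.0.113.7 and nothing else: the loopback and 0.0.0.0 lines are normal, and intranet.example.com is not a name being watched. The same idea extends to comparing what your resolver answers for a watched name against a resolver you trust, but that needs network access and is left out here.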
What to Do if You Think You’ve Been Phished
- Alert the business you thought you were dealing with, using a phone number or website you already know rather than anything from the suspicious message.
- Contact your bank immediately, and cancel your cards if necessary.
- Regularly check your spending history on your bank’s app to make sure there is no unusual activity and that you haven’t been a victim of identity theft.
- Report the crime to your local Garda station.
- Change the password on the affected accounts, and on any other account where you used the same password; turn on two-factor authentication where it is offered. If it was a work account, tell your IT or security team straight away.
- Back up your files.
- Run a scan on your computer or phone for viruses and other malware.
Now that you know what phishing is, remember to always stay alert when communicating or shopping online. You can always come back to this post if you have your suspicions. We’ve got lots more security advice here.