Many people associate phishing scams with email, but in reality, phishing can come in many different forms, including text messages (smishing), pop-up windows, phone calls (vishing), social media messages, and even bogus websites. In order to gain the victim’s trust, scammers may impersonate a bank, government agency, well-known retailer, the victim’s boss, or even a family member. Learn the many ways cybercriminals attempt to trick their victims through phishing scams, and the steps you can take to better protect yourself.
How Phishers Lure Their Victims
Phishing scams typically work by luring victims into clicking a link that leads to a fake login page, or opening an attachment that infects the computer or device.
If a victim is fooled and clicks on a link in a phishing message, they may be directed to a fake website that looks almost identical to the website of a real organization, such as a bank or credit card company. The victim is then prompted to enter sensitive information like an account number, password, or banking PIN.
Alternatively, a phishing attack could infect the victim’s device with malware or viruses that can collect information or leave the device vulnerable to future attacks.
The Many Possible Faces of a Phishing Attack
Experts say that phishers often impersonate a trusted organization or individual, and they can be very convincing. Scammers may use recognizable logos to make their emails and websites look genuine, or they may spoof the caller ID so that it displays a real corporate or government phone number. Some modern phishing tactics include:
- Emails that appear to come from a legitimate credit card company, bank, or financial institution requesting account information.
- Emails about a payment issue with a purchase or account, which may include threats of legal action or an account being frozen if the issue isn’t resolved promptly.
- Text messages that contain a link or phone number that, if clicked, may automatically open a browser or dial a number.
- Messages that appear to come from a charity or take advantage of current events, such as a recent natural disaster.
- Messages about COVID-19 information or resources, such as contact tracing, stimulus payments, or treatments.
- Emails from a well-known technology provider claiming that there is a problem with the account or emulating what appears to be an account recovery email.
- Pop-up windows on a computer or mobile device that warn of phony viruses, promise a prize, or redirect to a scam site.
- Unsolicited phone calls or texts that claim to be from a government agency, public utility, or bank.
- Fake unsubscribe emails that encourage the individual to click an unsubscribe button or enter information.
- Threatening messages warning of potential legal action or financial harm over an unpaid tax or utility bill.
- Emails that appear to come from someone the individual knows, such as a family member, friend, or colleague.
Steps to Help Better Protect Yourself Against Phishing Attacks
The FBI’s Internet Crime Complaint Center reported that phishing victims lost almost $58 million in the U.S. in 2019. Fortunately, there are ways to help better protect yourself and your loved ones from phishing attacks.
- Think before clicking - The FBI advises individuals not to click on anything in an unsolicited email or text message. Instead, it’s advised to contact the company to ensure the request is legitimate by searching for authentic contact information online or on an existing account statement.
- Use strong, unique passwords - The Cybersecurity and Infrastructure Security Agency (CISA) recommends using the longest password or passphrase permissible on an account. It’s advised to create a unique password for each account, and change passwords immediately if a breach is suspected.
- Safeguard personal and financial information - CISA recommends that individuals never reveal personal or financial information over email, and not respond to emails asking for this information, including through any links provided in the email.
- Exercise caution with attachments - It’s advised not to open an attachment unless it’s certain that it is from a trusted source. The FBI says never to open an email attachment from an unknown person, and to be cautious of forwarded email attachments.
- Pay attention to email and website addresses - The FBI advises individuals to carefully examine the email address and website in any correspondence. For example, it may be a scam if the sender uses a free or consumer email service (such as gmail.com or similar) but claims to represent a large, well-known company. CISA recommends checking that a website’s address begins with "https" (rather than "http") and that the browser displays a closed padlock icon. Keep in mind that "https" and the padlock only mean the connection is encrypted; they say nothing about who owns the site, and many phishing sites use https too. What matters is the actual domain at the end of the host name: a hypothetical link to "examplebank.com.login-verify.net" goes to login-verify.net, not to the bank, no matter how the rest of the address reads.
- Enable two-factor authentication - Experts recommend enabling two-factor authentication on accounts when possible. By requiring an extra code or physical key for login, it makes it more difficult for phishers to get into accounts even if they know the username and password. One-time codes sent by text or generated by an app can still be captured by a phishing page that relays them to the real site in real time, so a physical security key, which only works with the genuine website, gives the strongest protection.
- Safely close suspicious pop-up windows - It’s advised not to click on or call phone numbers in suspicious pop-up windows. Instead, safely close pop-up windows by finding the corresponding icon on the task bar, right-clicking, and selecting “close” or “quit.”
- Avoid family or friend impersonations - CISA advises that if an email from a family member, friend, or colleague seems unusual or suspicious, it’s better to reach out to that person directly on a separate, secure platform, especially if the message contains a request. The person may be impersonated, or their account may have been hacked.
- Beware of false urgency - CISA states that individuals should be cautious of any communications that pressure them to act immediately, as many phishing scams attempt to create a sense of urgency, such as a fear that an account or information is in jeopardy.
- Share safely on social media - The FBI advises individuals to be careful about what type of information they share on social media. Scammers can use some information—like pet names, schools, family members, and birthdays—to guess passwords or the answers to security questions.
- Install and update anti-virus software - Experts recommend ensuring that all computers, phones, and tablets are equipped with regularly updated antivirus software, firewalls, email filters, and anti-spyware, and that Internet of Things devices, which typically cannot run such software, are kept current with the manufacturer’s firmware updates.
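The "pay attention to email and website addresses" advice above can be made concrete. The following is an added example, not code from the original page, the FBI, or CISA. It shows the two checks a careful reader would do by eye: find the registrable domain a link really goes to (the brand name in a subdomain, an "@" before the host, or a bare IP address are all red flags, and "https" alone proves nothing), and compare a sender's display name with the domain of its actual address. The brand domain examplebank.com, the free-mail provider list, and the two-part suffix list are constructed stand-ins for this example; a real tool would use the maintained Public Suffix List rather than the stub here.

```python
"""Hypothetical phishing link and sender checks (added example, not from the page)."""
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed data for this example only.
KNOWN_BRANDS = {"examplebank.com": "Example Bank"}        # hypothetical brand domain -> name
FREE_MAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Minimal stand-in for the Public Suffix List; enough for the samples below.
MULTI_PART_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of a host name that someone actually registers.

    login.examplebank.com        -> examplebank.com
    examplebank.com.evil.net     -> evil.net
    secure.examplebank.co.uk     -> examplebank.co.uk
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str, claimed_brand_domain: str) -> list[str]:
    """Return reasons a link is suspicious; an empty list means nothing was found."""
    problems = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()   # urlparse strips userinfo and port
    if parsed.scheme != "https":
        problems.append("not https")
    if not host:
        return problems + ["no hostname"]
    # https://examplebank.com@198.51.100.7/ : everything before '@' is ignored by the browser
    if parsed.username is not None:
        problems.append(f"text before '@' is userinfo; the real host is {host}")
    if host.replace(".", "").isdigit():
        problems.append("host is a bare IP address")
        return problems
    actual = registrable_domain(host)
    if actual != claimed_brand_domain:
        msg = f"registered domain is {actual}, not {claimed_brand_domain}"
        # Brand name placed in a subdomain to look legitimate
        if claimed_brand_domain.split(".")[0] in host:
            msg += " (brand name used as a lookalike label)"
        problems.append(msg)
    return problems


def check_sender(from_header: str, claimed_brand_domain: str) -> list[str]:
    """Flag a From: header whose display name claims a brand its address does not back."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable address"]
    sender_domain = registrable_domain(addr.split("@", 1)[1])
    brand_name = KNOWN_BRANDS.get(claimed_brand_domain, claimed_brand_domain)
    claims_brand = (brand_name.lower() in display.lower()
                    or claimed_brand_domain in display.lower())
    if claims_brand and sender_domain in FREE_MAIL_PROVIDERS:
        return [f"display name claims {brand_name} but address is at free provider {sender_domain}"]
    if claims_brand and sender_domain != claimed_brand_domain:
        return [f"display name claims {brand_name} but address domain is {sender_domain}"]
    return []


if __name__ == "__main__":
    # Constructed sample links; 198.51.100.7 is a documentation-only address.
    samples = [
        "https://login.examplebank.com/account",             # genuine
        "https://examplebank.com.secure-login.net/verify",   # brand name as a subdomain
        "http://examplebank.com/reset",                      # correct domain, but not https
        "https://examplebank.com@198.51.100.7/",             # '@' trick, real host is an IP
    ]
    for url in samples:
        print(url, "->", check_link(url, "examplebank.com") or ["ok"])
    print(check_sender('"Example Bank Support" <support@gmail.com>', "examplebank.com"))
    print(check_sender('"Example Bank" <alerts@examplebank.com>', "examplebank.com") or ["ok"])
```

The lookalike case is the one that defeats the "look for https" rule: the second sample link is served over https and contains the bank's full domain, yet it resolves to secure-login.net. Note that the padlock would show for it just as it does for the genuine link.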
According to CISA, individuals should take the following steps if they believe they have been the victim of a phishing attempt.
- File a report with the Federal Trade Commission, and consider reporting the attack to the police.
- If financial accounts may have been compromised, contact the financial institution, close any relevant accounts, and be alert for any unexplainable charges.
- Immediately change any passwords that may have been compromised, including other accounts that use the same or similar password.
- Watch for other signs of identity theft.