What is Phishing?
Phishing is a process where cyber criminals, usually over email, 'phish' for your personal details or login details to online services, with the intention of stealing your data or money. Most phishing is done via email, but it is also prevalent via website popups, and on social media sites.
How do they do it?
Phishing attempts usually take the form of the hackers posing as a well-known or reputable company or website. For example, you may receive an email which at first glance looks like it is from your bank, or from another service such as PayPal or Amazon.
The email will usually contain the relevant company's branding, and can appear quite convincing - although they are often littered with spelling and grammatical errors.
The phisher will usually try to direct you to a login page via a link in the email and ask for secure details such as your password. You may also be asked to 'confirm' your details with the fraudulent site, such as credit card numbers or bank details! This login page usually follows on from the email and will carry the relevant company's logo and branding, although spelling and grammatical errors often appear here too.
They may also use scare tactics, and warn you that if you don't "confirm your account details" then you risk losing access to the service altogether.
This is a huge red flag. Obviously, if you do this, you are not logging into your bank's genuine website, and now the phisher can help themselves to your money by proceeding to the genuine website and using the details you just gave them in order to log in. They may not even need to do that, if you happily handed over your bank or credit card details, rather than login details.
Here's an example of a typical phishing email:
What are the impacts of Phishing for businesses?
Phishing has many impacts, including financial loss, but also loss of productivity for businesses - especially if the phishing attack results in the installation of malware.
Telltale phishing signs you need to look out for
- Email asking you to confirm your details for an online service.
- Spelling or grammatical errors in email - or just strangely worded English
- The email address the email is sent from does not match the main domain name of the service - or only matches partially. For example - firstname.lastname@example.org - Obviously the scammer won't have an email address on the same domain as the legitimate website, so they will have to register something that matches it as closely as possible, or that could easily be mistaken for the real thing.
- Basic looking email - but with the legitimate logos and other branding - Note - the email does not always look basic, sometimes they are quite good copies of the real thing.
- Don't open or download any attachments that come with these emails - they may contain malware that also tries to steal your information without you knowing. You shouldn't go to the sites linked by phony emails for the same reason - but if you do end up there somehow, read on.
- Ideally, you will recognise the email for what it is straight away, and won't click on any links. It is highly advised not to click the links, but if you do happen to land on the page there are some things to look out for. The real thing would most likely be a secure website - so look in the address bar. Does the URL start with http or https? The scammers won't usually bother to secure their dodgy website - so it won't have the S.
Another thing to look out for is the padlock icon in the bottom right corner of your web browser, or to the left of the URL in the address bar. Unsecured websites will not have this. You should double click this lock to check that the security certificate is verified. Don't take the https in the URL as gospel - it is possible for fraudulent websites to hijack your browser.
- If the s from https is missing, the site is almost definitely bogus, however, just because it is there, does not mean you are definitely safe. Make sure you roll over links and check where they are really directing you. A link could be cloaked to look at first glance like it will take you to a legitimate website.
- When you land on this site that is linked by the email, can you do anything else on it? If it's the real thing, you should be able to click on links to go and navigate other parts of the site, such as a clickable logo that links to the homepage, and links in the header or footer that let you explore other areas of the site. Fraudsters probably won't bother to flesh out any other pages.
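Several of the signs above (a sender domain that only partially matches the real one, a link whose visible text differs from where it really points, and the missing 's' in https) can be checked mechanically before anyone clicks. The script below is an added example, not part of the original article: it runs over a constructed sample email and assumes `examplebank.test` is the impersonated service's genuine domain.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
LEGIT_DOMAIN = "examplebank.test"  # assumed domain of the impersonated service
# Constructed sample, not a real phishing email: lookalike sender domain, http link,
# and anchor text showing a different address from the real href target.
SAMPLE = """From: ExampleBank Security <alerts@examplebank-verify.test>
Content-Type: text/html

<p>Confirm your account details or you will lose access.</p>
<a href="http://examplebank.test.login-check.test/verify">https://examplebank.test/login</a>
"""
class LinkParser(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Crude: keep the last two labels. Fine for .test; wrong for suffixes like .co.uk.
    return ".".join(host.lower().split(".")[-2:])

def phishing_flags(raw, legit_domain=LEGIT_DOMAIN):
    """Return the telltale signs found in one raw email as readable strings."""
    msg, flags = message_from_string(raw), []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain != legit_domain:  # sender domain matches only partially, or not at all
        kind = "lookalike" if legit_domain.split(".")[0] in sender_domain else "unrelated"
        flags.append(f"sender domain {sender_domain} is {kind}, not {legit_domain}")
    parser = LinkParser()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        target, shown = urlparse(href), urlparse(text)
        if target.scheme != "https":  # the missing 's'
            flags.append(f"link uses {target.scheme} not https: {href}")
        if registered_domain(target.hostname or "") != legit_domain:  # where it really goes
            flags.append(f"link really points at {target.hostname}, not {legit_domain}")
        if shown.hostname and shown.hostname != target.hostname:  # cloaked link
            flags.append(f"link text shows {shown.hostname} but goes to {target.hostname}")
    return flags
```

A mail filter or help desk could run `phishing_flags` over reported messages; an empty list means none of these particular signs were found, not that the email is safe.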
It is a good idea to forward the emails to email@example.com, and also to the company being impersonated in the email. This helps steps to be taken to prevent others from falling victim to the scam.