If you’ve heard the term “phishing” but you’re not quite sure what it means, you might have searched for a definition online. Most search results define phishing as “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.”
This definition includes a common misconception about phishing delivery channels.
Phishing attacks have expanded well beyond the confines of email communication to include all forms of electronic communication. Wikipedia accurately defines phishing as an “attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.”
Note the phrase electronic communication.
Threat actors (individuals or entities that are responsible for incidents that impact security) utilize all forms of electronic communication to deliver their phishing attacks. Digital platforms, such as text message, voice, email, and applications, all serve as unwitting hosts for phishing attacks. Cybercriminals coined the term to identify digital attacks that trick residents of the Digital World, i.e., consumers, into providing valuable personal and financial information; as a concept, phishing has rapidly expanded beyond the sea of cybercriminals to encompass oceans of other threat actors.
Phishing attacks evolve over time, just as technology does.
Since the early days of cybercrime and the origination of phishing in the early 1990s, scammers and phishers have adapted their methods and platforms to hook consumers. Now, with the rise of social media and more individuals with an active Internet presence, it is increasingly easy for phishers to target potential victims across all digital platforms. In fact, further development of the Internet and other forms of technology has opened the doors for many other forms of phishing.
Types of Phishing
Other types of phishing include:
Common Phishing Scams
Credit Card Phishing
Global credit and debit card fraud resulted in $21.84 billion in losses during 2015, according to a study conducted by The Nilson Report. In 2014, 45% of recorded fraud occurred online, meaning the physical credit card wasn’t even present at the time the fraud occurred. This percentage is expected to increase significantly as Point of Sale (POS) fraud decreases. In other words, phishers are attacking their victims where they least expect it—and when they are most vulnerable. 86% of identity theft victims experienced the fraudulent use of their existing account information, and much of this fraud can be prevented if consumers recognize such phishing attempts that may impact their online experiences.
Remember, unless you initiated the conversation with a legitimate entity, do not provide anyone with the following:
Your date of birth
Your social security number
Your mother’s maiden name
Three-digit security code on the back of your card
Answers to any security questions associated with your online accounts
Bonus tip: Credit card companies usually do not embed links in their mobile communications; instead, customers must independently type in the credit card’s web address. Be wary of any links you receive via text message.
Phishers often target banks and banking customers, as financial institutions’ platforms house customer login credentials, personally identifiable information (also known as PII), and banking and other financial data. As such, many bank-branded phishing messages provide a link (URL) that directs users to a website impersonating the user’s bank.
Bank-branded phishing attacks are growing at an alarming rate. A report by the Financial Fraud Action UK (FFA UK) found that bank phishers cost victims £325.3 million ($420.9 million) over a period of six months last year, which was a rise of 6% from £307.7 million ($398.1 million) over the same period in 2014.
One of the easiest ways to protect yourself from bank-branded phishing attacks is to understand what information your bank will and will not ask you to provide. In general, remember that your bank will never:
Request personal information when you did not initiate the conversation;
Close your account if you fail to confirm, verify, or authenticate personal information—again, when you did not initiate the conversation;
Require confirmation of personal information due to “system upgrades;” and
Make offers that sound “too good to be true”, such as monetary awards for completing a survey.
Bonus tip: As with credit card companies, banks usually do not embed links in their mobile communications; instead, customers must independently type in the bank’s web address.
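The link check described above can be automated for messages that do carry a URL. The following Python sketch is an added example, not part of the original article: it extracts each link from a message and reports any whose real destination is not the bank's own domain. The domain examplebank.test and the sample messages are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption: the domains the bank really uses (constructed placeholder).
TRUSTED_DOMAINS = {"examplebank.test"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def link_host(url):
    """Return the host a browser would actually contact, lowercased."""
    host = urlsplit(url).hostname or ""  # hostname drops any "user@" prefix
    return host.rstrip(".").lower()

def is_trusted(host):
    """True only for a trusted domain itself or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def review_message(text):
    """Return (url, host, reason) for every link that is not the bank's own."""
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")  # drop sentence punctuation after the link
        host = link_host(url)
        if is_trusted(host):
            continue
        if "@" in urlsplit(url).netloc:
            reason = "text before '@' is not the destination"
        elif any(label.startswith("xn--") for label in host.split(".")):
            reason = "punycode (internationalized) host"
        elif any(d.split(".")[0] in host for d in TRUSTED_DOMAINS):
            reason = "bank name used inside a domain the bank does not own"
        else:
            reason = "link to an unrelated domain"
        findings.append((url, host, reason))
    return findings

# Constructed sample messages (not real traffic).
SAMPLES = [
    "Your statement is ready. Sign in at https://www.examplebank.test/login.",
    "System upgrade: verify at http://examplebank.test.secure-login.example/v",
    "Confirm now: https://examplebank.test@203.0.113.7/login",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg, "->", review_message(msg) or "no untrusted links")
```

A clean result only means the link points at the expected domain; an unsolicited request for personal information is still a warning sign on its own.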
In the United States, every American taxpayer’s favorite time of year, tax season, is prime time for phishers to attempt to get their cut from consumers. It’s important to recognize that phishers and other threat actors aren’t taking a break from producing IRS-branded scams and phishing attacks that claim to have your tax refund ready (if you only click this malicious URL and provide your banking account or credit card details!).
The attacks change from year to year, so be sure to remain up to speed on what types of attacks are affecting consumers and know how to protect yourself if you receive one. According to the Treasury Inspector General for Tax Administration (TIGTA), since October 2013, over 10,000 reports were received from IRS-phishing victims who collectively have paid more than $54 million due to IRS phone scams.
Remember, the IRS will never:
Demand immediate payment using a specific payment method;
Threaten to immediately bring in local police or other law-enforcement groups to have you arrested;
Demand that you pay taxes without giving you the opportunity to question or appeal the amount owed; and
Ask for your credit or debit card numbers.
Identifying Phishing Attacks in Message Content
Review the infographic below for some handy tips to help you identify phishing attacks.
Phishers also frame their attacks around current events and certain times of the year, targeting victims of natural disasters and epidemics or health scares and playing off strong emotions caused by economic concerns, major political elections, and holidays. Beware of highly specific communications around such events, especially if you don’t know the sender.
The bottom line is when in doubt, DON’T CLICK OR RESPOND.
You can report suspected phishing attacks to www.spamresponse.com/report-spam for investigation. SpamResponse investigates every report received and neutralizes threats posed by validated phishing attacks on consumers.