What is phishing and how to recognize it 

In this article, we explain the type of attack known as ‘phishing’, explore its different forms, learn how to recognise them, and give you effective strategies to protect yourself against this type of scam.

A hacker attacking a user through the screen

Table of contents 

  • What is phishing?
  • The various forms of phishing 
  • How to identify a phishing attack
  • Phishing prevention strategies  
  • How to recognize a phishing attack
  • Quick guide: how to recognize a phishing attack

What is phishing?

The term ‘phishing’ is a variant of ‘fishing’. This describes how fraudsters ‘bait the hook’ in the hope that victims will ‘take the bait’.  

Phishing is a type of cyber attack through which malicious attackers try to steal your personal and financial data by pretending to be a trustworthy entity. It is a simple but incredibly effective method that can trick you into revealing confidential information such as card numbers, e-mail addresses, and even your telephone number. These attacks can come via suspicious e-mails, messages on social networks, or malicious links. As techniques evolve, it becomes increasingly important to know how to recognise and defend against different phishing attack attempts. 

The various forms of phishing 

Phishing attacks can hit you in various ways, each with specific techniques and objectives. Here are the main characteristics you should know about each one to best protect yourself: 

  • E-mail phishing
    This is the most common form; you have probably already dealt with it. It uses fake e-mails that appear to come from legitimate entities to steal personal information. 

  • Spear phishing
    Spear phishing is more targeted and sophisticated: imagine an attack tailored to you or your company. The cyber criminal focuses on specific individuals or organisations and sends them customised messages, which makes the scam much harder to recognise. 

  • Phishing via social media
    As you are well aware, social media is a breeding ground for fraudsters. Phishing attacks via social platforms exploit trust in social interactions. In such cases, you may receive misleading messages from accounts that look like known friends or contacts, but behind which are malicious actors who are actually trying to obtain your personal information. 

  • Smishing and vishing
    These are direct phishing attacks. These types of tactics use SMS (smishing) and phone calls (vishing) respectively. You may receive a text message asking you to click on a suspicious link or a phone call from someone pretending to be a representative of a company or bank, trying to extort sensitive information from you.  

How to identify a phishing attack

Being able to recognise a phishing attempt is crucial to protecting yourself effectively. Here are some signs you should watch out for: 

Personal information requests
Banks or companies will not ask you to provide personal information such as passwords or account information via e-mail. Beware of such requests. 

Example:
You receive an e-mail that appears to come from your bank, asking you to enter your password and account number on a website. This is a clear phishing attempt. Many people have fallen into this kind of trap, but remember that banks never ask for this kind of information by e-mail.  

Suspicious e-mail addresses
Check the sender’s address; often the presence of small anomalies or typing errors can indicate a phishing e-mail.  

Example:
You receive a communication from this e-mail address ‘cust0mer.support@amaz0n.com’ instead of ‘customer.support@amazon.com’. The use of the number zero instead of the letter ‘o’, as well as other typing errors, is a clue that this could be phishing. 

Links and attachments
Don’t be in a hurry when clicking on links. Watch out for suspicious sites or attachments that might contain malware. Many people click on links without thinking about what they might contain. Move your cursor over the URL and make sure it is reliable before proceeding. 

Example:
An e-mail informs you that you have won a prize and invites you to click on a link to claim it. What should you do? Hovering over the link, you may notice that the URL appears as ‘http://winbig.prizes.ru’ instead of a legitimate site. Common sense says not to click. 

Style and tone
An unusually formal or excessively informal tone may suggest a phishing attempt. Such a tone is often used to create a sense of fear or urgency so that you do not stop to think about where the request came from. Before you act, stop and think. 

Example:
You receive an e-mail with the content ‘URGENT: Your privacy is compromised! You must change your password NOW by clicking here!’. This type of message is designed to make you act fast without thinking. Take a moment to assess the situation and contact the company directly through official channels to verify whether the e-mail is genuine and how serious the situation really is. What appeared to be an emergency may just be yet another phishing attempt.

A hacker carrying out a phishing attack

Phishing prevention strategies

When thinking about phishing protection, imagine a multi-layered approach that includes both technological and behavioural measures: 

  • Continuing education
    Continuing education on the latest phishing methods is essential for everyone, both end users and IT security professionals. Organise regular training sessions to teach staff to recognise the warning signs and practise good digital security, such as never sharing sensitive information via email. 

  • Robust computer security
    Use up-to-date antivirus, anti-malware and firewall software. This way, you can filter out much of the malicious content before it reaches you or others close to you. 

  • Source verification
    Before replying to any request for personal or financial information, always verify the source.  

In the case of a suspicious e-mail that appears to come from a bank or organisation, do not click on the links provided, but contact the organisation directly through official channels to confirm the legitimacy of the request. Teach employees to treat unexpected requests with doubt and to always check twice before providing any information. A little scepticism doesn’t hurt. 

How to recognize a phishing attack

Now, let us briefly review how to recognise a phishing attack: 

  • Check the urgency of the message
    Phishing attacks often create a sense of urgency to push victims into making hasty decisions.

  • Check for grammatical errors
    E-mails with spelling or grammatical errors are often indications of a phishing attempt. 

  • Inspect links
    Before clicking, place your cursor over links to check the destination URL, which can often reveal the fraudulent nature of the attempt. 

  • Standard doubt
    Maintain an attitude of suspicion towards e-mails and messages requesting personal or financial data. 

Quick guide: how to recognize a phishing attack

Phishing is one of the most dangerous threats to our security. Through the use of social engineering, cybercriminals carry out attacks that can trick us into revealing sensitive information, such as financial data and login credentials.

Verify the urgency of the message

A typical phishing attack is often carried out by trying to create a sense of urgency to push people into taking hasty action. Fraudsters may tell you that your account is at risk, report unresolved security problems, or request an immediate verification to avoid serious consequences.  It is important to take a moment to think before acting and remember that serious organisations never request immediate responses by e-mail. 

Example: 
If you receive an e-mail from your bank that says: “Your account will be suspended within 24 hours for suspicious activity unless you confirm your personal details now,” it is important to be careful. This message creates urgency and may prompt you to click on suspicious links or give out information without checking. Remember that banks or other financial institutions never ask you to confirm your account details so urgently by e-mail. 

Check for grammatical errors 

E-mails from legitimate institutions are generally well written and without significant errors. If you find many grammatical or spelling errors, this could be a sign of a phishing attack. Errors can be typos, grammatical errors or incorrect use of technical terms. It is important to read the messages carefully and assess their professionalism before acting. 

Example:
You receive an e-mail from your streaming service that says: ‘We have problems with your payment. Please correct your payment details to avoid service interruption’ and it contains spelling mistakes (for instance, a misspelled ‘correct’). It should be considered suspicious: official communications are normally reviewed carefully before being sent. 

Inspect links 

Before clicking on a link in an e-mail, hover your cursor over it to see the URL to which it points. URLs in attempted phishing attacks may look legitimate but often have small spelling errors or changed domains that do not match the official ones. Always make sure that the URL is what you expect from a reliable source. 

Example:
Imagine you receive an e-mail offering you a tax refund and inviting you to click on a link. When you hover your mouse over the link, the URL that appears is not that of an official government site such as ‘agenziaentrate.gov.it’, but is ‘get-refund-fast.biz’. This is a clear sign of a phishing attempt. Sometimes, URLs in phishing attempts may resemble authentic ones, such as ‘agenziaentrate-italia.com’, but with small differences that make them suspect. 
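The two checks above (look-alike sender addresses and the domain a link really points to) can be automated for a mail filter or a helpdesk triage script. The following Python is an added example and not code from the original article; the allow-list of trusted domains, the confusable-character table and the simplified public-suffix rule are assumptions, while the sample addresses and URLs are the article's own examples.

```python
from urllib.parse import urlparse

# Constructed allow-list: the domains the reader actually expects mail and links from.
TRUSTED_DOMAINS = ("amazon.com", "agenziaentrate.gov.it")

# Characters swapped in because they resemble letters (0 for o, 1 for l, 3 for e, ...).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Assumed shortcut for public suffixes: under these second-level labels with a
# two-letter country code (gov.it, co.uk, ...) the registrable name has three parts.
PUBLIC_SECOND_LEVEL = {"gov", "co", "com", "org", "edu", "ac"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname someone actually registers, e.g. 'prizes.ru'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in PUBLIC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Undo common look-alike tricks so 'amaz0n.com' compares equal to 'amazon.com'."""
    return domain.replace("rn", "m").translate(CONFUSABLES)


def classify_domain(host: str) -> str:
    """Label a host as trusted, a look-alike of a trusted domain, or unknown."""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize(reg)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted:
            return f"lookalike of {trusted}: character substitution"
        brand = trusted.split(".")[0]
        if brand in reg.split(".")[0]:  # brand name reused in an unrelated domain
            return f"lookalike of {trusted}: brand name in a different domain"
    return "unknown domain"


def classify_sender(address: str) -> str:
    """Classify the domain part of an e-mail address such as 'cust0mer.support@amaz0n.com'."""
    return classify_domain(address.rsplit("@", 1)[-1])


def classify_link(url: str) -> str:
    """Classify the host a link really points to (the hover-over URL, not the visible text)."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return classify_domain(host)
```

An "unknown domain" verdict is not proof of fraud, only a signal that the address or link does not belong to a domain you already trust and deserves a second look.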

Check the sender’s authenticity

It is important to always be cautious with e-mails and messages asking for personal data or credentials. Before replying, check the authenticity of the sender through the official website or by calling customer service with a reliable number, not the one provided in the suspicious email.  This precautionary approach helps protect you from phishing scams, which take advantage of the lack of verification. 

Example:
If you receive an email that appears to come from a real online payment service and asks you to verify your identity to avoid account deactivation, do not click directly on the link provided. It is safer to open a new browser and enter the address of the official site yourself to check the status of your account. Or, you can call customer service using the number found on the official site to confirm whether the request is legitimate. 
