What Is Email Phishing?
Email phishing is an attack technique used by hackers and other cybercriminals. It is one of the most common ways in which a person can be hacked, because it can bypass many standard security measures. Email phishing scams have been common since the earliest days of the internet, and no one seems to have any way of neutralizing this threat. That’s the bad news.
The good news is that email phishing has a weakness. As an attack technique, this method is flawed because it relies on user error rather than any technical expertise. Anyone can send a phishing email, even if they aren’t a computer expert. Thus, once you learn how to spot a phishing email, your chances of being victimized can be greatly reduced.
How Do Email Phishing Attacks Work?
Phishing attacks work by impersonating a legitimate person or website. By doing this, they can trick many people into clicking things that they should not click. It might be as simple as a text box where you click a button that says “OK.” However, most email phishing scams are a little more elaborate than that.
These kinds of cybercriminals will usually start by creating a spoofed email. For instance, it might be made to look like a legitimate email from your bank. The hacker might use the same headers, logos, and layout to make everything look legitimate. In some cases, these fake emails can be very hard to spot.
There are several ways in which your security can be compromised by a poorly-chosen click of the mouse. Sometimes, phishing emails will include a link that you are directed to click. When you do, a tracker embedded in the link can reveal all kinds of personal information, including your home address. Using this information, the attacker can do all sorts of fraudulent or harmful things to you.
Most phishing attacks are intended to steal information that can later be used for criminal purposes. Passwords are obviously the most frequent targets. For instance, a hacker might send an email that is made to look like one that came from your social media account. They might claim that your password is about to expire and that you need to click a link in order to reset that password. Of course, the link just takes you to a fake page where you are prompted to enter both old and new passwords. Using a keylogger or a screen capture program, a hacker can then obtain your account password.
Why Do Phishing Attacks Work?
As we mentioned earlier, phishing attacks work by taking advantage of human error. It’s not easy to break through strong encryption, so hackers will often use phishing as a workaround. If they cannot compromise the system itself, they attempt to compromise the people who use that system. Even if your system is protected by strong encryption and long passwords, this method of attack can still potentially succeed.
Phishing attacks also work because people aren’t very observant. Most fakes can be spotted if you take the time to analyze them. There are many ways to do this, but a lot of people don’t take the time or effort to do so. When they see an email from what seems to be a trusted source, their mind does not register any danger. As such, they will often click the boobytrapped links without much thought.
Maybe now, you can understand why they call it a phishing attack. Like a fisherman, the hacker is putting some bait in front of their potential prey. The fish might not bite on the line, but the fisherman knows there are plenty of fish in the sea. If one doesn’t bite, another one will. That’s why hackers will sometimes send out mass phishing emails: it’s like a fisherman casting a wider net to increase their chances of success.
How Common Are Phishing Attacks?
Because many of these attacks go unreported or undetected, there is no way to know how many times per year people are hacked in this way. However, there are some numbers that can give us a general idea. Internet security company Kaspersky reports that it tracked a total of 482,465,211 phishing threats in 2018. As you can see, this is one of the most common hacking tactics around.
There is some good news for the average user, though. On the whole, cybercriminals are unlikely to target people at random. The vast majority of phishing attacks are directed at the corporate sector. To be more specific, the most dedicated efforts seem to be aimed against credit organizations and other financial institutions. In most cases, these people want money, and they are going to target those who have plenty of funds.
According to a report from Verizon, nearly a third of all data breaches in 2018 were caused by phishing attacks. For data breaches involving corporate espionage, about 78% of the attacks were phishing expeditions. They also report that scammers are getting smarter and more elaborate with their deceptions.
How To Identify Phishing Emails
If someone has targeted you for a phishing attack, there will probably be certain “red flags,” which can raise the alarm bells in your head and cause you to proceed carefully. When reading your emails, you should always be on the lookout for these indicators of suspicious activity.
First of all, you should always be cautious when asked for your password or other login information. This information is the most frequent target of phishing attacks, so guard that password with your life. You need to understand that hackers can use various methods to capture your password if you are dumb enough to type it in the wrong space.
If you get an email that asks you to reset an important password, do not simply click the embedded link. Most sites will not ask you to reset your password, so an email like this is an immediate red flag. In most cases, a website user will have to request a password change. It is rare for anyone to demand that you change your password immediately.
You can also compare the suspicious email to an older one that is known to be safe. For instance, let’s say someone impersonates your bank or PayPal account. When they send you the email, asking you to change your password or click a link, you can compare it to other emails that you received from PayPal or your bank in the past. Obviously, you need to pick one that you know to be legitimate. Any little discrepancy is reason enough to delete the email and block the sender.
Believe it or not, the telephone is probably your best weapon against phishing scams. That might sound strange, but think about it: How do you catch a person who is impersonating someone else? One way is to contact the real person who is being impersonated. For instance, let’s say that someone sent you an email pretending to be a member of your family. If anything looks wrong, you might want to call that relative and see if they sent you an email recently. If the answer is no, the email is definitely a scam attempt. If some legitimate institution wants you to change your password, you should be able to call them up and verify this fact.
You should also keep a close eye on the URL of any password reset pages that you might visit. For instance, let’s say you get an email from Adobe or some other software company whose products you have bought. They might prompt you to update your software by clicking on a link. If you then click on the link, you will be taken to a spoofed page where your info can be stolen. However, you can still avoid being hacked at this point.
Look at the URL at the top of the page and make sure that it’s an official source. For instance, if you were trying to update Adobe Acrobat, the link should take you to Adobe’s official page. If it goes anywhere else, it might be a scam attempt. For the record, this shouldn’t even be an issue when it comes to software. Most software can be updated from within the program, which is much safer than clicking links in your email.
On this subject, you need to be aware of the tricks that are sometimes used to fool people like you. When you look at the link in a suspicious email, it might look legitimate. However, appearances can be deceiving. By embedding a redirect message in the code of an otherwise respectable website, attackers can redirect you to their spoof page. To give an example: Let’s say you get an email that is supposedly from your school. The link at the bottom of the message might look like it goes to the official website for your school. However, the malicious code that has been embedded there can redirect you to a spoof page. For this reason, a large number of redirections from a single link is always a major warning sign.
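The URL checks described above (is the destination an official domain, does the visible link text match where the link really goes, and does an official-looking link forward somewhere else), sketched as an added example that is not part of the original article. The message, the `example.edu` and `example.net` hosts and all function names are constructed for illustration; the forwarding check only inspects URL parameters offline and does not follow redirects.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample message; every domain is a placeholder, not a real sender.
SAMPLE = """\
Content-Type: text/html; charset="utf-8"

<a href="https://login.example.net/reset">https://portal.example.edu/reset</a>
<a href="https://www.example.edu/go?url=https%3A%2F%2Flogin.example.net%2Freset">Reset</a>
<a href="https://portal.example.edu/help">Help desk</a>
"""

class LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):  # hostname if value is an http(s) URL, else None
    parts = urlsplit(value.strip())
    return parts.hostname if parts.scheme in ("http", "https") else None
def is_official(host, official):  # exact domain or a true subdomain only
    return bool(host) and any(host == d or host.endswith("." + d) for d in official)

def audit_links(raw_message, official):  # -> [(href, reason), ...]
    collector, findings = LinkCollector(), []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in collector.links:
        dest, shown = host_of(href), host_of(text)
        if not is_official(dest, official):
            findings.append((href, "destination is not an official domain"))
        if shown and dest and shown != dest:
            findings.append((href, "visible text names a different host"))
        for _, value in parse_qsl(urlsplit(href).query):
            if host_of(value) and not is_official(host_of(value), official):
                findings.append((href, "official-looking link forwards elsewhere"))
    return findings
```

Calling `audit_links(SAMPLE, ["example.edu"])` flags the first two links and leaves the help-desk link alone.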
How To Report Phishing Emails
Once you have identified a phishing email, you must then decide what to do in response. On a purely selfish level, you can choose to delete the email and block the user. However, you should think about the other people who might be victimized by this email. Again, these things are usually sent out as mass emails, so there is an ethical duty to report this kind of thing.
If you are like most people, you probably don’t know how to report a phishing email. Thankfully, it’s a pretty easy process. In the United States, you should probably report such emails to the Department of Homeland Security. As you might know, that department consists of quite a few agencies, but the one you want is called the “United States Computer Emergency Readiness Team,” or “US-CERT” for short.
The US-CERT has a website where you can report phishing emails. They keep an extensive catalog of all known phishing emails for research purposes, working in partnership with a private organization known as APWG (the Anti-Phishing Working Group). It is this private organization that handles the record-keeping, so your report will probably go straight there.
In addition, you may want to inform the party that was being impersonated. For instance, if someone is making spoof emails disguised as notices from your employer, you might want to let your employer know about the situation. If someone were impersonating you, wouldn’t you want to know?
These Attacks Are Easy To Attempt
There is a reason for the popularity of email phishing as a primary method of attack. It is popular because it’s easy to do. You don’t have to be a computer expert or a government-trained hacker to attempt one of these attacks. As for your chances of success, that would be pretty random. Still, the attempt is quite easy to make. There are certain places on the internet where you can get or purchase “phishing kits.” These are ready-made kits that give the phisher all the tools they need. Again, they don’t have to be a hacker or an IT expert: They just have to get the kit and follow a few simple instructions.
When you learn about how these attacks work, it is easy to feel a little nervous. These methods are hard to detect and are more likely to succeed than most other methods of cyber-attack. As the methods become more elaborate and more devious, it will become harder and harder to detect these fake emails that can pose such a huge security threat. In the end, there is only one way to guard against phishing attacks, and that method is total vigilance.