What is phishing?
Phishing is a form of online identity theft that aims to steal people's sensitive information, such as their credit card details, usernames and online banking passwords. Attackers, also known as "phishers," attempt to fraudulently retrieve legitimate users' confidential information by imitating electronic communications from legitimate organizations, such as banks and government agencies, usually via email. The annual worldwide impact of phishing scams and other types of identity theft is about $5 billion in damages.
How does phishing work?
Phishing emails appear to be from a legitimate institution or company that a person conducts business with, or a web system through which the person has an account.
The goal of phishing is to deceive the recipient into providing login credentials or other private information. For example, a phishing email appearing to come from a financial institution may warn the recipient that his account information has been compromised, and the email directs him to a website where he is prompted to reset his username and password. This website is also fake. It's designed to look and feel legitimate but exists solely to gather login details from the victims.
Varieties of phishing
There are several versions of phishing attacks. Here's a look at some of the most common ones.
- Spear-phishing. Spear-phishing happens when phishers successfully obtain specific information about their target before performing the phishing. Then, they use this information to create a message that looks like it comes from a trusted source, such as a family member or an organization that the victim does some kind of business with. After that, it involves a message asking for money. A spear-phishing message might look like this: "Hey, it's Katrina. I'm on vacation in Hawaii and someone stole my phone and wallet. Could you send me $1,000 as soon as possible?"
- Phone phishing. Not all phishing schemes attack people via emails. Some successful scams have started out as phone calls. Phishers may pretend to be someone from the IRS, a bank, a credit card issuer, or any legitimate institution that asks for personal information. They also invent some situation that appears to justify their request.
- Malware phishing. Phishing attacks involving malware require it to be installed on a person's computer. Phishers typically attach the malware to the email they send to the user. Once the user clicks on the link, the malware starts operating. Sometimes, the malware is also attached to downloadable files.
- "Man-in-the-middle" phishing. A more advanced example of phishing attacks is called man-in-the-middle phishing. Man-in-the-middle phishing is an attack during which the scammer secretly relays and alters the communication between two people who believe they are having a conversation with each other. A man-in-the-middle scam can be used in several different ways. One example is active eavesdropping, wherein the scammer makes independent connections with the victims and sends messages between them to make them believe they're communicating directly to each other through a private connection, when in fact the entire communication is manipulated by the scammer.
Preventing phishing attacks
In the United States, the Federal Trade Commission (FTC) and other government agencies have focused on public education to fight phishing attacks. Catching phishers is difficult. Fraudulent websites typically operate over a very short period of time, and they are often run from other countries.
The best way you can protect yourself from phishing scams is to avoid providing sensitive information in an email request. If the request seems to be legitimate, you can contact the company and check the validity of the request before giving any information. Even if the request or link is verified as legitimate, you should manually enter the required address in your browser instead of clicking on a link, as a phisher could conceivably operate concurrently within a legitimate company.