
How to Prevent Phishing?

Understanding What Phishing is and How to Avoid it


Phishing attacks are becoming increasingly common. It’s important to understand what a phishing attack is and how to prevent it so you don’t lose any sensitive information. In this guide we will cover:

  • What is a phishing attack?
  • The different types of phishing attacks
  • Spear phishing vs. phishing
  • How to recognize and prevent a phishing attack
  • How to report a phishing attack

What is a phishing attack?

Phishing is a cyber attack that most commonly takes place over email, but it can also arrive through pop-up ads, SMS, or a phone call. The hacker pretends to be another person or company in order to trick the victim into handing over sensitive personal information. There are several ways to do this, but the most common is to include a malicious web link in the email. The link either leads to a website that tricks you into typing in personal information, or it downloads malware onto your computer. During a phishing attack, a hacker might try to steal any of the following information:

  • Account usernames and passwords
  • Banking details
  • Credit card numbers
  • Personally identifiable information (PII), including your full name, date of birth, driver’s license or social security number
  • Proprietary business information (when the attack targets a business)

Once the hacker obtains your personal information, they might try to do any of the following malicious activities: 

  • Steal your identity
  • Open credit cards or bank accounts in your name
  • Sell your information to other parties for illegal purposes
  • Hack into your accounts and change your usernames and passwords
  • Make purchases
  • Use your social security number

An example of a phishing attack would be an email from a hacker pretending to be Facebook. The email says that you need to log into your account to confirm your identity because there has been a security breach. The hacker includes a link that leads to a website that looks very similar to Facebook but is actually a fake, malicious site. Once you reach that site, you’ll be directed to enter your username and password. That information goes straight to the hacker, who then has access to all of your personal information on Facebook.

What are the different types of phishing attacks?

Hackers can pose as a variety of people and businesses when performing a phishing attack. Some of the most common types of people and companies that hackers will impersonate are:

  • Online stores that you shop at such as Amazon
  • Any services that you subscribe to such as Netflix or Spotify
  • Social media platforms like Facebook or Instagram
  • Your coworkers, managers or company executives (for business attacks) 
  • A friend or family member
  • Your utility company
  • A home service provider like your internet provider or cell phone carrier
  • Any website you use that requires a login
  • Notable companies like the IRS
  • Hotel chains
  • Loan companies

Phishing attacks to steal sensitive information

Hackers will either attempt to steal sensitive information or install malware on your computer or device. In attacks that try to steal your information, the hacker will typically use a link to a malicious website that is disguised to look like a website you are familiar with. Once you reach that website, you’ll be asked to input your login credentials. You’ll be giving your login information to the hacker instead of the actual website. Our earlier example about a phishing website that looks like the Facebook login page falls under this type of phishing.

Phishing attacks to install malware

For phishing attacks that attempt to install malware on your computer, clicking the link in the scammer’s email triggers a malware download instead of leading you to a website that looks like a site you are familiar with. Malware can give the hacker total access to your computer to do whatever they please with it. They can delete or restrict access to your files, steal passwords and other sensitive information, install malicious pop-ups, and even infect other computers on the same network.

What is a spear phishing attack?

Spear phishing is a more targeted form of phishing. In a typical phishing attack, the hacker will send a generic email to hundreds of recipients in the hopes that several people will fall for the attack. On the other hand, in a spear phishing attack the hacker will target a specific person or business. Spear phishing attacks tend to be harder to identify than regular phishing attacks because the information in the email is much more personalized to the potential victim. 

One real-world example of a successful spear phishing attack occurred in June of 2015. Employees of a technology company called Ubiquiti Networks Inc. were sent emails that appeared to be from some of the company’s top executives. These employees were instructed to transfer company funds to a third-party account. In reality, the hacker was tricking the employees into transferring funds to his own account. Many employees fell victim to this attack, as the emails seemed legitimate thanks to spoofed email addresses and legitimate-looking web links. In the end the hacker stole over $46 million in the attack. This attack would not have been successful if it had been sent to just anyone, because all of the information and spoofed emails were specific to Ubiquiti. For that reason, it was a spear phishing attack rather than a generic phishing attack.

Other forms of phishing

While phishing attacks occur most commonly over email, they can also happen via text or over the phone. In a phone phishing attack, the caller may pretend to be your credit card company, the IRS, or any of the other people or companies discussed earlier in this guide. The hacker will ask for sensitive information like your username and password, social security number or any other personal information. SMS phishing works similarly to email phishing: the hacker sends you a malicious link via text message to obtain your personal information.

How to recognize a phishing attack

There are several different things you can look for to recognize a phishing attack. It’s best to be cautious and examine every email you receive for phishing. Here are some things to consider and look out for.

Creates a sense of urgency

Most phishing scams create a sense of urgency in the message to get you to act out of fear or concern. For instance, the email might say that they’ve noticed suspicious activity on your account. They might also say there is an issue with your account or your payment information that needs immediate attention. 

Request for personal information

Phishing attacks will usually ask for some form of personal information. It can be anything from your account login to your social security number to credit card information. 

Generic greeting

Because hackers send phishing emails out to lots of recipients, the greeting is usually very generic. It might say “Hello” or “Dear customer” without your name. If the email is coming from a company that you know and use, the real company would use your name to address you. 

Clickable links

You should be suspicious of any email that includes a link. While plenty of legitimate emails have links, most phishing attacks also use links. Do not click on any link unless you’re positive that it is authentic. We’ll get into the details about what to do if you suspect a phishing attack later in this guide. 

Offer free prizes or discounts

Phishing emails may offer free things like prizes or discounts on goods and services. The email might say that you’ve won a sweepstakes or that a company you subscribe to is offering something free to customers. 

What to do if you suspect a phishing attack

Consider the sender

The first thing to do when you receive an email is to make sure you actually have an account with the company that contacts you. If you receive an email about your Instagram being hacked but you don’t even have an Instagram account, it’s probably a phishing attack. The same goes for emails from individuals. If you know the person’s name, double-check the sender’s email address very closely against the address you have saved in your address book. A hacker can easily change just one letter or number in the email address to spoof it. If you’re still unsure, it’s best to call the person or company directly.

Go straight to the company

If a company that you trust sends you an email that seems a bit, well, fishy, go straight to the company. Don’t click the link in the email or reply to it. Instead, open a new browser window and go to the company’s website to get their contact information directly. You can either call the company or send them an email. We’d recommend calling for the quickest response to ensure your account isn’t compromised.

Don’t click the link

If you suspect that a link in an email is a phishing attack, do not click it. Hackers can easily change the visible name of a web link to make it look like it points to a legitimate site. To see the actual link address, hover over the link (but DON’T click). Before hovering over the link it might look like “amazon.com,” but when you hover over it, it may have random numbers and letters added to the address. It’s best to go straight to the company’s website rather than clicking on the email link if you think the email could be legit.
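The two checks described above, a sender address that is one character off a saved contact and link text that names a different site than the one the link actually goes to, as an added Python example; this is not code from InMyArea.com, and the sample message, sender address and address book are constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed sample message (not a real email): the sender domain is one
# letter off from a saved contact, and the link's visible text says
# amazon.com while its href points at an unrelated host.
SAMPLE_FROM = "alerts@amazom.com"
SAMPLE_HTML = ('<p>Dear customer, confirm your payment at '
               '<a href="http://198.51.100.7/a9f3k2/login">amazon.com</a> now.</p>')
ADDRESS_BOOK = {"amazon.com", "facebook.com"}  # domains of contacts you know

# Simplified anchor matcher for the demo; a real mail client would use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def shown_host(text):
    """Reduce link text such as 'https://Amazon.com/deals' to the host it appears to name."""
    return re.sub(r"^https?://", "", text.strip().lower()).split("/")[0]

def mismatched_links(html):
    """Return (visible text, real host) for every link whose text names a domain
    other than the host the href actually leads to (the hover-over check)."""
    bad = []
    for href, text in ANCHOR.findall(html):
        shown, host = shown_host(text), (urlparse(href).hostname or "").lower()
        if (re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", shown) and host != shown
                and not host.endswith("." + shown)):
            bad.append((text, host))
    return bad

def one_edit_apart(a, b):
    """True when a and b differ by exactly one substituted, inserted or deleted character."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) < len(b):
        a, b = b, a
    return len(a) - len(b) == 1 and any(a[:i] + a[i + 1:] == b for i in range(len(a)))

def lookalike_sender(from_addr, known_domains):
    """Return the known domain a sender is imitating when its own domain is one
    character away from it, else None."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    return next((k for k in sorted(known_domains) if one_edit_apart(domain, k)), None)

if __name__ == "__main__":
    print("suspicious links:", mismatched_links(SAMPLE_HTML))  # [('amazon.com', '198.51.100.7')]
    print("look-alike sender of:", lookalike_sender(SAMPLE_FROM, ADDRESS_BOOK))  # amazon.com
```

A link whose text is just “Click here” is not flagged by the first check, so it complements rather than replaces the hover-over habit.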

Ways to prevent phishing attacks

It’s best to be proactive so that you can stop phishing attacks before they even happen. To prevent phishing attacks we recommend the following:

  • Change the passwords to your accounts regularly.
  • Avoid giving out personal information unless absolutely necessary.
  • Make sure that the sites you visit start with “https” instead of “http,” or that your browser identifies the site as secure: websites that begin with “https” are much more secure than those with “http.” If you think a website might be a phishing attack, double-check that the web address starts with “https.” Popular browsers like Chrome and Safari will also indicate that a site is secure by placing a lock icon or the word “secure” to the left of the site’s name.
  • Install antivirus software on your computer: popular software providers include McAfee and Norton. 
  • Don’t click on pop up ads on websites: many pop up ads on websites will lead you to malicious phishing sites when you click on them. 
  • Inspect every email for the common signs of phishing attacks that we discussed earlier in this guide.
  • Use your web browser’s anti-phishing toolbar: these toolbars will alert you if you attempt to type login information into a website that isn’t legitimate. Chrome offers its own anti-phishing toolbar, which you can install here.
  • Use two-factor authentication: most websites that require login information allow you to use two-factor authentication to sign in. When you type in your username and password, the site will send a verification code to your phone number. You’ll type that code in on the website when prompted. That way, if a hacker attempts to use your login information, they won’t be able to get in because the verification code will be sent to you instead of the hacker. This also means that you’ll be alerted immediately if someone is trying to log into your account. 

How to report a phishing attack

If you identify a phishing attack, report it to the FTC immediately. You can report it in two simple steps:

  1. For phishing emails, forward them to the FTC at spam@uce.gov and Anti-Phishing Working Group at reportphishing@apwg.org. For SMS phishing attacks, forward the text to SPAM (7726).
  2. Report the attack to the FTC at ftc.gov/complaint.

If you are reporting a phishing attack that you fell victim to visit the website IdentityTheft.gov. Depending on the information that the hacker stole from you, the site will give you specific steps to take.

In summary: Phishing attacks happen most commonly over email, but they can also take place via SMS, phone calls, and pop-up ads. Typically the hacker will pretend to be a company or person that you trust. The email will contain a link to a malicious site that will either steal your sensitive information or install malware on your device. The most common characteristics of a phishing attack to look out for are:

  • A sense of urgency
  • Request for personal information
  • Generic greetings
  • Clickable links
  • The promise of prizes or discounts

If you believe that you have been targeted in a phishing attack, make sure to report it to the FTC to prevent the spread of the scam.