  • Jeffrey Ransom

How to avoid the Phisherman’s Hook

As we navigate through the waves of the new year, with resolutions and aspirations in tow, it’s crucial to remain vigilant in the digital sea where a distinct figure still lurks – the Phisherman (pronounced “fisherman”). Much like a skilled angler casting a line, the Phisherman specialises in the art of phishing, a nefarious practice using diverse mediums like emails, phone calls, or text messages to hook personal and business information, as well as your hard-earned money.


What is phishing? 


To delve a bit deeper, phishing is intertwined with the delicate dance of social engineering. It involves cunning attempts to entice individuals into surrendering private information – such as passwords, credit card details, sensitive data, and more. While phishing scams traditionally manifested as blatant spam emails, distinguishable by telltale signs like misspellings or incorrect email addresses, the landscape is constantly evolving. The next iterations of these schemes are more sophisticated. Much like a fisherman choosing the perfect bait, these malicious actors manipulate our digital behaviour, exploiting vulnerabilities in our habits. For example – a phishing email may sport a QR Code instead of a conventional link, banking on the reflex to scan without a second thought – a modern twist to an age-old trick.


Phishing, however, is not only confined to the depths of your inbox. The net is cast wider, extending to phone calls and text/social media chat messages. Some more audacious criminals may pose as law enforcement or official institutions, hoping to use falsely placed trust as a method to reel in sensitive information. Whether the lure is an urgent phone call or an innocent-looking message, a cautious approach is highly important.


Different types of phishing


Just like a savvy angler switching up their bait based on the catch they’re after, the Phisherman adapts their tactics to manipulate and lure us into their line of deceit. While we can’t detail every piece of bait they use, we can certainly identify trends and group their tactics into a few main categories.  


  • Email Phishing: This is the go-to move for most Phishermen. They craft emails that mimic legit companies or individuals, aiming to trick you into clicking links or downloading attachments packed with nasty software.

  • Vishing (voice phishing): Someone calls you claiming to be from your bank, credit card company, etc., and says they need personal information in order to "verify" your identity.

  • Smishing (SMS phishing): An SMS message that appears on your phone that looks like it's from an organisation such as PayPal or Apple—or even someone who knows you well—asking for personal information.

  • Pharming: In pharming attacks, hackers create a clone website (known as a "pharm") that looks like the real thing but actually hosts malware instead of the genuine content you were expecting.

  • Spearphishing: This is a type of attack that targets specific individuals or companies. This type of phishing usually comes with an attachment or link to a website that asks for personal information. The emails often appear to be from legitimate organisations like banks or tax agencies, but they're not.

  • Whaling: Whaling attacks are similar to spearphishing, but they target high-level executives in large corporations and government agencies. These attacks usually take the form of email attachments or links that contain malware that can steal sensitive data from computers belonging to high-ranking employees.


How to identify a phishing attack?


Spotting a phishing attack is crucial to avoid falling prey to the Phisherman’s cunning tactics. Here are some telltale signs to help you distinguish the fake from the real:


  • Unusual contact details: Keep an eye on the email address, website link, or phone number. Even if it seems familiar, watch out for misspellings, formatting errors, or the use of a private number. It might look almost right, but not quite.

  • Strange subject lines or text: If the subject line or body text feels off or different from the usual tone of the person supposedly sending it, be cautious. Verify with the person through another mode of communication before responding; it could be a clever ploy to exploit familiarity.

  • Pressure or urgency: Multiple messages or persistent phone calls pressuring you to divulge information should raise red flags. Malicious actors often use urgency to trick you into releasing sensitive details. Take a step back and assess the situation.

  • Caution with links and attachments: Check for unnecessary links or attachments in the email. Avoid opening attachments unless absolutely necessary, and only if they come from someone you know and trust. Verify the legitimacy of attachments using websites like VirusTotal for an extra layer of security. 
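For readers who triage reported mail, the "unusual contact details" and "pressure or urgency" signs above can be turned into a first-pass check. This is an added example, not part of the original article; the trusted-domain list, the urgency phrases, the two-character threshold and the sample messages are all assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumed allow-list of domains this mailbox genuinely hears from (constructed).
TRUSTED_DOMAINS = {"paypal.com", "apple.com", "example-bank.com"}
# Assumed pressure phrases; tune to your own mail.
URGENCY = re.compile(r"\b(urgent|immediately|act now|verify your (?:identity|account))\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(from_header, subject, body):
    """Return the warning signs found in one message (empty list if none fired)."""
    signs = []
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain not in TRUSTED_DOMAINS:
        # Punycode or raw non-ASCII labels can render as look-alike characters.
        if "xn--" in domain or not domain.isascii():
            signs.append("non-ascii-domain")
        # "Almost right, but not quite": one or two characters away from a trusted domain.
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(domain, trusted) <= 2:
                signs.append("lookalike-of:" + trusted)
            # Display name names a trusted brand, but the address is somewhere else.
            if trusted.split(".")[0] in display.lower():
                signs.append("display-name-mismatch:" + trusted)
    if URGENCY.search(subject) or URGENCY.search(body):
        signs.append("urgency-language")
    return signs

# Constructed sample messages: (From header, subject, body).
SAMPLES = [
    ("PayPal Support <service@paypa1.com>", "Urgent: verify your identity", "Click the link."),
    ("PayPal <service@paypal.com>", "Your receipt", "Thanks for your payment."),
    ("Apple <id@xn--pple-43d.com>", "Invoice attached", "See attachment."),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], "->", check_message(*sample))
```

A flagged message is a prompt to verify through another channel, not proof of phishing; a short legitimate domain can sit within two characters of a trusted one.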

 

In our next instalment, we will guide you through some protection and prevention tips to secure your digital waters, as well as what to do should you find yourself entangled.


Stay tuned for more valuable insights in our upcoming article.

 
