
Phishing 101: Your Complete Guide To Phishing

by Cyrus Grant

When it comes to modern scams, phishing is undeniably one of the most prevalent. In 2023 alone, researchers found that over 1.76 billion phishing emails were sent out worldwide. Much like real fishing, phishing uses links as bait to “catch” victims, tricking them into giving up sensitive information. These phishing attacks have proven extremely effective, which is why we are here to provide a full guide on everything you need to know about phishing so you can stay safe. 

Let’s get into it.

What is Phishing?

The basic concept of phishing is that scammers pose as a trusted source and provide a fraudulent link via email or text that tries to get victims to click on it under some false pretense. The end goal is to either get malware on victims’ computers or to trick victims into unknowingly giving up valuable private information.


How Does Phishing Work?

Scammers can use a variety of tricks and approaches when it comes to phishing attacks, but in general, this is how a phishing attack works:

  1. Victims receive an email, text, or social media DM (direct message) claiming to be from a trusted source (e.g., their bank, USPS, a government agency, customer support, etc.).
  2. The message will generally have some sort of urgency, requiring the recipient to click an attached link to supposedly address the issue.
  3. Victims who click on the link are taken to a website that resembles the authentic website of the organization that is supposedly contacting them (known as website spoofing).
  4. Victims are then prompted to log in and enter sensitive information in order to resolve the problem they were contacted about (all of which is completely made up, unbeknownst to the victim).
  5. Scammers then have the victim’s login information and other valuable information to fraudulently use or even sell on the dark web.

Phishing attacks are a form of social engineering — they rely on deception to trick people into revealing private information. This is most often accomplished by sending victims messages with notices that are both urgent and plausible, such as a missed payment, an arrest warrant, a (fake) fraudulent charge notice, or any other message that might cause someone to panic and ignore the red flags pointing to a scam.


Types of Phishing Attacks

While most common phishing attacks are link-based, phishing has sprouted an abundance of offshoots that function slightly differently but share the same end goal: scamming people out of their information or finances.

Here are a few popular types of phishing attacks: 

  • Email phishing: When you think of phishing, email phishing is the original. These emails will either have links or even malicious downloads that can infect a victim’s computer should they install the infected file(s).
  • Smishing (SMS phishing): After email phishing, smishing (SMS + phishing) is the next most common. You’ve likely received a text from an unknown number claiming to be your bank and providing a link to stop a fraudulent charge (or some other made-up problem). It’s standard phishing, just done via text message.
  • Vishing (voice phishing): Vishing is what you get when you blend voice + phishing. These attacks are done via phone calls where someone calls claiming to be from an organization like the bank or IRS (just like with regular phishing). They will then guide victims to go to a fake website, hand over credit card information, or even directly transfer money. Recently, scammers have also begun to use AI to mimic voices, tricking people into thinking they are receiving an emergency call from a loved one urgently requiring money.
  • Quishing (QR code phishing): A newer form of phishing, quishing (QR code + phishing) takes advantage of the widespread adoption of QR codes for things like menus and parking payments. Scammers go around putting up fraudulent QR codes (often sticking them right on top of a real QR code) in order to get people to unknowingly scan them and enter private information or credit card details.
  • Spear phishing: Phishing is typically successful because scammers can cast their net wide and try to get as many people as possible to see their fake message and click on the link within. Spear phishing, however, is a targeted phishing attack where scammers already have some baseline of knowledge about an individual, and use that insight in an attempt to get the victim to disclose more information. This is often effective because people will assume the scammers are whoever they claim to be, due to them having more intimate information, much like a legitimate institution would.
  • Whaling: Whaling attacks are similar to spear phishing, with the difference being that the targets are always high-ranking executives of some sort. The goal of these attacks is actually to get high-level access to the target’s business, proving to be more lucrative than going after an individual’s assets/information.
  • Clone phishing: Also quite similar to spear phishing and whaling, clone phishing picks out a target group of users (usually from a certain business) and sends them a phishing email that looks exactly like a trusted source that the victims often interact with. This is once again an attempt to gain access to and compromise a certain business.
  • Watering hole attack: The most complex of the phishing attacks on this list, watering hole attacks compromise legitimate websites and change out the legitimate links on the site for malicious ones. These links either quietly download malware onto users’ computers, or redirect users to a spoofed clone website that tricks users into divulging private information.

How To Spot a Phishing Attack

Phishing messages are very specifically designed to look legit, but that doesn’t mean they are without a few tells. Here are things to look for before clicking any link:

  • Take a good look at the sender’s address. If it looks off, it’s probably a phishing attempt. Scammers will often have email addresses that look very similar to authentic addresses, but they will differ in subtle ways. For example, be wary of “.org” when you know it should be a “.com” and any other slight differences, such as “l” (L) being swapped out with an “I” (i) or vice versa.
  • Messages with urgent, fear-inducing language are another common sign of a phishing attack. If you stay calm and pay attention to the details, red flags start to pile up. While you don’t want to ignore a real notification, authentic messages won’t be written in an inflammatory manner, unlike phishing messages.
  • Be on the lookout for overreaching requests. Organizations/customer support aren’t going to ask you to download programs or give up private information like financial details. They also certainly won’t demand payment, so if any odd requests are made, it’s time to disengage.
  • This one is simple, but look for poor grammar. Scams come from all over the world, and as such, many messages are written poorly or, at the very least, oddly worded. If you notice the grammar is off, it’s most likely a scam.

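As an added example (not part of the original article), here is a small Python checker that applies the sender-address tells above: it pulls the domain out of a From: header, folds the “l” vs “I” style look-alike characters, and flags a wrong top-level domain (.org for .com), a brand name embedded in an unrelated domain, or a one-letter typo. The trusted-domain allow-list and the function names are constructed for this illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list of domains the reader actually deals with (assumption for this example).
TRUSTED_DOMAINS = ("examplebank.com", "usps.com", "irs.gov")

# Visual look-alikes: the article's own "l" vs "I" tell plus a few other common swaps.
# The single-character table is applied BEFORE lowercasing so a capital I folds into "l".
SINGLE_CHAR_SWAPS = str.maketrans({"I": "l", "1": "l", "0": "o"})
MULTI_CHAR_SWAPS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def canonical(domain: str) -> str:
    """Collapse a domain to roughly what the eye sees, so look-alikes compare equal."""
    d = domain.strip().translate(SINGLE_CHAR_SWAPS).lower()
    for pair, single in MULTI_CHAR_SWAPS:
        d = d.replace(pair, single)
    return d


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: value such as 'Bank <alerts@examplebank.com>'."""
    m = re.search(r"@([A-Za-z0-9.\-]+)", from_header)
    return m.group(1) if m else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, min_ratio=0.8) -> str:
    """Return 'trusted', 'unknown', 'no-domain' or 'lookalike-of:<trusted domain>'."""
    domain = sender_domain(from_header)
    if not domain:
        return "no-domain"
    lowered = domain.lower()
    for good in trusted:
        # An exact match or a genuine subdomain (alerts.examplebank.com) is the org's own.
        if lowered == good or lowered.endswith("." + good):
            return "trusted"
    canon = canonical(domain)
    for good in trusted:
        good_canon = canonical(good)
        if canon == good_canon:                                      # homoglyph swap: exampIebank.com
            return f"lookalike-of:{good}"
        if canon.rsplit(".", 1)[0] == good_canon.rsplit(".", 1)[0]:  # wrong TLD: .org instead of .com
            return f"lookalike-of:{good}"
        if good_canon in canon:                                      # brand embedded: usps.com-delivery.net
            return f"lookalike-of:{good}"
        if SequenceMatcher(None, canon, good_canon).ratio() >= min_ratio:  # one-letter typo
            return f"lookalike-of:{good}"
    return "unknown"
```

A "lookalike-of" result is a strong cue to skip the link and contact the organization through its verified website instead.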
These are a good starting place, but some scammers are better than others, which means you’ll always have to keep your wits about you as scammers develop new ways to hide their tells. 

How To Avoid Phishing Attacks

In an ideal world, you’ll always be able to tell when a message is a phishing attack. After reading this article, you’ll have a better shot at avoiding becoming a victim of a phishing attack, but you still shouldn’t let your guard down. Outside of looking for the common signs, the most effective piece of advice is to never click links you aren’t 100% confident in.

If you get a notification requiring immediate action, ignore the attached link and go directly to the source. For example, if you get a text claiming to be from your bank, disregard the link and phone number in the text and instead go to your bank’s verified website to contact them. If you have in fact been compromised, they’ll be able to help, but if not, you’ll know it was just a phishing attempt.

Another tell: if you use a password manager that autofills login forms, it won’t fill them in on a spoofed website, because the saved login is tied to the real site’s address. If you notice your password isn’t auto-filling like normal, make sure you’re on the correct site.


Phishing Examples

There’s a good chance a phishing attempt has come across one of your devices, but here are a few common phishing examples for you to look out for:

  • Fake bill or invoice: This phishing attempt will pretend to be from an organization (like the IRS) telling you that you have an outstanding balance of some amount and that you must pay in order to avoid additional fees.
  • “Your account has been compromised” alert: Another common phishing attempt will claim that your account has been compromised and that you must log in to resolve the issue.
  • Fake customer support: If customer support reaches out to you unrequested, there’s a good chance it’s a phishing attempt. That becomes 100% a phishing attack if they ask for any private information or payment.

The list could go on and on, but a large number of phishing scams are some variation of the ones above. Remember, if you receive a link unprompted, have your guard up.

Don’t Take the Bait

Scammers are able to reel in countless victims through phishing every year, but the best thing you can do is be informed. Look out for the common red flags, trust your gut, and never ever (seriously, don’t do it) click on a link that you aren’t 100% confident in. 

Receive a message from someone but aren’t sure it’s legit? Use Spokeo to find out who’s messaging you, and if they are who they claim to be. It’s good to err on the side of caution, but it’s even better to be sure.

Cyrus Grant is a writer from Southern California with a background in law and dispute resolution. When he isn’t writing he can be found deep-diving into the latest technology trends or simply spending time at the beach.