New Phishing Attacks in Light of COVID-19

November 4, 2020
Authors: Emily Glazier and Henry Kenyon


What is a Phishing Attack?

Phishing is when a scam request, often in an email or text message, is sent to a large number of individuals asking for confidential information. It uses seemingly trusted sender information to lure the victim into clicking a link and providing passwords. There are multiple types of phishing, including:

  • Whaling
    • When phishing messages are directed to a company for malicious intent.
  • Spear-phishing
    • A phishing attack that targets an individual, trying to get sensitive information based on personalized messages.

The attacker(s) can then download malware onto your computer that can trace your online activity. They can also gain access to your confidential information, such as your Social Security Number (SSN), driver’s license, address, name, date of birth (DOB), and so on.


How Can They Start?

Phishing attacks can start from emails, text messages, attachments, downloads, or unsecured websites. Attackers craft their messages to look appealing so that people will click links or download files. Often, people download files or click on links without verifying the authenticity of the website or where the files are coming from. This can put users in a risky situation, as someone is now gaining full access to their systems and accounts.


Examples of Phishing Attacks

Email Phishing

The most common type of phishing attack, and one that users can see on a daily basis, arrives through email. The emails can be designed to appear as if they come from an official company, organization, or person, when they are actually trying to phish your personal information. This includes sending malicious files to download, links to fake websites (that may not look fake), or direct requests for information. For example, people may get emails from “Amazon” claiming that they need to verify their card number and address. This is a classic example of phishing, as Amazon would not email you to do that.

Packages

A common phishing attack that surfaced in 2020 is a text message informing the recipient that they have a package from the United States Postal Service (USPS) that they need to pick up, followed by a link to the ‘package’. Once the link is clicked, the phishers ask for personal information, including bank information, and use whatever is entered to make unauthorized purchases. This type of phishing attack aims to lure a victim in by making them believe that they are picking up something they ordered. There has also been speculation that the links provide the phisher with the victim’s location, potentially leading to organized human trafficking. However, that has not been proven and has been widely denied by organizations against sex trafficking.

Car Warranty or Insurance

Another phishing scheme that frequently affects users involves a phone call about a ‘car warranty.’ The automated caller usually begins by saying, ‘We have been trying to reach you’ and uses scare tactics about the vehicle’s warranty or insurance being expired to gain sensitive information. Once the information is gained, the phishers usually try to impersonate the user, make purchases on their behalf, or steal money.


COVID-19 Specific Phishing Scams

  • Due to the fear around COVID-19, pandemic-related phishing attacks have begun to occur
  • Some COVID phishing attacks include emails asking for banking information for a COVID vaccine, even though there are no official vaccines approved for use in the United States
  • Others target people who may be afraid of COVID and offer fake resources or forums

Staying Safe

Staying safe from phishing attacks starts by recognizing the signs of a fraudulent message.

  • Check for spelling errors and suspicious information in messages and emails
  • Strange terminology, phrases, or grammar
  • Avoid clicking redirecting links that you don’t recognize. For example, if your “bank” emails you saying you need to log in to verify your account and provides a link, do not click it. Instead, open a new tab in your browser and go to the bank’s website directly. You can also “hover over” the link to see where it actually redirects to

If you receive a suspicious or random email from someone you know, such as a family member, friend, or coworker, confirm with them personally that they sent you the message.


How Can You Report Phishing?

You can go to the Federal Trade Commission website and the Anti-Phishing Working Group to report phishing attacks. They recommend that you forward the scam to them at reportphishing@apwg.org so they have the original text data for analysis. Alternatively, you can also call/text the phone number, 7726 (SPAM), to report the incident.


