How to Avoid Phishing Scams
Updated December 28, 2020
What is Phishing?
Staying safe online is no easy task, even more so with the advent of automated phishing scams which are most frequently created so that people give away sensitive information such as website logins or banking details.
Phishing scams often make use of electronic communication, such as social media posts, emails, text messages or instant messaging and are sent by accounts/people who are either known to the recipient or appear to be from someone they know and trust.
It is the implicit trust factor that makes phishing scams so successful. We’re conditioned to click links or open messages from those we trust – it’s the foundation of modern electronic communication.
Unfortunately, once a link is clicked and details entered, scammers now have access to that personal information and can use it for nefarious purposes.
How Big is the Phishing Scam Problem?
With nearly 300 billion emails being sent every day, it’s all too easy to assume that email is a safe way to communicate – and it generally is safe, but not always.
Symantec has estimated that .05% of emails are part of phishing attacks. It doesn’t sound like much, but works out to around 150 million phishing scam emails being sent daily.
Over time, computer users are getting better at avoiding obvious scams, so scammers are getting more sophisticated in their approach. In fact, phishing attacks are increasing in number each year at a double-digit rate.
Of the 150 million email phishing scam attempts sent each day, roughly 10% get past defensive software and land in the inbox. Of those, approximately half get opened by their intended recipients.
Types of Phishing Scams
Phishing is a large area, with multiple attack vectors and different types within each.
Whether you refer to the various approaches as categories, channels, vectors, modes or methods, the point remains – attacks come at us from multiple directions, often simultaneously. Phishing approaches include:
Email-based Attacks (Email Phishing)
Probably the one that we’re the most familiar with, email-based phishing scams are traditionally thought of as the mass-blast approach where the perpetrator sends out thousands, or even millions, of emails, in hopes that a percentage of them will get through, then opened and ultimately clicked.
Corporate firewalls and antivirus programs are getting more adept at stopping dangerous emails from arriving in user inboxes, but personal computer (non-corporate) users are not as well fortified. With each iteration of improved detection comes an iteration of increased sophistication of attacker methods, staying one step ahead.
Search Engine-based Attacks (SEO Phishing)
Search engine-based phishing scams (SEO phishing) have been recognized by major search providers like Google (and Bing) and have diminished in volume as compared to several years ago. It used to be that a significant percentage of search results were dangerous, that people wouldn’t recognize them as such and would visit them with disastrous results.
In more recent years, Google and Bing have started to remove dangerous sites from the search results as well as labeling them as potentially hazardous, thus preventing searchers from visiting. That said, there are still many dangerous sites in the SERPs.
SMS-based Attacks (SMishing)
Much less common, much more effective, and often much more dangerous, SMS phishing scams occur when someone sends an SMS message that appears to be an order confirmation, delivery confirmation, notification of system access, prompt to update security details or otherwise prove that they are indeed the right recipient.
It’s all too easy to send an SMS that appears to be from a legitimate source, making links in SMS messages particularly dangerous!
Social Media-based Attacks (Social Phishing)
As people spend substantial amounts of time on social media sites, attackers have leveraged this avenue of scamming by compromising their targets via social media networks and messenger clients.
Don’t think that social media phishing scams are simple, or limited, in nature. As the public gets more familiar with common scams like the Nigerian 419 banking scams, the attackers come up with new angles, ranging from appearing to finding compromising information about a person that they need to attend to, to looking like they’ve got details about a cheating spouse. The list is nearly endless.
Voice-based Attacks (Vishing)
Voice phishing, or vishing, isn’t just placing calls to people in order to social engineer them to do something, or give certain information, though these are quite common. Voice phishing can be tied to SMishing to get people to call certain numbers, often with huge toll charges involved, without the caller realizing how expensive it will be to place the call.
Social engineering can be as simple as getting a receptionist to give over the schedule of a company executive, allow access to a secure area of a building or even as much as providing login details which can be used to remotely access the company network.
Types of Attacks:
Fake Authority Accounts (aka Impersonation)
Sometimes appearing as celebrities, politicians, brand representatives or company executives, impersonation scams involve pretending to be some authority figure and using them to spread messaging that’s untrue, damaging to the brand or otherwise inciting the reader to take action that’s expensive or dangerous.
Malware, once installed on user computers, can be used to log keystrokes (like usernames and passwords), perform events like clicking on paid advertisements or even running cryptominers (like bitcoin mining). Malware most commonly is used to generate revenue for the scammers by having your computer perform automated activities, though occasionally is used to glean personal information for other purposes.
Personal Detail Theft
There are times when phishing scammers are wanting your login details or other personal information, like birthdate, mother’s maiden name, address and telephone number. Detail theft can include bank account details and website login credentials so that they can impersonate you, order products and empty your accounts through transfers.
Links can sometimes look like they point to one site, but in fact point to another. This happens 100% of the time when using URL shorteners, a common occurrence on social media sites, messengers and in SMS messages.
How to Protect Yourself Against Phishing
Avoiding phishing scams takes work. It means being aware, careful and taking extra steps. It means removing some of the convenience of instantly responding, instantly clicking or instantly answering questions and requests that come your way.
Call Them Back
If you’re not 100%, absolutely, positively certain as to the identity of the person on the other end of the phone, when they’ve called you…. Make note of their company, department and name then go online, find the number for them and call them back.
This includes companies like banks, government agencies, retailers and corporate offices.
If someone asks you for information to identify yourself, remember that they can use that information in pretending to be you as they login to other websites.
Don’t give out your date of birth, account details or other personally identifying information until you have called the right number.
DO NOT ask for their number and call that number to see if it’s them. Look up the number online and call the known good number directly. Ignore any number they tell you to call.
Antivirus and Firewall – Installed and Updated
There’s no excuse for having a computer that doesn’t run an antivirus / firewall combination. With tons of choices in the market, pick one of the more popular ones, check their reviews and install it.
Keep it updated. An antivirus application that has out of date signatures is as dangerous as eating mystery meat from the fridge that’s gone out of date weeks ago. Keep it updated.
Operating System – Updates
Windows, MacOS, Linux or other…. Operating systems need to be kept up to date, because compromises can occur as a result of out of date system files.
Don’t Open Links Without Checking
Links are the crux of the issue with most phishing scams. If you never open a link sent by someone, you’d avoid 95% of phishing attacks. However, this means you’d also miss out on a lot your friends, neighbors and family have to share.
Instead of ignoring all links, check them first.
If you’ve got a security suite installed, check to see if it has a link checker as one of its functions. If not, then copy and paste any links into a link checker before actually clicking and following the link.
One easy to use free tool is available from Google via the Safe Browsing tool:
Another similar tool is Safe Web from Norton:
A perennial favorite is from long-standing antivirus provider VirusTotal:
Don’t Open Email Attachments Unless First Requested by You
If you didn’t ask for someone to send you an attachment, don’t open the attachment directly. Instead, save the attachment (without opening it) and then submit the file to VirusTotal above, where there’s an option to upload and check attachments.
Sometimes just viewing an attachment is enough to trigger the payload and cause your system to become compromised.
Protect Your Personal Information
Remember that personal information can be the obvious stuff, like account numbers, logins and passwords. Personal information can also be the information that’s used to recover lost passwords and do resets – like secondary validation such as mother’s maiden name and date of birth.
Do not provide personal information to someone who calls you. As above – call them back first at a number found on the official website of the company.
Your secondary validation details are just as dangerous as your primary ones.
Don’t Re-Use or Multi-Use Passwords
If you’re using a password across multiple sites, it’s time to wake up and smell the coffee. You can easily get one site compromised and suddenly a scammer can use your logins across multiple sites.
This becomes particularly nasty when you don’t worry much about protecting details on a non-secure site that has nothing of value (no purchases, no banking, no financial matters), but you use the same login credentials there as you do across other more secure sites.
Using the same passwords across multiple sites is seriously dangerous!
Be Alert for Urgent Messages
When you’re getting messages about a pending transaction, overdue charge, item about to ship or anything which purports to be about money you don’t remember spending, for purchases you know you’ve never made or other financial matters that don’t sound right, think, take a deep breath and think some more.
Look up the company official phone number online and call them to discuss.
Do not open the link. Do not answer the phone and treat them as official representatives.
Look up the company official phone number online and call them to discuss.
Phishing scams are rampant, costly and difficult to defend against without effort.
Take the time to protect yourself. Take the time to investigate. Take the time to think about the possibility that someone is scamming you.
Lucky for you, KnownHost offers security optimizations as well as custom DDoS protection, top-notch security is preconfigured to your installation BEFORE ever logging into your account for the first time! Start taking the right security precautions and migrate to KnownHost today!