Phishing 102: Types, Examples, and How to Detect Phishing
Yesterday, we introduced phishing and its importance in cybersecurity. Today, we’ll dive into the types of phishing, provide real-world examples, and equip you with practical tips on how to detect phishing attempts. With phishing attacks becoming increasingly sophisticated, knowing what to look for can save you from falling victim.
Types of Phishing
1. Email Phishing
Attackers send fake emails that appear to come from legitimate organizations. These emails often use urgent language to manipulate you into clicking on malicious links or downloading attachments.
Example:
A message claiming your bank account will be locked unless you "verify your details" via a link.
How to Detect It:
• Look for generic greetings like "Dear Customer."
• Check the sender’s email address for subtle misspellings (e.g., support@bannk.com).
• Hover over links to see if they match the sender's domain.
2. Spear Phishing
A targeted attack that uses personal information (like your name, role, or company) to make the scam more convincing.
Example:
An email claiming to be from your HR department asking you to confirm confidential information.
How to Detect It:
• Be wary of unexpected requests for sensitive information.
• Confirm with the sender through another channel, like a direct phone call.
3. Smishing (SMS Phishing)
Attackers use text messages to lure victims into clicking malicious links or sharing sensitive information.
Example:
A text saying, "You’ve won a prize! Click here to claim it."
How to Detect It:
• Watch for texts from unknown numbers with urgent or tempting offers.
• Avoid clicking links in unsolicited messages.
4. Vishing (Voice Phishing)
Scammers impersonate trusted entities over the phone to extract sensitive information, such as credit card numbers or account details.
Example:
A caller pretending to be from your bank, asking you to "confirm" your PIN to prevent unauthorized transactions.
How to Detect It:
• Legitimate organizations will never ask for sensitive information over the phone.
• Hang up and call the organization directly using their official number.
5. Clone Phishing
Attackers duplicate a legitimate email and replace its links or attachments with malicious ones.
Example:
You receive what appears to be a follow-up email from your service provider with an updated attachment that’s actually malware.
How to Detect It:
• Compare with previous communications.
• Verify links and attachments before opening.
6. Pharming
This involves redirecting users from real websites to fake ones through DNS manipulation.
Example:
Typing in "bank.com" redirects you to a fraudulent site.
How to Detect It:
• Look for subtle differences in the website URL.
• Check for HTTPS and a valid security certificate.
How to Detect Phishing
1. Examine the Sender’s Details
• Check for typos or inconsistencies in email addresses or phone numbers.
• Legitimate organizations often use official domains, not free services like Gmail or Yahoo.
2. Look for Generic or Suspicious Language
• Phrases like "Dear Customer" or "Urgent action required" are common red flags.
• Scammers often use emotional triggers, like fear or greed, to manipulate you.
3. Hover Over Links
• Before clicking, hover your mouse over any link to preview the URL. If it doesn’t match the supposed sender’s domain, avoid it.
4. Beware of Unexpected Attachments
• Phishing emails may contain attachments with malware. If you weren’t expecting a file, don’t open it.
5. Verify Requests for Sensitive Information
• Legitimate organizations will never ask for passwords, credit card numbers, or personal information via email or text.
6. Use Multi-Factor Authentication (MFA)
• Even if your credentials are compromised, MFA can prevent unauthorized access.
7. Trust Your Instincts
• If something feels off, double-check. It’s better to be safe than sorry.
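The checklist above can also be applied by a script before a message ever reaches a reader. The following is an added example, not code from the original post: a small Python heuristic that runs the sender-domain, generic-greeting, urgency-language and link-target checks over a constructed sample message modelled on the bank example earlier in this post. The trusted domain, the phrase lists and the 0.8 similarity threshold are assumptions chosen for illustration, and domain parsing uses a naive last-two-labels rule rather than a public-suffix list.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
URGENCY_PHRASES = ("urgent action required", "will be locked", "verify your details")

def registered_domain(host):
    # Naive "last two labels" approximation of the registrable domain (no public-suffix list).
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

class LinkExtractor(HTMLParser):
    # Collects (href, visible text) pairs: what the link says versus where it really goes.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(sender, subject, html_body, trusted_domain):
    """Return the checklist red flags this message triggers; an empty list means none fired."""
    flags = []
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1])
    # Lookalike sender: almost, but not exactly, the trusted domain (0.8 threshold is an assumption).
    if sender_domain != trusted_domain and SequenceMatcher(None, sender_domain, trusted_domain).ratio() >= 0.8:
        flags.append(f"lookalike sender domain: {sender_domain}")
    text = re.sub(r"<[^>]+>", " ", html_body).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    if any(p in text or p in subject.lower() for p in URGENCY_PHRASES):
        flags.append("urgency language")
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, shown in parser.links:  # the "hover over the link" check, done programmatically
        target = registered_domain(urlparse(href).hostname or "")
        if target != trusted_domain:
            flags.append(f"link '{shown}' actually points to {target}")
    return flags

# Constructed sample modelled on the bank example earlier in this post (not a real message).
SAMPLE = dict(sender="support@bannk.com", subject="Urgent action required", trusted_domain="bank.com",
              html_body='<p>Dear Customer, your account will be locked unless you <a href="http://bank.com.secure-login.example/verify">verify your details</a>.</p>')
```

Calling `phishing_indicators(**SAMPLE)` reports all four red flags, while a genuine statement notice from `alerts@bank.com` linking to `www.bank.com` returns an empty list.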
Examples of Phishing in Action
1. The PayPal Scam
You receive an email claiming there’s an issue with your PayPal account, prompting you to log in using a fake link.
2. The Job Offer Scam
Scammers promise high-paying jobs but ask for upfront fees or personal details.
3. The Netflix Scam
You receive an email claiming your Netflix account is on hold due to a failed payment. It provides a link to "update your payment information," but the link leads to a fake site designed to steal your credit card details.
4. The Tax Refund Scam
A message from the "IRS" claims you’re eligible for a tax refund and asks for your bank details to process the payment.
5. The IT Support Scam
An attacker poses as your company’s IT support team, asking you to reset your password using a link provided in an email.
As we conclude this year’s awareness month, I sincerely thank you for your active participation. I hope you’ve learned valuable insights and gained a deeper understanding throughout this journey. Let’s meet again next year, November 1st to 30th, for another impactful awareness campaign. See you then.