Phishing is, in its simplest definition, the attempt to bait a victim with a fake email, text, social-media or instant message that looks legitimate. Once convinced, the victim shares private information that the attacker can use in a variety of malicious ways, including identity theft, stealing credentials and accounts, changing passwords, and taking personal or financial information either for misuse or for sale.
Phishing can also be used to infect your device with malware so that threat actors can steal additional information later or carry out other malicious actions. The important thing to remember is that phishing scams want to appear legitimate: they will seem to come from someone you know or a company you do business with, and they will often include an attachment or a link that leads to a malicious website or download.
Phishing doesn’t just occur over email, either. You may have heard of ‘smishing’ or ‘vishing’: the first is SMS text-message attacks, usually sent to thousands of numbers at a time; the second is voice-call attacks. These are usually automated phone calls that invite you to press through to someone who can “help.”
Another term you may have heard is ‘spear phishing’, an attack that targets specific people, either a small group or just one person. Spear-phishing messages are tailored to the victim’s specific situation or experiences, mentioning co-workers or company business so that the message seems both legitimate and urgent.
A sense of urgency is common in phishing attacks, whether it's a text message claiming you have a lost package and need to click a link to get it delivered properly, an email that seems to come from inside your company claiming there is a payroll issue, or a phone call claiming to be from a government agency like the IRS and saying you’re in trouble for unpaid taxes.
How you can stay safe
The best way to avoid getting phished is to know the common techniques and to give personal information only to legitimate websites and companies. Never click on an unexpected link or attachment; if you know the sender, contact them directly to confirm what they sent and why before clicking through.
If a company contacts you about an urgent matter regarding your account, don’t click anything in the email, text or message. Instead, go directly to the company’s website by typing its web address manually into the browser’s address bar and entering your login details yourself. This way you can make sure you’ve got the company name spelled correctly; a common phishing technique is to misspell a company name, for example with a “0” in place of an “o.”
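The spelling check described above can be automated. The following is an added example, not code from the original article: it takes a link from a message, extracts the host name, and reports whether it is a domain you actually use, a look-alike of one (digits swapped for the letters they resemble, such as “0” for “o”), or something unknown. The trusted-domain list, the confusable-character table and the sample links are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed list of domains the user genuinely does business with (assumption).
TRUSTED_DOMAINS = {"example.com", "online-bank.example"}

# Digits commonly substituted for the letters they resemble; illustrative, not exhaustive.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def host_of(url: str) -> str:
    """Return the lower-cased host part of a link, ignoring scheme, path and port."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_trusted(host: str) -> bool:
    """True only if the host is a trusted domain or a subdomain of one.

    The suffix check uses a leading dot so that 'example.com.evil.test'
    does not pass as a subdomain of 'example.com'.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_link(url: str) -> str:
    """Classify a link's host as 'trusted', 'lookalike' or 'unknown'."""
    host = host_of(url)
    if is_trusted(host):
        return "trusted"
    # Undo the digit-for-letter swaps and see if the result is a trusted domain.
    normalized = host.translate(CONFUSABLES)
    if normalized != host and is_trusted(normalized):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing message.
    for link in ("https://www.example.com/login",
                 "0nline-bank.example/verify",
                 "https://example.com.evil.test/"):
        print(f"{link} -> {classify_link(link)}")
```

A "lookalike" verdict means the link spells a domain you use with substituted characters, which is exactly the case where typing the address yourself instead of clicking is the safe choice.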
Maintain best practices with your online accounts. Never reuse passwords, and remember that a password manager can help keep your passwords secure. Use two-factor authentication whenever it is offered. Keep one of the best antivirus software programs installed, updated and running on all your devices, both your PC and your mobile device; we have recommendations for the best Android antivirus apps if you don’t already have one. For added protection, choose an antivirus program that includes a VPN or offers a hardened browser as an extra layer of security.