A phishing scam is not only about stealing your login credentials, but it can also install malware, including ransomware, which is why it is essential to learn how to tackle this growing threat.
The number of phishing scams reported in the first quarter of 2022 set a new record of over one million total attacks, according to a report by the Anti-Phishing Working Group.
And the scams have been growing fast in recent years. The number of attempts reported in the first quarter of 2022 is more than triple the average numbers just two years before, in early 2020.
With so many attacks underway—and growing by the day—what’s the best way to recognize these scams and prevent them? We’ll look at how to recognize and protect yourself from the most common types of phishing fraud. Meanwhile, you can also learn how to detect phishing images in an email.
Most prevalent types of phishing scams
Phishing today refers to a type of scam that steals people’s personal information by posing as a trusted third party. For example, a scammer might pretend to be a government worker to get you to share your Social Security number or pretend to be from your bank to get you to share account details.
With so many communication channels today, there are more phishing methods than ever before. And scammers have adapted to each type of channel by leveraging trust signals inherent to each one.
This can make it hard for the untrained eye to spot a phishing scam and even difficult to recognize if you’ve been hacked after falling for an attack. The first sign that tips off most victims is an unexpected charge, damaged credit score, or depleted bank account.
Here are the six most common types of phishing scams and how to protect yourself.
1. Email scams
Anyone can fall for an email scam; this U.S. judge did. By far the most common type of phishing attack is via email. You’re probably familiar with the spam emails we all get on a day-to-day basis, but the most sophisticated phishing attacks look very different.
These emails often look identical to official messages and notifications, including the company’s logo and exactly the same content as a real message. For example, one of today’s most common scams is a message notification from LinkedIn that’s almost impossible to tell apart from the real thing.
How to protect yourself:
- Never click on links in emails. Instead, visit the official site.
- Beware of email addresses that aren’t from the business domain, especially if the address is from a free provider like Gmail.
- Disable automatic image loading, as this can let scammers know you’ve seen the message.
2. Voice phishing (vishing)
Another common method fraudsters use to trick victims is over the phone. These calls usually claim to have a one-of-a-kind offer or urgent, life-threatening warning.
Most scammers use a VoIP phone system that lets them change the phone number, meaning the call appears as though it’s from a local number even if it’s not.
How to protect yourself:
- Never answer calls from numbers you don’t recognize, even if it has a local area code.
- Don’t return calls from numbers. you don’t recognize (one type of scam collects expensive per-dial and per-minute fees, hoping you’ll call back).
- Remember that most U.S. government agencies, including the IRS, Medicare, and the Social Security Administration, almost never call by phone and do not have the power to arrest you.
3. Phishing websites
One of the most common destinations for phishing scams is a fraudulent site that looks like the official website. The cloned site will often be identical to the real page, using the company’s logos, color scheme, and fonts.
After establishing trust with the design, the site will ask you to share personal information, anything from your email and password to your Social Security number or bank account details. For example, this attack impersonating American Express used an email message and web page almost impossible to tell apart from the real brand.
How to protect yourself:
- If you get a message with a link—even if it looks trustworthy—go to the official site instead.
- Check the URL of a website to make sure it’s correct. (You’ll notice the American Express phishing page above comes from a site other than AmericanExpress.com.)
- Don’t automatically trust an HTTPS connection. The “green padlock” icon is an important trust signal, but it doesn’t mean a site is safe. Hackers can use them on phishing sites, too.
4. SMS text message scams (smishing)
Text messages don’t have much space for the scammer’s message, but that hasn’t stopped criminals from trying new tactics to trick innocent victims. The goal of most SMS scams is to get you to click on a link or make a call, so immediately be suspicious of any message with a link or number (though of course, some legitimate messages have these as well).
One of the most common ruses right now with text scams is, ironically enough, helping to protect you from scams. You’ll often see a message “confirming” an expensive purchase or withdrawal, directing you to a number or link to cancel or investigate. There is nothing to cancel or investigate, but the scammer will pretend to resolve the situation by collecting your personal data for a future attack.
How to protect yourself:
- Don’t trust texts from numbers you don’t recognize. Instead, visit the official site.
- Beware of texts that use vague terms like “your bank” or “package service.” Scammers use these (instead of actual company names) so the message can apply to anyone.
- Don’t reply to scam messages, even unsubscribe. This only confirms you have an active number and will result in more attacks.
5. Social media phishing
Social media has become one of the more recent additions to the phishing repertoire. Scammers reach out either using a fake lookalike account or a compromised account.
One common ruse is a friend reaching out for help, usually with an authentication code. But it’s not a friend—it’s a scammer who’s taken over their account and is trying to take over yours. Another ruse is a message from someone posing as the official company support account, asking you to provide information to verify you’re the authentic owner or to keep your page active.
How to protect yourself:
- Beware of anyone who reaches out and asks for personal information or verification codes, even if they appear to be coming from a friend.
- Don’t respond to messages from “official” accounts. If you’ve received an alert from the social networking site, it’ll usually appear in your account settings.
- Don’t ever share your social media password with a third-party website.
6. Man-in-the-middle attack
This type of phishing scam requires the attacker to be nearby but can be one of the most dangerous because it’s almost impossible to detect. It works when you and the attacker are on the same Wi-Fi network, like at a coffee shop or airport. The attacker intercepts everything you send and receive and can redirect your browser to safe sites to look-alike sites without you knowing.
Once the attacker has set up a man-in-the-middle attack, they can see almost all the information you share, including usernames, passwords, credit card details, and more.
How to protect yourself:
- Never use public Wi-Fi networks. A better option is to connect to a hotspot from your cell phone, which has a secure and private connection.
- If you have to use public Wi-Fi, turn on a VPN. This can protect you against most types of man-in-the-middle attacks and safeguard your personal details.
How to prevent phishing
Every type of phishing requires a slightly different method to spot, and scammers are constantly developing new methods that leverage our weaknesses. But there are a few common warning signs you can look for across different types of phishing attacks.
- Unfamiliar senders. Emails, texts, or calls from people you don’t recognize are automatically suspect.
- Poor spelling or grammar. Major corporations pay careful attention to small details like this. Scammers, on the other hand, don’t usually worry about a few typos and often use poor English.
- Urgency and threats. Scammers demand immediate action or scare you using intimidation tactics, like arrest or deportation, so you don’t recognize warning signs of a scam.
- Unusual payment methods. Phishing scams often take the opportunity to charge a “fee” for a service but will only accept forms of payment like gift cards, money orders, or cryptocurrency. Legitimate businesses use other methods.
What to do if you’re a victim of phishing
You’ve learned how to protect yourself from phishing scams, but what if you’ve already fallen victim? If you know you’ve shared information with a scammer, here’s what you should do, based on what information you’ve shared.
- Credit or debit card details. Call the issuing company and have the card canceled immediately. Ask to reverse or dispute any fraudulent charges.
- Login details or passwords. Log into the compromised account, change the password, look for an option to close all active sessions, and add two-factor authentication if possible. Do the same for any other accounts using the same password.
- Medical insurance information. Call your insurance company and any impacted companies, explain the fraud, and dispute any fraudulent charges.
- Social Security number. Set up a credit freeze at each of the three credit bureaus (Experian, Equifax, and TransUnion). This prevents anyone from requesting credit in your name.
- Name, email, date of birth, or other information. Keep a close eye on your accounts for signs of identity theft.
No matter what kind of information you’ve shared, it’s always a good idea to report the fraud to the Federal Trade Commission at IdentityTheft.gov. Filing the report helps protect others, gives you documentation of the attack, and will provide you with recovery steps specific to your situation
Conclusion
Phishing attacks are on the rise, and scammers are developing even more intricate scams all the time. But if you know the most common warning signs and stay vigilant, you can protect yourself and take quick action in case you’ve been compromised.