What is Phishing and How Does It Work?
- Shazia Peeran
- Jun 7, 2022
- 6 min read

These days, every time someone has any kind of online account compromised, they tend to say they’ve been “hacked.” However, while hackers certainly do exist, that’s not how this kind of attack happens in most cases.
It’s much more likely that the person who says they were hacked was tricked into letting cybercriminals access their accounts. Phishing is one of the ways that they do this. Here’s what you need to know.
What Is Phishing?
Phishing is a type of cybercrime where criminals access various online accounts that don’t belong to them by using deceptive methods. Usually, this means that you receive an email from a fake account or from one that is cloaked. Sometimes it also means using malicious software like Trojans, keyloggers or ransomware, which is usually also sent in an email.
The goal of phishing is to convince the recipient of a fake email that it is genuine and to have them take some kind of action – whether that’s following a link in an email that says your account has been compromised or opening an attachment containing malicious code.
How Phishing Works
There are undoubtedly genuine hacks out there – where highly skilled hackers break into websites and servers directly and take user data that way. But that requires an enormous amount of skill, and most large companies have dedicated security departments that work night and day to stop these kinds of attacks.
This means that it’s much easier for cybercriminals to trick individuals into handing over access to their accounts. This can be done in several ways, but the goal is always to fool you into handing over your information.
What Are Different Methods of Phishing?
Cybercriminals use a variety of methods to get access to your accounts. Once they do, they might go as far as taking it over completely, locking you out and even making changes to the phone number and email associated with the account.
Link Based Phishing
One method these criminals use to access and often take over your online accounts is to send you a fake customer service email. This email will usually say that there’s been a problem with your account, a security breach, or to confirm an order that you did not place.
The email you receive might look like it came from the actual company, either because they are using a method called spoofing or because they are using a very similar domain name.
There will be a link or button in the email with instructions to follow it and take some kind of action – whether it’s changing your password, confirming the supposed order or something else.
However, the provided link does not lead to the actual website but rather to a fake site set up by the criminals, where they can capture your password and account information and take it over.
Sometimes, cybercriminals will even try to do this with your email accounts. If you follow the instructions, they will have access to not only your email account but also all the sites that send password reset requests to that email account!
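Here is a small added example (not code from the original post) that applies the two warning signs described above to the links in an email body: a link whose visible text names one site while the real href goes somewhere else, and an href whose domain only resembles, or merely contains, a brand's real domain. The trusted-domain list and the sample email are constructed for illustration; the edit-distance and "last two labels" helpers are deliberately simple stand-ins for what a real mail filter would do.

```python
"""Added example, not from the original post: a small link checker that
applies the section's two warning signs to the anchors in an email body,
namely a visible link that differs from where the href really goes and an
href whose domain only resembles (or merely contains) a brand's real domain.
TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: the domains this reader actually has accounts with.
TRUSTED_DOMAINS = {"paypal.com", "apple.com", "examplebank.com"}

# Constructed email body with one look-alike link, one genuine link and one
# link that hides a trusted name in a subdomain of an unrelated domain.
SAMPLE_EMAIL = """
<p>We noticed a problem with your account. Please confirm your details.</p>
<a href="http://paypa1.com/login">https://www.paypal.com/login</a>
<a href="https://www.apple.com/support">Apple Support</a>
<a href="https://examplebank.com.account-verify.net/reset">Reset your password</a>
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 away from a trusted domain counts as a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (a rough stand-in for the registrable domain)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collects (visible text, href) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_link(text: str, href: str) -> list[str]:
    """Return human-readable warnings for one link; an empty list means nothing was flagged."""
    warnings = []
    target = urlparse(href)
    host = (target.hostname or "").lower()
    domain = registered_domain(host)

    if target.scheme != "https":
        warnings.append(f"not HTTPS: {href}")

    # The visible text names a trusted site but the href goes elsewhere.
    mentioned = sorted(d for d in TRUSTED_DOMAINS if d in text.lower())
    if mentioned and domain not in TRUSTED_DOMAINS:
        warnings.append(f"text shows {mentioned[0]} but link goes to {domain}")

    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            # A trusted name used only as a subdomain of an unrelated domain.
            if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
                warnings.append(f"{trusted} appears only as a subdomain of {domain}")
            # A domain one or two characters away from a trusted one (e.g. paypa1.com).
            elif edit_distance(domain, trusted) <= 2:
                warnings.append(f"look-alike domain: {domain} resembles {trusted}")
    return warnings


def scan_email(html: str) -> list[tuple[str, list[str]]]:
    """Run check_link over every anchor in an HTML email body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, check_link(text, href)) for text, href in parser.links]


if __name__ == "__main__":
    for href, warnings in scan_email(SAMPLE_EMAIL):
        print(href, "->", warnings or "ok")
```

Run as-is, the first link is flagged three times (plain HTTP, visible text says paypal.com, domain one character from paypal.com), the genuine Apple link passes, and the third is flagged because examplebank.com is only a subdomain of account-verify.net. The same idea underlies the "hover over the link before clicking" advice: what the browser will actually open is the href, not the text.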
Text-Based Scams
You used to only have to worry about phishing on your computer, but these days, phones and tablets are vulnerable too!
Some of the more common scams involve text messages stating that your iPhone or Apple password has changed. This is followed by a call from a number that looks like it belongs to an Apple store or department. The person on the call will ask if you’re in a different location, and when you say no, they will send you a one-time password (OTP).
Once you’ve given them this OTP, they can log in to your account, and if you have a linked crypto account, they can even steal your NFTs or coins.
Executable Files
Executable files are another phishing method that is used very often for a variety of phishing scams.
Sometimes, these files contain keyloggers or digital “backdoors” that give cybercriminals direct access to your computer. Sometimes, it’s ransomware that captures and holds your files for ransom (and can give whoever controls it access to your passwords and personal data), and sometimes it’s something else, like a worm that uses your email account to send out more phishing emails.
Executable files can sometimes be hidden inside legitimate seeming documents and attachments, too, so you can’t always tell what you’re opening.
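As an added illustration (not code from the original post), here are two checks a mail gateway or a cautious reader can apply to an attachment before opening it: comparing the file's real type, read from its leading bytes, with what the name claims, and catching a document-looking name that hides a second, executable extension behind it. The signatures are the published ones for those formats; every file in the sample set is a constructed byte string, not a real attachment.

```python
"""Added example, not from the original post: two checks on an email
attachment. The first compares the file's real type, read from its leading
bytes, with what the extension claims; the second catches a document-looking
name with a second, executable extension behind it. Every entry in SAMPLES is
a constructed byte string, not a real attachment.
"""

# Published leading-byte signatures of common formats.
MAGIC = {
    b"MZ": "windows-executable",
    b"\x7fELF": "elf-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",  # .docx/.xlsx/.pptx are zip files too
    b"\xff\xd8\xff": "jpeg",
}

# What the last extension promises, where the promise can be checked above.
EXPECTED_KIND = {
    "exe": "windows-executable", "scr": "windows-executable",
    "pdf": "pdf", "docx": "zip-container", "xlsx": "zip-container",
    "zip": "zip-container", "jpg": "jpeg", "jpeg": "jpeg",
}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi", "hta"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg", "png"}

# Constructed samples: a genuine PDF, a program with a double extension, a
# program renamed to look like a PDF, a genuine Office file, and two programs
# renamed to look like a photo and a text file.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "statement.pdf": b"MZ\x90\x00\x03\x00\x00\x00",
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "photo.jpg": b"MZ\x90\x00\x03\x00\x00\x00",
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00",
}


def sniff_type(data: bytes) -> str:
    """Identify the content by its leading bytes, or return 'unknown'."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def extensions(filename: str) -> list[str]:
    """Every extension in lower case: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    return [part.lower() for part in filename.split(".")[1:]]


def assess_attachment(filename: str, data: bytes) -> list[str]:
    """Return warnings for one attachment; an empty list means nothing was flagged."""
    warnings = []
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    kind = sniff_type(data)

    if last in EXECUTABLE_EXTENSIONS:
        warnings.append(f"executable extension .{last}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last in EXECUTABLE_EXTENSIONS:
        warnings.append(f"document extension .{exts[-2]} hides executable .{last}")

    # Name and content disagree: the extension promises one format, the bytes say another.
    expected = EXPECTED_KIND.get(last)
    if expected and kind != "unknown" and kind != expected:
        warnings.append(f"named .{last} but content is {kind}")
    elif expected is None and kind.endswith("executable") and last not in EXECUTABLE_EXTENSIONS:
        warnings.append(f"content is {kind} but extension .{last or '(none)'} is not executable")
    return warnings


def scan_attachments(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Assess every (filename, bytes) pair and return the warnings per file."""
    return {name: assess_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, warnings in scan_attachments(SAMPLES).items():
        print(name, "->", warnings or "ok")
```

The genuine PDF and Office file pass; the double-extension file is flagged twice, and each renamed program is flagged once because its first bytes identify it as an executable regardless of what the name says. Windows hides known extensions by default, which is exactly why "invoice.pdf.exe" can appear as "invoice.pdf" in a mail client.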
Page Hijacking
Sometimes, when cybercriminals start a phishing project, they divert traffic from a legitimate site to their own fake version of the site. It’s not always easy to see when this has happened, but there are usually some signs that things might not be correct. A different URL or web address in the address bar, and the absence of the small padlock that indicates a valid SSL certificate, are two signs that things aren’t what they seem.
If you’re taken to a page you weren’t expecting to reach when you follow a link, that’s another sign there might be something wrong. In this case, assume the worst, and avoid doing whatever you were planning to do.
Social Engineering
The last kind of phishing we’re going to talk about is what is known as social engineering. This usually uses a trusted entity like a government department or even a tax authority to “scare” people into following instructions.
These days, many of these kinds of scams are done over the phone, spoofing phone numbers and convincing victims to deposit money into an account to avoid legal action or arrest.
How to Stay Safe
Phishing is one of the most insidious and hard to prevent types of cybercrime, but there are ways that you can protect yourself and your online accounts from these kinds of attacks. Here are a few simple ways to stay safer online and off:
- Look closely at any emails you receive – anything that seems out of the ordinary, like poor spelling and grammar, low-quality logos and images, or email addresses that are slightly different from the site they’re supposed to be from, is a red flag
- Never follow a link in an email that says there’s a problem with your account – this is almost always an attempt to capture your account information – rather, type the website address into your browser yourself and contact site support there
- Make sure that you have antivirus and antimalware software on your computer and that you keep it up to date and activated
- Never give anyone any passwords, user information or one-time passwords by email or over the phone – you should only ever use these kinds of two-factor authentication if you set them up yourself and if you’ve gone to the site yourself
- Change your account passwords often, and use secure and hard to guess passwords – if cybercriminals get into one account, they can usually access more, and before you know it, your identity has been stolen
- Use a prepaid credit card or third-party processor like PayPal to make online purchases – this keeps your banking information private, and you can dispute fraudulent charges if they do happen
- Avoid doing online quizzes and games where you have to share information from social media accounts and similar – these might give someone with less than honest intentions information they can use to trick you
- Use an email client that has a good spam filter – most will catch many of the phishing emails that are sent out en masse, so you don’t have to decide if they’re legit or not
- Always assume that you’re at risk when you are online – never assume any site or form is safe, and if you have any doubts, contact the site or company directly
- Don’t forget that phone numbers can be spoofed too! Banks and websites usually won’t ask you to log in from a link in a text – so don’t follow them if you get them!
- If you receive a phishing email from a genuine person, there’s a good chance their email account is compromised too. Don’t follow any instructions, but let them know that there might be a problem with their account so that they can take appropriate action
- Never agree to pay for any service by means of gift cards or similar – no legitimate company or organization will ask you to do this, and it’s a huge red flag!
Unfortunately, the more we do online, the more attractive we are to people who would like to take over our accounts, take our money, or use our personal information for their own purposes.
You always need to be vigilant, and if you’re ever in doubt about whether something is safe, assume it’s not. It’s better to have to do things the hard way than to give away your information.
Phishing won’t be going anywhere anytime soon because there are still so many people who do fall for these scams and schemes. However, we can get better at spotting these scams. Make sure that you also report any suspected phishing emails to your email service provider, so they can take steps to address the problem.
Stay vigilant, and always take your time to read and consider the validity of any email or text you get.