Tips to avoid phishing scams


Phishing scams, in which cybercriminals impersonate trusted entities to steal sensitive information like login details and credit card numbers, are a major digital headache. These scams vary from email phishing to more targeted spear phishing, affecting countless individuals and businesses. Advanced tactics, including AI-crafted messages with personal details taken from public data, make these attacks increasingly convincing.

The challenge is further compounded by deepfake technology. It allows scammers to convincingly impersonate well-known people through realistic audio or video, tricking even the most vigilant people. As phishing continues to evolve, understanding and recognizing these sophisticated methods is crucial for everyone. Private individuals and IT professionals need to protect their sensitive information and maintain online security. Keep reading to learn essential tips to identify and prevent these deceptive attacks effectively.

Understanding phishing scams: the most common types

Human psychology has a curious blind spot regarding security and personal data. Many of us operate under the assumption that our information isn’t valuable or that cyber threats don’t concern us – until it’s too late.

Phishing remains a prevalent cyber threat where attackers disguise themselves as legitimate entities to steal sensitive information such as login details and financial data. To put it into perspective, the FBI reported over 298,000 phishing complaints in a single year, making it the most reported type of cybercrime, accounting for approximately 34% of all complaints​. Furthermore, cybercrime has significant economic implications. The FBI reported that potential losses exceeded $12.5 billion from various internet crimes, with phishing being a significant contributor​.

Common types of phishing include:

1. Email phishing

Scammers send emails that appear to come from trusted sources to trick users into revealing personal information.

For example, in a well-documented case, attackers impersonated PayPal in an email, warning users about "danger from unauthorized users" on their accounts. The email contained a link to a fake login page that looked identical to the official PayPal site. Victims who entered their login credentials unknowingly handed them over to the threat actors.

[Image: PayPal scam email letter]

You can tell that this is a phishing email because the sender's address is not from PayPal's official domain. It uses a generic greeting ("Dear PayPal customer"), creates urgency with a 24-hour deadline, and contains grammatical errors. If you hover over the “Confirm Your Information” button, you can see that it leads to a fake site. Legitimate PayPal emails address you by name.

2. Spear phishing

What sets spear phishing apart from generic email phishing is the focus on personalized emails targeting specific individuals. During these attempts, attackers often impersonate trusted entities such as workplaces, software publishers, educational institutions, healthcare providers, or even your loved ones, aiming to deceive victims into revealing sensitive information or clicking on malicious links.

[Image: Apple scam phishing email letter]

In this example, we can see that they got the name right, but how can you tell if this is a phishing attempt? The sender's email address ("supp0rt") is suspicious and mimics Apple's domain. Also, Apple never asks for credentials via email. The generic greeting and urgency ("within 24 hours") are also red flags.

3. Whaling

In essence, whaling is very similar to spear phishing in that it’s highly personalized. What distinguishes whaling from spear phishing is the target: this form of cyberattack goes after high-profile individuals within organizations, typically senior executives.

For example, in 2018, France's leading cinema group Pathé lost €19.2 million when attackers, impersonating the CEO, emailed the company executives requesting fund transfers to accounts in Dubai. The fraudulent emails led to significant financial loss and the resignation of top executives.

Another notable example happened in 2016 when a whaling attack targeted a major European aerospace company. The cybercriminals impersonated the CEO and instructed a senior accountant to wire €50 million for an “urgent acquisition.” The accountant complied, believing the email was genuine. This resulted in a significant financial loss.

4. Smishing

Smishing involves cybercriminals using fraudulent SMS (text messages) to trick victims into revealing personal information, clicking malicious links, or calling fake support numbers, often under the guise of urgency or rewards.

Common examples include fake package delivery notifications claiming delays and prompting victims to provide personal or payment information, bank alerts warning of unusual activity and redirecting to phishing pages, and tax refund scams tricking users into revealing sensitive details like Social Security numbers for fraudulent claims.

[Image: Example of USPS phishing scam]

How can you tell it’s fake? USPS does not contact recipients or request address confirmation this way. The link is not on usps.com, and the request to reply with "Y" aims to bypass message protections. If you receive such a message on an iOS device, hit "Report Junk" so Apple can improve phishing detection and block similar scams.

5. Vishing

Vishing (voice phishing) involves scammers impersonating trusted people or companies over phone calls to extract sensitive information like passwords or financial details. It often uses fear or urgency to manipulate victims.

These scams frequently target individuals by impersonating loved ones in distress, exploiting emotions to deceive victims into sharing sensitive information or transferring money.

[Image: Real depiction of vishing scam in progress]

But in recent years, AI has turned vishing into a chillingly "Black Mirror"-esque reality. One notable example is when scammers used deepfake technology coupled with AI to clone a company chief financial officer’s voice, duping an employee into transferring $25 million.

6. Quishing

Quishing, despite its suggestive name, isn't a risqué activity but a serious cyber threat: phishing delivered through QR codes.

[Image: Quishing illustration]

In recent years, cybercriminals have placed fake QR codes on restaurant tables and parking meters. When scanned, these codes lead users to counterfeit payment sites designed to capture credit card details.

The Microsoft 2024 Digital Defense Report highlights a staggering number of identity attacks. Over 99% of the 600 million daily attacks involve attempts to steal passwords, and Microsoft is actively blocking thousands of ransomware and phishing attempts every second. This showcases the ongoing and widespread nature of these threats.

According to the UK Cyber Security Breaches Survey, phishing is also the most common type of cybercrime within businesses – 90% of companies and 94% of charities that experienced cybercrime reported phishing incidents​.

How phishing works

Phishing relies on social engineering and spoofing to trick individuals. Recent tactics include using AI-generated messages and deepfake technology to create convincing audio or video, making fake requests feel more legitimate. Cybercriminals may also use AI to personalize phishing emails based on publicly available information, crafting messages that feel relevant to their targets.

To better understand the mechanisms behind phishing and its real-world consequences, below is a table with some of the techniques that cybercriminals use and their descriptions:

| Technique | Description |
|---|---|
| Impersonation | Scammers create emails or websites that mimic legitimate entities to make recipients believe the communication is authentic |
| Urgency creation | Attackers craft messages that convey a sense of urgency or fear, prompting hasty actions such as clicking on a malicious link |
| Email and website spoofing | Embedding malicious links in seemingly legitimate emails that lead to duplicated websites designed to harvest user credentials |
| Attachment scams | Distributing malware through seemingly innocuous attachments that can compromise the recipient’s data when opened |
| Targeted spear phishing | Highly personalized attacks aimed at specific individuals or organizations to increase the likelihood of success |
| Smishing and vishing | Using deceptive SMS and calls, attackers impersonate trusted sources to request personal information under urgent pretenses |

It’s important to note that today’s phishers can integrate AI into their schemes, a significant evolution that makes attacks more convincing. Threat actors use AI to create emails that mimic the style and tone of trusted sources and sometimes even incorporate details from publicly available information or breached databases. According to Microsoft, AI-generated phishing messages are becoming more common, making it increasingly difficult for individuals and spam filters to detect phishing attempts.

Moreover, cybercriminals use advanced tools to automate and scale their attacks. These include phishing kits, which are pre-packaged with the files needed to launch a phishing website. These kits make it easier for even low-skilled criminals to initiate effective scams.

To combat these threats, individuals and organizations must remain vigilant, skeptical of unsolicited communications, and proactive in employing advanced security measures.

Tips to avoid phishing scams

Phishing attempts can occur at any time and are personalized, making them more challenging to detect. As such, it's important to always verify certain elements when you receive any communication. In the table below, I’ve listed types of phishing with some of the red flags and also explained how to detect and react to them effectively:

| Type of phishing | Red flags | How it works | How to react |
|---|---|---|---|
| Email phishing | Generic greetings, urgency, misspelled URLs, strange links, a suspicious sender’s email | Scammers send emails that mimic legitimate people or companies to steal data | Check the sender's email address for mismatches; hover over links to preview URLs; verify with the company/person directly if suspicious |
| Spear phishing | Often imitates a known contact or organization; requests action or confidential information | Targeted emails to specific individuals using personal information to appear legitimate | Double-check the sender’s details against known information; if suspicious, contact the alleged sender through another channel to confirm |
| Whaling | Directed at high-level executives; often involves legal or financial requests; may include fake corporate emails | Targets senior management with requests for large financial transfers or sensitive data | Verify urgent financial requests by speaking directly to the requester via a known phone number, not the one provided in the email |
| Vishing (voice phishing) | Urgent requests for action over the phone, unverifiable caller ID, requests for personal information | Attackers use phone calls to extract personal information directly from the victim | Verify the caller by ending the call and dialing the official number of the organization they claim to represent |
| Smishing (SMS phishing) | Text messages containing links to supposedly urgent updates or deals, requests for personal info | Sends SMS with links leading to phishing sites asking for personal or financial details | Confirm the legitimacy of the message by contacting the sender's organization through official channels before responding |
| Quishing (QR code phishing) | QR codes in public or unexpected digital places that lead to login pages or requests for personal data | QR codes direct to malicious sites that mimic legitimate login pages to steal credentials | Before scanning a QR code, ensure it is from a trusted source; scan with an app that previews URLs |
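To show how the email red flags in the table translate into mechanical checks, here is an added example (not from the original article) that parses a constructed message modelled on the PayPal lure above and reports the sender-domain mismatch, the generic greeting, the urgency wording and the link whose real destination differs from its label. The brand allow-list, the lookalike domains and the sample message are all constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the PayPal lure described above (not a real message).
SAMPLE_EMAIL = """\
From: PayPal Service <service@paypa1-secure-login.com>

<html><body><p>Dear PayPal customer,</p>
<p>We detected danger from unauthorized users. Confirm your information
within 24 hours or your account will be suspended.</p>
<a href="http://paypal.com.account-verify.example/login">Confirm Your Information</a></body></html>
"""
# Brands and the domains they legitimately send from (an assumed allow-list for this example).
KNOWN_BRANDS = {"paypal": {"paypal.com"}, "apple": {"apple.com", "email.apple.com"}}
CHECKS = [  # wording red flags from the table: generic greeting, artificial urgency
    (re.compile(r"\bdear\b[^,<\n]{0,20}\b(customer|user|member)\b", re.I), "generic greeting instead of your name"),
    (re.compile(r"\b(within 24 hours|immediately|urgent|suspended|limited)\b", re.I), "artificial urgency or deadline"),
]

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what hovering over a button reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    return ".".join(host.lower().split(".")[-2:])  # crude stand-in for a public-suffix lookup

def red_flags(raw):
    """Return the red flags found in one raw email (headers plus HTML body)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    # Which brand does the message claim to come from? (display name or lookalike domain)
    brand = next((b for b in KNOWN_BRANDS if b in display.lower() or b in sender_domain), None)
    flags = []
    if brand and registrable_domain(sender_domain) not in KNOWN_BRANDS[brand]:
        flags.append(f"sender domain {sender_domain} is not an official {brand} domain")
    flags += [reason for pattern, reason in CHECKS if pattern.search(body)]
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if brand and registrable_domain(host) not in KNOWN_BRANDS[brand]:
            flags.append(f"link '{text}' actually goes to {host}")
    return flags
```

Running `red_flags(SAMPLE_EMAIL)` lists all four flags for the lure, while a message from the real domain, addressed by name and linking back to that domain, yields an empty list.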

Back in the day, it was a common practice for individuals to reset their account passwords simply by clicking a "Forgot Password" link and answering a personal question, like "What's your mother's maiden name?" or "What was your first car?" Unfortunately, this method was far from secure. Clever attackers could answer these questions through a quick internet search or by mining social media platforms, exploiting users’ oversharing habits.

While the general public's security awareness has been slow to catch up, the technologies for protecting online identities have made significant strides. To further protect yourself against phishing, here are some practical steps to integrate into your daily digital routines:

  • Use strong antivirus and anti-phishing software. Tools like Norton, TotalAV, and Bitdefender deliver wide-ranging protection with automatic updates to defend against the latest threats. Real-time scanning also helps by catching threats in the act.
  • Use smart password practices. Effective password management is crucial, and tools like NordPass can help by securely storing and organizing your passwords. It also generates strong passwords and auto fills them on websites and apps. Password managers simplify keeping multiple passwords and make it easier to update them regularly.
  • The most effective way to prevent phishing attacks is implementing two-factor authentication (2FA). Adding an extra layer of security to all of your accounts makes a big difference. Two-factor authentication combines something you know (your password) with something you have (a code from your phone) to significantly reduce the risk of unauthorized access. Use an authenticator app like Google Authenticator or Authy instead of SMS codes, which are more susceptible to interception. On most services, you can activate your 2FA by following these steps:
  1. Log in to your account. Go to account settings or security settings and look for the 2FA option
  2. Choose a 2FA method. Use an authenticator app like Google Authenticator or Authy to scan a QR code or enter a key and verify with the generated code, or set up a USB, NFC, or Bluetooth security key by following the on-screen instructions
  3. Verify your email. Enter the code sent to your email for confirmation
  4. Save backup codes. Download or store backup codes securely in case you lose access to your primary method
  5. Test and secure. Log out and try logging in with MFA enabled
  • Use your email's built-in phishing filters. Services like Gmail and Outlook have advanced detection systems that usually flag suspicious emails automatically.
  • Install browser extensions that alert you about risky websites. Tools like Norton or TotalAV are excellent for providing real-time alerts about potentially dangerous sites.
  • Regularly update. Regularly updating your software is essential. Updates often include critical patches that fix vulnerabilities, reducing the risk of exploitation by cybercriminals. By keeping your software up to date, you enhance your defenses against potential phishing attacks.

By integrating these habits into your digital routine, you can significantly enhance your protection against phishing. That being said, it’s not just about having the right tools but also about using common sense and remaining vigilant. Regular vigilance and a bit of skepticism can go a long way in protecting your personal information online.

What to do if you encounter phishing

If you suspect that you have been targeted by a phishing attempt, taking immediate and decisive actions can help minimize potential damage and prevent others from falling victim to similar scams.

  1. Do not engage. First and foremost, do not interact with the content. Do not click on any links, do not download attachments, and do not reply to the message.
  2. Report the phishing attempt.
  • Emails and websites. Report phishing emails to your email provider. Most email services have a Report Phishing option. You can also forward the email to the Anti-Phishing Working Group at [email protected] or to the Federal Trade Commission at [email protected]. Many companies also have dedicated channels for reporting phishing attempts that impersonate them.
  • Notify your supervisor. If you have received a phishing attempt on one of your workplace channels, depending on the organization's policies, you should inform your supervisor or a relevant department (such as IT) so they are aware of potential threats and can assist you in following proper protocols.
  • Quishing. For phishing attempts using QR codes, report them to the impersonated company and avoid scanning unverified codes. Notify your IT department if it’s encountered in the workplace.
  • Smishing. Report smishing attempts to your mobile carrier. Some countries also have dedicated hotlines or online services for reporting SMS-based scams.
  • Vishing. For phone call scams, you can report the number to your phone service provider and, if applicable, to local authorities or consumer protection organizations.
  3. Change your passwords. If you suspect your information may have been compromised, change your passwords immediately. This is especially critical for other accounts that reuse the same username/email and password combination.
  4. Monitor your accounts. Check your financial statements and accounts for unauthorized activity.
  5. Alert your financial institutions. If the phishing attempt involved any financial accounts or there’s a possibility that your financial information was compromised, contact your bank or credit card company to alert them. They can monitor your accounts for suspicious activity and, if necessary, put additional security measures in place.

After dealing with an immediate threat, take some time to educate yourself and others about the dangers of phishing.

Learning how to recognize phishing attempts can help you avoid future scams. For more guidance and to report phishing incidents, visit trusted sources like the Federal Trade Commission (FTC) or the Anti-Phishing Working Group (APWG).

Conclusion

Phishing scams are getting smarter, targeting people through email, SMS, phone calls, and even QR codes. With tools like AI and deepfakes in play, these attacks can feel incredibly convincing. But there’s good news – you don’t have to be a cybersecurity expert to protect yourself. Simple habits like enabling two-factor authentication, using trusted anti-phishing tools, and staying cautious with unexpected messages go a long way. Spotting red flags, like odd-looking URLs or emails urging immediate action, can save you a lot of hassle.

At the end of the day, it’s about being proactive rather than reactive. Equip yourself with the right tools, trust your instincts, and don’t be afraid to ask questions when something doesn’t add up. Scammers rely on panic and haste – so slow down, stay skeptical, and keep your digital life secure.
