Phishing: Common Types and How to Avoid Falling Victim
By Charlie Luke, Fort Bliss Legal Assistance Office
“Phishing” consists of a fraudulent attempt by a scammer to gain access to sensitive information that could put individuals or entire organizations at risk. A scammer conducting phishing needs only to have an email or phone number to have a potential target. Several different approaches exist that can be used by a scammer in a phishing attempt, but they all require action on the part of the victim to make them work. Therefore, the easiest way to avoid falling into these traps is to know how to spot and ignore them.
“Email phishing” is the most common, and generally comes in the form of a seemingly legitimate message from a company. These messages will often mention issues with certain accounts; typical examples include a request to reset a password or update payment details. Clicking on the links in these emails can sometimes automatically install malware (software that performs harmful attacks on a user’s computer), but more often it redirects to an apparently legitimate site where login information is asked for. Once these details are entered, the scammer can use them to enter the user’s account and subsequently change the login info to lock the original user out. The malware links are even more risky, because clicking on them can automatically give the scammer access to sensitive personal or professional data and puts the entire contents of the computer’s hard drive, or even a shared network drive, at risk.
“Spear phishing” is a more specific form of email phishing and can be even easier to fall victim. A scammer who is spear phishing already knows some details about his or her potential victim, and uses these to create a more personalized, believable email. Whereas general email phishing can be sent on a widespread basis, spear phishing sends a personalized communication to individuals with mention of their name, company, relevant work, etc. These all make the email’s tone appear not only more plausible but also more human and less like an automated message. The biggest indicators that a message could be a spear phishing attempt include that the email is coming from an outside domain or from someone the target has never heard of.
“Whaling” is an even more precise form of email phishing and takes a similar approach to spear phishing but involves fake emails directed at higher-ranking individuals. The email is often sent from an apparent authority figure (usually the superior of the high-ranking official), which often makes the victim more likely to click on the link and try to do the task quickly to please his or her superior. In these cases, it’s always better to double-check through another form of communication with one’s higher-up to make sure he or she actually sent the email. A couple of indicators of whaling could be that the email address looks slightly different than normal, or the request being asked is an unusual one or different from a typical day-to-day task.
Phishing is not limited to emails and can also take place over text messages or over the phone. “Smishing,” or a phishing attempt by text, is very similar to the email attempts and usually tries to trick the victim into clicking a link in the text. “Vishing,” which takes place on a phone call, involves the scammer pretending to be a representative from a bank or other company that claims to need sensitive information in order to fix a problem with the victim’s account. The simplest ways to avoid falling victim to these is to not click on links in text messages – very rarely will a company contact an individual over text and require them to perform some important action. When it comes to vishing, it is even easier: simply do not give out sensitive information over the phone to a number that has initiated the call. A bank or other organization will never ask for this information over the phone, except perhaps as verification for an individual who reaches out first.
If someone does fall victim to a phishing scheme, there are several actions that must be taken. First, attempt to change the password for whatever account the information has been stolen. Also, the bank should be contacted, and accounts should be put on hold temporarily to prevent criminals from using saved credit card information to purchase things. If a computer has been compromised with malware, disconnect from the internet immediately and, if this experience occurs at work, report it up the chain of command and to any network or IT specialists within the organization. If any identity theft or loss of currency has occurred, report it to the police.
Phishing has been a problem to corporations and individuals for some time, and the potential threats seem to be increasing. Many more complex forms of phishing exist, but those listed above are some of the most common. The best policy is to always be cautious when using the internet or other potentially risky forms of technology. The easiest way to avoid falling into the trap is to make a rule of not clicking links in emails or texts unless they are from a trusted and verified source. Most emails that seem suspicious in any way can be ignored. If they are truly legitimate, the sender can reach out in another way to ask again.
If you have any further questions on this topic and want to speak with an attorney, please schedule an appointment with the Fort Bliss Legal Assistance Office by either calling (915) 568-7141 during office hours or emailing usarmy.bliss.hqda-otjag.mesg.bliss-legal-assistance-office@mail.mil anytime.