What is a phishing attack?
A phishing attack is a fraudulent email, text message, or phone call that aims to trick people into sending money or disclosing information, such as a bank account number or password.
To pull off a phishing attack, a hacker pretends to be a legitimate organisation or a person you know or trust. They may ask you to:
- Send personal details or dictate them over the phone
- Complete a fake online form with your credentials
- Download and open an attachment that infects your device with malware
If you give away your information, the perpetrator can sell it or use it to steal funds, access your accounts, or commit identity fraud.
Types of phishing attempts
- Mass phishing: The perpetrator sends the same attempt to many users.
- Spear phishing: The perpetrator targets one person and collects information about them to make the attempt more believable.
Fraudsters sometimes start with mass phishing attempts to extract sensitive information about the company and then use that information to spear-phish employees.
How to recognise a phishing attack
Phishing attacks often look like legitimate communication and can be hard to recognise. The following 5 signs can help you stay safe:
- A company reaches out about your account, but you don’t have a prior relationship with the organisation.
- The sender’s email address or phone number doesn’t match the information on the official website or the one used in previous exchanges.
- The message or call claims that you must act immediately, suggesting consequences like account deletion if you don’t comply.
- The message or email starts with an impersonal greeting, such as “Hello” or “Hi dear.”
- Less sophisticated attempts may contain spelling mistakes in the message copy.
These signs are sometimes not enough to rule out a phishing attempt. For example, a phishing email may look professional, address you by name, and appear to use the company’s actual email address with the help of email spoofing.
How to recognise email spoofing
Email spoofing manipulates email headers to make it appear like the message is coming from a legitimate email address. Attackers may spoof the entire address or only the domain name—the part that comes after the @ symbol.
To check for spoofing, open the email header and:
- Compare the display name and email address
- Compare the from address and reply-to address
If they don’t match or don’t use the same domain name, you may be looking at a spoofing attempt.
Another way to check for spoofing is to select Show Original, View Raw Source, or a similar option (depending on your inbox provider) and inspect the DKIM-Signature header. If the sender is legitimate, the signing domain it lists should match the domain in the sender’s email address. You can also check the Return-Path header to see which domain the message actually came from.
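The header checks described in this section, written up as an added example (not code from the original article): it parses a raw message and reports which of the display name, Reply-To, Return-Path and DKIM signing domain disagree with the From domain. Both sample messages and all domains in them are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (hypothetical domains): the display name impersonates one
# address while the real address, Reply-To, Return-Path and DKIM all differ.
SUSPICIOUS_RAW = """\
Return-Path: <bounce@bulk-sender.example.net>
DKIM-Signature: v=1; a=rsa-sha256; d=bulk-sender.example.net; s=sel1; bh=PLACEHOLDER; b=PLACEHOLDER
From: "support@example-bank.example" <alerts@examp1e-bank.example>
Reply-To: helpdesk@other-domain.example
To: customer@example.org
Subject: Urgent: verify your account now

Please confirm your details within 24 hours.
"""

# Constructed sample of a consistent message: every header uses one domain.
CLEAN_RAW = """\
Return-Path: <bounce@example-bank.example>
DKIM-Signature: v=1; a=rsa-sha256; d=example-bank.example; s=sel1; bh=PLACEHOLDER; b=PLACEHOLDER
From: "Example Bank" <support@example-bank.example>
To: customer@example.org
Subject: Your monthly statement is ready

Your statement is attached.
"""

def domain_of(header_value):
    """Lower-cased part after '@' of the address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def dkim_domain(msg):
    """The d= tag (signing domain) of the DKIM-Signature header, or ''."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return m.group(1).lower() if m else ""

def spoofing_indicators(raw_message):
    """Apply the article's header checks; return a list of mismatch labels."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    findings = []
    # Display name that itself looks like an address on a different domain
    if "@" in display_name and domain_of(display_name) != from_dom:
        findings.append("display-name-domain-mismatch")
    # Replies would go to a different domain than the visible sender
    if msg.get("Reply-To") and domain_of(msg.get("Reply-To")) != from_dom:
        findings.append("reply-to-domain-mismatch")
    # Bounce address (where the message really came from) on another domain
    if msg.get("Return-Path") and domain_of(msg.get("Return-Path")) != from_dom:
        findings.append("return-path-domain-mismatch")
    # DKIM signing domain differs from the From domain
    if dkim_domain(msg) and dkim_domain(msg) != from_dom:
        findings.append("dkim-domain-mismatch")
    return findings
```

An empty list means the headers are consistent, not that the message is safe; a lookalike domain that is used consistently everywhere passes these checks.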
How to protect yourself from phishing attacks
Take the following precautions to reduce your chances of getting scammed:
1. Ignore all suspicious messages or calls
An unexpected email, text message, or call that seems too good to be true is likely a phishing attempt. Avoid taking action (clicking links or downloading attachments) until you’re 100% sure the sender is legitimate, and ignore any intimidation attempts from the sender. If the request is real and urgent, the company will find another way to reach you.
2. Contact the organisation or person directly
If you’re unsure whether the original message was a phishing attempt, contact the company or person to verify. Don’t use the contact information provided by the potential attacker. Source the information from the official website or your contact list.
3. Use updated security software
Security software can protect your device from malware-infected attachments that can steal your data. It can notify you if it detects suspicious activity or flag potentially harmful websites and prevent you from visiting them. Update the software regularly or tick the auto-update box so it’s effective against the latest threats.
4. Back up your data
If you fall victim to phishing, fraudsters can hold your data for ransom, corrupt it, or delete it. To avoid data loss or hijacking, back up your data regularly to an external hard drive or to cloud storage.
5. Turn on multi-factor authentication
Turn on multi-factor authentication wherever possible. In the event that someone obtains your login credentials, they won’t be able to enter your account unless they complete the second step, which may involve:
- Entering a one-time passcode sent to your phone or email
- Answering a personal security question
- Scanning your fingerprint or face
6. Use a password manager
Password managers can autofill your credentials on saved websites. If you land on a fake website, the manager won’t offer the saved credentials because the domain doesn’t match, and because you never type the password by hand, malware on your computer can’t capture it via keylogging.
7. Report phishing attempts
If you receive a phishing attempt, report it as spam to your inbox provider. Some devices may also allow you to report text messages.
You can also:
- Report the phishing attempt to a local authority, such as the Federal Trade Commission (US) or National Cyber Security Centre (UK).
- Inform the company that was impersonated
What to do if you fall victim to phishing
- Log the details of the attack: Inspect the emails or text messages to determine what happened and the information you disclosed. Write down the details, as you’ll need them to report the incident.
- Run a malware scan: If you’ve downloaded any attachments, use security software to scan your device, remove the program, and restore your system.
- Change passwords: Change all affected passwords, especially if you’ve used them on multiple websites. Always use strong and unique passwords.
- Contact your financial institution: If you’ve revealed any financial information or noticed an unexpected transaction, contact your bank immediately. Their customer support team can advise you on the best course of action and help you get a refund.
- Monitor for unauthorised login attempts: Check your inbox and junk mail for notifications of unauthorised login attempts or transactions so you can quickly report them to minimise or prevent damage.
- Contact the credit bureaus: If you suspect identity fraud, place a fraud alert with the credit bureaus to protect your credit score.
Anti-phishing best practices for businesses
Besides the measures discussed above, consider these precautions to protect your company’s sensitive information:
- Don’t share personal information about founders or executives online: Whaling attacks can happen when hackers impersonate an executive to trick an employee into giving up information. Train your staff to recognise a whaling attack, for example by inspecting the sender’s email address.
- Use anti-spoofing protocols: Use protections such as two-factor authentication (2FA), multi-factor authentication (MFA), encryption, and certificate-based authentication to protect your business.
- Follow the data minimisation principle: Limit sensitive data collection and gather only what’s necessary.
- Manage information access: Build a sound permissions infrastructure for all software platforms to limit employee access to only what they need. If an employee leaves a role or the company, revoke their access immediately.
- Have an incident response plan: Prepare for the worst-case scenario and create a system that detects risks and designates a response team to deal with the aftermath of a phishing attack.
- Educate your employees and customers: Teach your employees and customers how to spot phishing, why it’s important, and how to report attempts.