The Internet is a network of computers filled with valuable data, so there are many security mechanisms in place to protect that data.
But there's a weakest link: the human. If the user freely gives away their personal data or access to their computer, it's much harder for security mechanisms to protect their data and devices.
A phishing attack is an attempt to trick a user into divulging their private information.
Illustration of a phishing attack. An attacker has a fishing line with a hook through a web browser. The web browser has a password field with "UsersR3alP@ssword" filled in.
An example attack
A phishing attack typically starts with an email that claims to be from a legitimate website, like a banking website or online store:
Screenshot of a phishing email. Subject line says "Your PayPal Access Blocked !". Email is from "PayPal email@example.com". Email body has heading "Your PayPal Account is Limited, Solve in 24 Hours!" and body "Dear PayPal Customer, We're sorry to say you cannot access all the paypal account features like payment and money transfer. Click here to fix your account now. Why is it blocked? Because we think your account is in danger of theft and unauthorized uses. How can I fix the problem? Confirm all your details on our server. Just click below and follow all of the steps. Confirm Account Details Now." There are two hyperlinked parts of the text.
The goal of the email is to obtain private data from the user, so it either asks the recipient to reply with personal information or it links to a website that looks remarkably like the original site:
Screenshot of a phishing website. Web browser shows web page title "Log in to your PayPal account". Address bar shows "paypal--accounts.com". Main area of screen contains login box with PayPal logo: an input field for email or mobile number, a password input field, and a "Log in" button.
If the user is convinced and enters private details on the site, that data is now in the hands of the attacker! If the user filled in login details, they can then use those credentials to log in to the real website, or if the user provided credit card details, they can use the credit card to make purchases anywhere.
Signs of a phishing attack
Fortunately, there are some tell-tale signs of phishing scams.
Suspicious email address
Phishing emails will often come from addresses at domains that don't belong to the legitimate company.
Conversely, a legitimate email address is not a guarantee that an email is 100% safe. Attackers might have figured out a way to spoof the legitimate email address or hacked their way into control over the actual email.
Phishing emails will often link to a website with a URL that looks legitimate but is actually a website controlled by the attacker.
Screenshot of a phishing website, cropped to show just the address bar. Web browser shows web page title "Log in to your PayPal account". Address bar shows "paypal--accounts.com". The address is highlighted with a circle.
Attackers use a variety of strategies to make tempting URLs:
- Misspellings of the original URL or company name. For example, "goggle.com" instead of "google.com".
- A spelling that uses similar looking characters from other alphabets. For example, "wikipediа.org" versus "wikipedia.org". The "e" and the "a" are actually different characters in those two domains.
- Subdomains that look like the domain name. For example, "paypal.accounts.com" instead of "accounts.paypal.com". PayPal owns the second domain, but they have no control over the first.
- A different top level domain (TLD). For example, "paypal.io" versus "paypal.com". Popular companies try to buy their domain with the most common TLDs, such as ".net", ".com", and ".org", but there are hundreds of TLDs out there.
Even if an attacker hasn't found a similar looking URL to host their malicious webpage, they can still try to disguise the URL in the HTML.
Consider this very legitimate looking text:
Visit www.paypal.com to change your password.
Now try clicking the link. You didn't land on PayPal, did you? That's because the text of a link isn't the same as the destination of the link.
Here's what the HTML looks like:
Visit <a href="http://malicious-link.com">www.paypal.com</a> to change your password.
An attacker might disguise links in that way in an email message or a webpage. Whenever you click a dubious link, it's important to check the URL in the browser bar to see where your browser actually landed.
Non-secured HTTP connections
Any website that is asking you for sensitive information should be using HTTPS to encrypt the data sent over the Internet.
Phishing websites don't always go through the extra effort to use HTTPS.
Screenshot of a phishing website, cropped to show just the address bar. Web browser shows web page title "Log in to your PayPal account". Address bar shows "Not Secure" and URL "paypal--accounts.com". The "Not Secure" warning is highlighted with a circle.
However, according to a report, more than two-thirds of all phishing websites used HTTPS in 2019, so a secured URL does not necessarily equate to a legitimate URL.
Requests for sensitive information
Phishing emails will often ask you to either reply with personal information or fill out a form on a website. Most legitimate companies do not need you to verify personal information after the original account creation.
Screenshot of a phishing website, cropped to show just the login form. Login form has PayPal logo: an input field for email or mobile number, a password input field, and a "Log in" button. The email and password fields are highlighted with circles.
Urgency and scare tactics
Phishing emails use psychological manipulation to lower our guard and get us to respond quickly without thinking through the consequences.
Screenshot of phishing email, cropped to show part of the body. Email body has heading "Your PayPal Account is Limited, Solve in 24 Hours!" and body "Dear PayPal Customer, We're sorry to say you cannot access all the paypal account features like payment and money transfer. Click here to fix your account now. Why is it blocked? Because we think your account is in danger of theft and unauthorized uses." The heading and final line are highlighted with circles.
Handling a phishing attack
Every phishing scam will vary in its sophistication, so some emails may be very obviously fake while other emails can be incredibly convincing.
If you ever suspect an email is a phishing attack, do not click on any links or download any attached files.
Find another way to contact the supposed sender to see if the email is legit. If the email's from a company, you can search online for their phone number. If it's from a friend or colleague, you can message them or give them a call.
There's a new type of phishing that's even more popular and dangerous: spear-phishing. Instead of sending a similar email to many users, a spear phisher will research a user and send an email specifically targeting them.
Spear phishing attacks often target people within a organization, with the goal of gaining access to the organization's data.
One of my colleagues received this spear phishing email that claimed to be from Sal Khan himself:
Fortunately, it was obviously a spear phishing email from the sender's email address.
But not all spear phishing attempts are so obvious and not all targets are so vigilant. If just one person in an organization accidentally reveals their credentials or downloads malware onto their work computer, an attacker can potentially breach their entire company database. That's not just one person's data, that's thousands or millions of people's data. 😬
Want to join the conversation?
- At the bottom of the article it says
"🔍 Can you spot a phishing scam? Test your skills with this Phishing Quiz from Google."
the link takes me to
Is this a trick question? Does google actually own "withgoogle.com"?(12 votes)
- You can trust the link. One way to check is to visit the site, click the "lock" icon and check the certificate before proceeding. It's from Google and verified.(7 votes)
- Do some websites/companies take measures against phishing attacks?
There used to be a scam call claiming to be from the IRS, but people knew it was fake because the IRS doesn't make calls. What are some other ways to prevent phishing?(4 votes)
- There is almost nothing a website/company can do to prevent a phishing attack. A professional attacker will design their own login pages that look similar to those of the actual website. When you enter your information that information will be sent to two places, the actual website and the man in the middle (the attacker). You will then be redirected to the actual website and you wont be able to know if you were phished until the hacker has gained access into your account.
To prevent a phishing attack I recommend that if you receive an email from Instagram, FaceBook, or any other website go to the actual website and check. Do not click on any link or enter your information directly from the email unless you are 100% sure that the email sent is not a phishing attack.(1 vote)
- The website asked for my name and phone number, so i didn't do it. Is it legit?(1 vote)
- The simple answer is *Probably So.* Because websites nowadays ask for phone numbers to send a verification text message. Unless the website is unsecure, you should be able to enter the information and not likely to get hacked. Have A Good day & Hope this hekped(2 votes)
- "Subdomains that look like the domain name. For example, "paypal.accounts.com" instead of "accounts.paypal.com". PayPal owns the second domain, but they have no control over the first."
I have a hard time understanding which of the domains are "first" and "second" in this instance?(1 vote)
- Subdomains come before the main domain. In the second instance, 'accounts' is the subdomain and 'paypal' is the domain. The first example, 'accounts' is the main domain (making it not actually owned by PayPal), but 'paypal' is the subdomain, making it look like the legit PayPal website (but don't be fooled!).(2 votes)
- I got a Trojan horse scam once, it was from an anime website I was trying to watch Kimetsu no yaiba (demon slayer) and I'm wondering if threes anyway to avoid it happening again.(1 vote)
- Avoid untrusted websites, such as those offering "free" games or videos. Do not download files from untrusted websites, and if you do, make sure you scan the files with antivirus software before opening or running them. Enable stricter security features on your browser. Many of the better antivirus software products have some sort of browser protection as well.(2 votes)
- are they any gadgets that can help prevent phishing attacks(1 vote)
- Many modern anti-virus software programs provide protection against phishing attacks. They may not block all attempts, but they can at least reduce them.(1 vote)
- I failed the phishing email quiz, but I'll be much more careful if this happened to me IRL, actually(1 vote)