Don’t Get Reeled In! Recognising and Reporting Phishing

Don't Get Reeled In! Recognising Different Types of Phishing Attacks

Have you ever received an email from a foreigner requesting financial assistance? How about a text message claiming you’ve won a particular prize for a competition you’ve never entered? In cybersecurity, these scams are commonly known as “phishing” attempts.

The term is believed to derive from “phoney fishing.” The Internet Engineering Task Force defines phishing as a technique for attempting to acquire sensitive data (e.g. bank account details) through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business. It is crucial to understand phishing attacks and how they work in order to avoid falling victim to them as they evolve with technology.

Phishing attacks fall under “social engineering” tactics, which involve using psychology to encourage humans to take particular actions. The common psychological tactics used in phishing attacks involve drawing on emotions like fear, anger, and excitement and appearing to be trustworthy while creating a sense of urgency in hopes that a user will take a detrimental action without taking time to think and rationalise. Usually, if the user does not comply with a particular action, the attacker threatens dire consequences.

Types of Phishing

Today, phishing takes various forms depending on the attacker’s target. When you understand the variety of forms that phishing may take, you are better equipped to identify it and refrain from falling victim to it. A few common types of phishing are detailed below.

Email Phishing

One of the most common forms of phishing, email phishing, involves attackers pretending to be reputable businesses to solicit payment, personal information, or both. Email phishing is not necessarily a targeted means of phishing, so attackers can use this tactic at a broader scale, attracting more victims than other phishing methods.

Spear Phishing

Spear phishing attacks are highly targeted attempts aimed at one or several members of middle management who have the authority to approve specific purchases. The attacks often appear to come from upper management and include information likely to be of interest to the target, making them seem more legitimate.

Whaling

Whaling is a specific type of phishing attack that involves actors strategically posing as top-level management of an organisation to solicit money or information from other employees. Scammers utilising the whaling method benefit from publicly available information on high-level employees. They will try to infuse that information into their message to make the email appear more authentic.

Vishing

Voice phishing, or vishing, often transpires over the phone and involves scammers speaking to a potential victim in an attempt to gain personal information that they can leverage in committing another crime. During vishing attacks, the perpetrator often pretends to represent a reputable organisation like a financial institution, technical support group, medical facility, or law enforcement agency. They use fear tactics to draw the specific information they claim to require out of their prospective victims. As deepfake technology advances, detecting vishing attacks is becoming increasingly challenging. Because of these advancements, being ever-vigilant and particular about where and how personally identifiable information is shared is critical.

Smishing

Smishing is a form of scam using short messaging services (SMS); the word combines the terms “SMS” and “phishing.” A smisher’s goal is usually to get victims to download malware onto their phones by sending them a URL, often disguised as a contest prize or a parcel delivery notification. A smisher may also attempt to get your confidential information by sending you to a custom-made site designed to mimic a reputable one, like an online banking portal.

Phishing Defence

There are a few ways to remain vigilant against phishing attacks. Most important of all is to remember that if a communication conjures a strong emotion coupled with a sense of urgency, it is likely a phishing attempt. Stop, think, and reason. Be very reluctant to give out personally identifiable information to anyone by phone or email.

Verify

While it may require extra steps, it is often best to verify unusual communication with organisations directly through their official means of communication. For example, strange banking notifications can be verified by logging into the bank application or by calling the bank at its listed telephone number.

Keep Your Eyes Peeled

Look out for common indicators that a communication is illegitimate. These can include spelling and grammatical errors and suspicious domains. If a link seems suspicious, navigate to the organisation’s website via the web browser rather than clicking a link provided in an email or SMS message. CIRT-BS and GetSafeOnline offer a tool called “Check a Website” that enables users to verify the legitimacy of various websites before engaging with them.
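An added example (not part of the CIRT-BS article, and unrelated to the “Check a Website” tool): a small Python helper that shows where a link in a message actually leads and flags the common tricks behind suspicious domains, so the real host can be compared with the organisation’s official domain before anything is clicked. The domain names and URLs below are constructed for illustration.

```python
"""Triage a link from an email or SMS: show its real host and list indicators
that it does not belong to the organisation it claims to represent."""
from urllib.parse import urlparse


def link_indicators(url: str, official_domain: str) -> list[str]:
    """Return warning indicators for `url` relative to `official_domain`.

    An empty list means the link's host is the official domain itself or a
    subdomain of it. `official_domain` is what the user already knows to be
    the organisation's real domain (e.g. from a bank card or statement).
    """
    indicators = []
    # Bare links in SMS often omit the scheme; add one so urlparse splits the host.
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()   # .hostname strips userinfo and port
    official = official_domain.lower()

    if parsed.scheme != "https":
        indicators.append("not https")
    if parsed.username is not None:
        # Anything before '@' is user info, not the host; brand names are placed
        # there so the visible URL starts with the organisation's name.
        indicators.append(f"text before '@' is not the host; real host is {host}")
    if host.replace(".", "").isdigit():
        indicators.append("bare IP address instead of a domain name")
    if host.startswith("xn--") or ".xn--" in host:
        indicators.append("punycode (internationalised) hostname; may mimic Latin letters")
    if host != official and not host.endswith("." + official):
        if official in host:
            indicators.append(f"official name embedded in a different domain: {host}")
        else:
            indicators.append(f"host {host} is not {official}")
    return indicators


# Constructed sample links of the kind a smishing or phishing message might carry.
SAMPLE_LINKS = [
    "https://online.mybank.example.com/login",
    "http://mybank.example.com.secure-alerts.net/verify",
    "https://mybank.example.com@198.51.100.7/",
    "https://xn--mybnk-example.com/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        flags = link_indicators(link, "mybank.example.com")
        print(link, "->", "looks consistent" if not flags else "; ".join(flags))
```

The one link that clears every check is the only one whose host ends in the official domain; everything else should be verified through the organisation’s official channels instead of being followed.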

Password Protection

Strong passwords are important, but they are even stronger when combined with multi-factor authentication, which can help prevent unauthorised account entry in some cases by forcing the user to verify login attempts should a password compromise occur.

Reporting

Users who believe they have fallen victim to a phishing attack should protect their accounts by changing all impacted passwords. Next, they should do their due diligence and report the issue to law enforcement, CIRT-BS, and the spoofed organisation. When a phisher has targeted a representative of an organisation, CIRT-BS recommends contacting the company’s information security and information technology department to report the crime.

Conclusion

When we understand phishing attacks in their various forms, we can better spot them, avoid becoming victims, and take appropriate action to defend ourselves. Whether it is a vishing, smishing, or email phishing attack, remaining vigilant for unusual communications and requests is paramount, and when such messages are spotted, verifying them by another means of communication goes a long way. Report any communications you believe are phishing scams. As always, CIRT-BS remains dedicated to helping residents of The Bahamas avoid falling victim.
