In today’s increasingly digital age, in which technology is an integral part of our lives, cybercriminals have found many ingenious ways to exploit vulnerabilities and target unsuspecting individuals. Two prevalent and deceptive techniques used by cybercriminals are phishing and smishing scams. In this guide, we will delve into the world of phishing and smishing, exploring scammers’ tactics and the ‘red flags’ to look out for, and providing invaluable prevention tips to help you stay safe and secure against these devious scams.
But first, let’s take a look at what phishing and smishing actually are.
Part 1: Understanding Phishing and Smishing Scams
1.1 What is Phishing?
Phishing is a malicious and deceptive cyber-attack technique in which scammers pose as trustworthy companies (or even individuals) to manipulate unsuspecting victims into divulging sensitive information. This sensitive information might include usernames or email addresses, passwords, credit card details, social security numbers, or other personal information. Phishers employ various communication channels, with email being the most common, to cast a wide net and increase their chances of success.
Phishing attacks are characterized by the following elements:
Social Engineering: Phishing relies heavily on social engineering tactics to exploit our emotions, such as fear, curiosity, greed, or urgency. The scammer crafts messages that evoke these emotions to compel recipients to act impulsively, without questioning the authenticity of the communication.
Email Spoofing: One of the key techniques used in phishing is email spoofing, in which an attacker manipulates a legitimate sender’s email address or name to make it appear as if the email is coming from a reputable source. By impersonating well-known organizations, financial institutions, or government agencies, phishers aim to gain the trust of their targets.
Phishing Websites: Phishers often create fake websites that mimic (sometimes very closely indeed) the appearance of real websites, to deceive users into entering their login credentials or other sensitive information. These phishing websites are designed to be almost identical to the real ones, making it difficult for the average (or unwary) user to spot the difference.
1.2 What is Smishing?
Smishing, short for “SMS phishing”, is a type of phishing that leverages text messages (SMS) to execute the scam. Similar to traditional phishing, smishing attackers impersonate reputable companies (or individuals) to trick message recipients into taking specific actions, such as clicking on malicious links or providing personal information.
Smishing attacks exhibit the following characteristics:
Fake Urgency: Smishing messages often employ a sense of urgency to pressure recipients into taking immediate action. Scammers may, for example, claim that recipients’ accounts are at risk of suspension or that they have won a prize that requires immediate verification.
URL Shorteners: To conceal malicious URLs (web page addresses), smishers frequently use URL shortening services, making it challenging for users to identify the true destination of the link without clicking on it.
Of course, there are many legitimate uses for URL shorteners, so a shortened URL by itself does not mean a message is definitely a scam.
Call-to-Action: Smishing messages typically include a call-to-action, urging recipients to click on a link or call a phone number. This call-to-action may be disguised as a special offer, a security notification, or a verification request.
Part 2: Tactics and Techniques Used in Phishing and Smishing Scams
Now that we’ve had a look at what phishing and smishing are, let’s take a deeper dive into the common tactics used by phishing and smishing scammers.
2.1 Email and Phone Number Spoofing
Email spoofing is a very common technique in phishing attacks. Scammers manipulate the sender’s name and email address so that the email appears to come from a legitimate source, deceiving recipients into believing the communication is genuine and from a trusted party.
In smishing attacks a similar tactic is used, but instead of email addresses, scammers manipulate the sender’s phone number or text message headers. This creates the illusion that the message is from a legitimate source, increasing the likelihood of the recipient falling for the scam.
2.2 Urgency and Fear Tactics
Phishing and smishing attackers frequently use urgency and fear to manipulate their targets into taking immediate action. For example, phishing emails may warn recipients that their accounts will be closed if they do not verify their information within a specified timeframe. Smishing messages might claim that recipients’ bank accounts have been compromised, urging them to call a specific number immediately to rectify the situation.
By employing these fear-inducing tactics, scammers hope that victims will act impulsively without stopping to consider carefully whether the message is genuine.
2.3 Impersonation of Trusted Brands
A hallmark of successful phishing and smishing attacks is the impersonation of trusted and recognizable brands. Phishers will often imitate well-known financial institutions, e-commerce websites, social media platforms, or even government agencies. The use of logos, branding elements, and email templates that closely resemble those of the genuine organizations further enhances the illusion of legitimacy.
For example, a phishing email may appear to come from a bank, requesting the recipient to update their account information immediately to avoid account suspension. Similarly, a smishing message might impersonate a popular online retailer, claiming that the recipient has won a gift card and must follow a link to claim the prize.
2.4 Malicious Links and Attachments
Both phishing emails and smishing texts often contain malicious links or attachments. These links and attachments can lead to various malicious outcomes, such as:
- Phishing Websites: Clicking on a link in a phishing email may direct the recipient to a fake website that looks nearly identical to the legitimate one. The purpose of these phishing websites is to trick users into entering their login credentials or other sensitive information, which the scammers then capture to use (or sell).
- Malware Delivery: Clicking on a malicious link or downloading an attachment can introduce malware onto your device. Malware may include keyloggers, which record keystrokes to capture sensitive information such as passwords and transmit it back to the attacker, or ransomware, which encrypts the victim’s files and demands a ransom to decrypt them.
- Form-based Attacks: Some phishing websites contain forms that request personal information under the guise of account verification or other seemingly legitimate purposes. Unsuspecting victims may unknowingly provide their sensitive data directly to the scammers.
Part 3: Red Flags to Identify Phishing and Smishing Attempts
In this section we’ll take a look at some of the key ‘red flags’ or warning signs to look out for.
3.1 Generic Greetings
Phishing and smishing messages often use generic greetings like “Dear Customer” or “Dear User” instead of addressing recipients by their names. Legitimate organizations usually personalize their communications and address users by their full names or usernames.
3.2 Misspellings and Grammatical Errors
A common hallmark of phishing and smishing messages is the use of misspellings, grammatical errors, and awkward language usage. Phishers often operate internationally and may not be fluent in the language used in their scams, leading to noticeable mistakes.
Legitimate organizations typically employ skilled copywriters and have a thorough proofreading process, so their communications are unlikely to contain such errors.
3.3 Suspicious Sender Information
It’s really important to examine the sender’s email address or phone number carefully – especially if you weren’t expecting the communication. Phishing emails often come from addresses that very closely resemble the legitimate organization’s domain but have slight variations or misspellings. A common ploy to look out for is the use of subdomains: this lets scammers place the name of a legitimate company within the email address, even though the address actually belongs to a domain they control, which is easy to miss at a quick glance.
Similarly, smishing messages may come from phone numbers that appear to be legitimate, but the scammers use burner phones or other tactics to hide their true identities.
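As an added example (not part of the original guide), the following Python code applies the section 3.3 checks to an email From: header: it extracts the domain the address really belongs to, flags the subdomain ploy, flags small lookalike variations, and notices a display name that claims a brand the address does not. The brand name examplebank and its genuine domains are hypothetical placeholders.

```python
import re

# Constructed data (hypothetical): the domains a brand genuinely sends from.
GENUINE_DOMAINS = {"examplebank": {"examplebank.com", "examplebank.co.uk"}}
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}

def registrable_domain(host: str) -> str:
    """The part of a hostname its registrant controls:
    'examplebank.com.secure-login.net' -> 'secure-login.net'."""
    labels = host.lower().strip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_red_flags(from_header: str, brand: str) -> list[str]:
    """Return the section 3.3 red flags raised by an email From: header."""
    m = re.search(r"<([^>]+)>", from_header)
    address = (m.group(1) if m else from_header).strip()
    display = from_header[: m.start()].strip().strip('"') if m else ""
    if "@" not in address:
        return ["no usable sender address"]
    host = address.rsplit("@", 1)[1].lower()
    owner = registrable_domain(host)          # who really controls this address
    genuine = GENUINE_DOMAINS[brand]
    if owner in genuine:
        return []                              # the address really is the brand's
    flags = []
    if brand in host and brand not in owner:
        # brand name appears only as a subdomain of someone else's domain
        flags.append(f"brand name is only a subdomain of {owner}")
    elif brand in owner or min(edit_distance(owner, g) for g in genuine) <= 2:
        flags.append(f"lookalike domain {owner}")
    else:
        flags.append(f"unrelated domain {owner}")
    if brand in display.lower().replace(" ", ""):
        flags.append(f"display name claims {brand!r} but address does not")
    return flags
```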
3.4 Unsolicited Requests for Personal Information
Legitimate organizations seldom (if ever) request sensitive information, such as passwords or account numbers, through email or text messages. In fact, many go out of their way to tell customers they will never do this. Be cautious of any communication that asks you to provide such information, without a clear and legitimate reason. If in any doubt, call the organization. Never use contact information provided in a suspicious email or text message – go directly to the organization’s website to find their real contact details.
3.5 Unrealistic Offers or Prizes
Be highly sceptical of messages that offer extraordinary prizes, rewards, or discounts for little to no effort on your part. If an offer seems too good to be true, it almost certainly is.
Phishing emails may claim you’ve won a large sum of money, a lottery prize, or a free gift card. Smishing messages might promise exclusive deals, or the chance to win a luxury holiday, or a new car. Don’t let greed be your downfall! Remember, scammers rely on emotions overruling reason.
3.6 Threats and Urgent Calls to Action
Phishing and smishing messages often include threats of dire consequences for non-compliance, or urgent calls to action. Threats might include claims of account suspension, legal action, or fines if the recipient does not do as requested immediately.
By creating a sense of urgency, scammers aim to pressure recipients into acting impulsively without pausing to consider the legitimacy of the communication.
Part 4: Preventing Phishing and Smishing Attacks
Now we know what phishing and smishing are, some of the common tactics scammers use, and the red flags to look out for, let’s take a look at what actions you can take to protect yourself from phishing and smishing scams.
4.1 Educate Yourself and Others
One of the most effective ways to combat phishing and smishing attacks is through education. After all, knowledge is power! Stay informed about the latest phishing and smishing techniques and share this knowledge with your friends, family, and colleagues.
Educational resources, security awareness training programs, and cybersecurity experts can provide valuable insights into the tactics used by scammers and how to spot potential threats.
4.2 Verify Sender Identity
Before responding to any messages that request sensitive information, take the time to verify the sender’s identity through a trusted source. For example, if you receive an email from your bank requesting personal information, visit the bank’s official website or contact their customer service line directly to confirm the legitimacy of the communication. Never rely on contact information provided in a suspect email or text message.
Similarly, if you receive a smishing text claiming to be from a government agency, verify the contact details through the official government website.
4.3 Avoid Clicking on Suspicious Links
One of the primary ways phishers and smishers lure victims into their scams is through malicious links. To protect yourself, be cautious when clicking on links in emails, especially if they seem unexpected or suspicious. Remember, scammers rely on powerful emotions, including fear, urgency, desire, greed, and curiosity, overruling calm, reasoned analysis.
Hover your mouse cursor over the link to preview the full URL before clicking it. If the link appears to lead to an unfamiliar website or looks different from what you expected, don’t click it. Not even out of curiosity!
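The advice above (and the malicious-link and URL-shortener points from sections 1.2 and 2.4) can be automated for an HTML email. This added example, which is not code from the original guide, collects every link in a message and reports what hovering would reveal: a visible URL that differs from the real destination, a shortener that hides the destination, and any link that leads away from the expected domain. The sample message, the shortener list and the examplebank domain are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, illustrative list of URL-shortener hosts (not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}
URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_red_flags(html_body: str, expected_domain: str) -> list[str]:
    """Report what hovering would reveal for every link in the message."""
    parser = LinkCollector()
    parser.feed(html_body)
    flags = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            flags.append(f"shortened link hides its destination: {href}")
        if URL_LIKE.fullmatch(text):  # the visible text itself looks like a URL
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown and shown.lower() != host:
                flags.append(f"text shows {shown} but link goes to {host}")
        if host != expected_domain and not host.endswith("." + expected_domain):
            flags.append(f"link leads away from {expected_domain}: {host}")
    return flags

# Constructed sample message; the hostnames are placeholders, not real sites.
SAMPLE_EMAIL = """<p>Dear Customer, your account will be suspended.</p>
<a href="https://examplebank.com.secure-verify.net/login">https://www.examplebank.com/login</a>
<a href="https://bit.ly/placeholder">Verify now</a>
<a href="https://www.examplebank.com/help">Help centre</a>"""
```

Calling link_red_flags(SAMPLE_EMAIL, "examplebank.com") flags the first two links and leaves the genuine help-centre link alone.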
4.4 Enable Two-Factor Authentication (2FA)
Two-Factor Authentication (2FA) provides an additional layer of security to your online accounts. By enabling 2FA, you add a second authentication factor, such as a unique code sent to your phone or generated by an authentication app, which is required in addition to your password to access your account.
Even if a scammer manages to obtain your login credentials through phishing or smishing, they won’t be able to access your account without that second authentication factor.
4.5 Install Anti-Phishing and Anti-Malware Software
Protect your devices and your data by installing reputable anti-phishing and anti-malware software. These security applications can detect and block phishing attempts, malicious links, and malware-infected files, providing an extra layer of defence against online threats.
Make sure you keep anti-malware software up to date to ensure you have the latest protection against ever-evolving cyber threats. You should also ensure it’s set to automatically scan files before they open, as this can provide an extra layer of protection if you do mistakenly try to open a malicious file.
4.6 Regularly Update Software and Operating Systems
Keep your software and operating system up to date to patch known vulnerabilities. Cybercriminals often exploit security flaws in outdated software, so applying updates quickly when they become available is crucial to maintaining robust security.
Part 5: Reporting Phishing and Smishing Scams
Received a suspicious email or text message? Deleting it will keep you safe, but reporting it might help to keep others safe, too!
Please note that the following information is intended for a UK audience.
5.1 Report to Action Fraud
Action Fraud is the UK’s national reporting centre for cybercrime and fraud.
To report phishing emails or suspicious text messages (smishing), you can contact Action Fraud through their website: https://www.actionfraud.police.uk/report-phishing. The above web page has useful information about how to report scams such as phishing and smishing, and what to do if you’re unfortunate enough to have become a victim.
5.2 Forward Suspicious Emails
If you receive a phishing email, you can also forward it to the UK’s National Cyber Security Centre (NCSC) at firstname.lastname@example.org. The NCSC investigates and takes down fraudulent websites associated with phishing attacks.
By reporting phishing and smishing incidents to Action Fraud and forwarding suspicious emails to the NCSC, you contribute to the efforts of cybersecurity professionals in combating these scams, helping to protect others from falling victim.
Part 6: Staying Vigilant in a Connected World
Lastly, let’s run through a few general cybersecurity tips.
6.1 Trust Your Instincts
When it comes to online communications, trust your instincts. If something feels not quite right about an email, text message, or even a phone call, proceed with caution – and pay extra attention to attempts to play on your emotions. If you’re unsure about the authenticity of a message, contact the supposed sender through verified contact details to verify its legitimacy.
6.2 Regular Security Awareness Training
Consider participating in security awareness training programs that teach you and (if applicable) your organization’s employees about phishing and smishing threats. The more informed you are, the better equipped you’ll be to identify potential scams and respond appropriately. Share your knowledge with friends, family, and colleagues to help them stay safe, too.
6.3 Regularly Monitor Your Financial Accounts
Regularly review your financial accounts for any unauthorized transactions or suspicious activities. If you notice anything unusual, promptly report it to your bank or credit card provider.
Phishing and smishing scams remain widespread and can be sophisticated threats. Armed with the above knowledge, with vigilance, and through the implementation of preventative measures, you can significantly reduce your risk of falling victim to the cruel, deceptive tactics scammers use.
Stay informed about the latest phishing and smishing trends, and educate yourself and others to help foster a safer online environment. Verify the identity of senders, and resist the temptation to click on suspicious links, or provide sensitive information to unknown sources.
By being aware of the red flags, and following the prevention tips outlined in this comprehensive guide, you can navigate the digital world with renewed confidence and security. Empower yourself to protect your digital identity, your personal data, and your financial well-being, ensuring a safer online experience for you, and others. With collective awareness and by taking proactive measures, we can all stand up against the persistent threat of evil phishing and smishing scams.