The ultimate guide to avoid email phishing

Think before you click!

The best solution to any problem is to keep things simple. When it comes to getting personal information, asking for it and getting an answer is one of the most frictionless ways there is. In essence, this is what phishing is—a quick way for bad actors to get access to valuable information or funds.

Origin of Phishing
What is Phishing?
How Does Phishing Work?
Popular Forms of Phishing Attacks
Tell-tale Signs of a Phishing Attack
Simple Ways of Protecting Yourself Against Phishing
How to Protect Businesses Against Phishing Attacks
What to do if You’ve Been Phished
Why You Should Take this Seriously – Phishing and Your Business
How Can Phishing Negatively Affect Your Business
The Bottom Line

Origin of Phishing

On August 6, 1991, the World Wide Web was made available for public use. Ever since, people have been finding creative ways to use it for personal gain, both good and bad. But these types of attacks are not new. They have been going on in one form or another for years, even before the internet.

The term phishing was coined around 1996 by hackers stealing America Online accounts and passwords, which was a popular pastime in those years. Phishing, which sounds very similar to ‘fishing,’ describes what they were trying to do—casting their hooks to catch as many unsuspecting people as possible.

What is Phishing?

Phishing is a type of fraud usually done via email that tricks a person into divulging their personal information (bank accounts, birthday, address, Social Security Number, log-in credentials) without them knowing it. 

Phishing attacks can be classified into two categories: ‘spear phishing’ and ‘bulk phishing.’ Spear phishing, as the term implies, is a targeted attack against specific individuals or an organization. Bulk phishing, on the other hand, sends countless messages, usually via email or links contained in mobile messages, to random people in the hope of capturing as much information as possible.

How Does Phishing Work?

Phishers attack by disguising themselves as legitimate organizations that are trying to ‘help’ or to do ‘you a favor.’ An email from a bank, for example, may ask for your account details so that they can protect you against fraud.

Another popular way of tricking you into handing over your details is to tell you that you have ‘won’ something, or that you will lose the chance to win unless you send the required information.

Recent strategies have shifted their focus from ‘rewards’ to ‘scaring’ people. For example, revenue agency scams frighten people into submitting their personal information over supposedly unpaid taxes or debts.

Basic Strategies

  • Creating a pseudo website. Phishers can send you a link to a popular banking site, for example, which looks very similar to the real thing but has a slightly different URL. At first glance, you might not see anything wrong with the official URL (e.g., www.bankofamerica.com), but upon closer inspection, they’ve subtly added characters (e.g., www.bankofamerica1.com). Visually, there may be no difference in how the website looks, tricking you into entering your account information.
  • Email. One of the most popular forms of phishing. A hacker might pretend to be someone from a well-known organization and use a sender’s address of this form (manager@wellsfargobank1.com). At a glance, it seems to come from someone working at the bank and in a position of authority.
  • Direct messaging. A more personal approach to phishing is to connect with potential victims via messaging apps. Social media sites have become so popular that they are now a prime hunting ground for phishers and hackers.

Where do Phishers get your email information?

  • Using programs or software that scan the internet for email addresses by searching for the ‘@’ sign.
  • Generating email addresses by combining popular mail service domains with common user names.
  • Buying them, legally or illegally, from email aggregators. Ever visited a site asking for your email address in exchange for a free subscription?

Popular Forms of Phishing Attacks

There are many forms of phishing attacks. All are designed to trick the victim into believing that this is coming from a reputable or legitimate source. Below are the most common types of phishing attacks being employed today.

1. Deceptive Phishing – this form of attack uses emails to trick recipients into sending their personal information. The email can contain a link to a fraudulent website where you are asked to verify your details by entering sensitive information.

It works by alerting you about possible unauthorized access to your bank account. The email then points you to their fake website, where you are asked to enter your account details. 

A few things to check if the email is legitimate:

  1. Do you have any official business or enrolled in any services with the company sending you the email? 
  2. Any official announcement from a company requires proofreading and editing by professional business writers. Check for any grammar or spelling issues. 
  3. Check all links and verify if these are legitimate. Be cautious if they redirect you to another site before entering any personal information. 

2. Spear Phishing – this is a more dangerous form of phishing attack, since hackers may already have some personal information about you, giving the attack a veneer of legitimacy. It might come from a person who has intimate knowledge about you, or be based on information gathered from social media sites.

How to protect your personal information on social media sites

  1. Check your privacy settings, limit access to your social media account to close friends or relatives
  2. Never disclose your location, home address, complete birthdate
  3. Use strong passwords and use different passwords for each social media account
  4. Use two-factor authentication
  5. Never use social media or messaging apps to discuss sensitive information

3. Vishing – this is a phishing attack that is performed over the phone. Like spear phishing, the caller might be armed with personal information and use it to trick you into believing that the call is legitimate. 

Vishing is considered the most personal of all the phishing strategies, since it involves talking over the phone. It can also be the most dangerous, since the scammer can readily rebut any concerns you might have. Unlike the other forms of phishing, which give you time to check every detail for accuracy, conversations happen in real time.

4. Smishing – another popular way of phishing is through the use of fraudulent text messages. Similar to sending countless emails to unsuspecting individuals, phishers send SMS to random phone users, which contain a ‘call to action’ message. 

It tricks you into sending your personal information by telling you that you have won something, that there has been an unauthorized bank transaction, or by masquerading as a government agency. To protect yourself against this type of attack, verify whether the message is real by directly calling the government agency or company. You could also send a text message back asking them whether they know your complete name or any related information, since most smishing attacks are random.

5. Whaling – can be considered a high-level spear-phishing attack. These are usually aimed at high-value targets such as people in senior management positions. Whaling attacks are more sophisticated, better organized and better written, and draw on personal information. This type of attack requires more time and resources but provides better returns for hackers.

What is ID fraud?

The greatest danger of a phishing attack is when a hacker steals your identity and uses it to purchase products or open new accounts for credit and services.

It doesn’t need to be high tech. A criminal can gain access to your personal information by only going through your trash. Old letters and bank statements can also contain sensitive information, so be sure to dispose of these properly. 

Tell-tale Signs of a Phishing Attack

Sadly, not everybody is aware of phishing attacks, and of course, there is always a first time when a person encounters such a situation. While people are becoming more aware of phishing attacks and better at identifying them, hackers have also leveled up and come up with better-written, well-planned ways of tricking unsuspecting victims.

1. Incorrect URL

Hackers dupe you into entering your personal information by sending you links to the page where the information is requested. Never click on the URL unless it has first been verified. Below are two simple ways of checking whether the link is authentic.

a. Do a manual search – if the email comes from an organization like PayPal, search for their official website and compare the URL link.

b. Hover your mouse over the link and check whether the hyperlinked site is identical to the displayed one or whether it sends you somewhere else.
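The two checks above (does the link text match where the link really goes, and is the domain a near-copy of the real one, as with www.bankofamerica1.com or manager@wellsfargobank1.com in the Basic Strategies list) can be automated. The Python checker below is an added example, not code from the original article; the KNOWN_DOMAINS list and the sample email are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the reader actually does business with (assumed list; extend as needed).
KNOWN_DOMAINS = {"bankofamerica.com", "wellsfargo.com", "paypal.com"}

def host_of(url):
    """Lowercase hostname of a URL or of a bare 'www.example.com' string."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def registrable(host):
    """Crude 'brand.tld': the last two labels (enough for .com-style hosts)."""
    return ".".join(host.split(".")[-2:])

def lookalike(host):
    """Known domain this host imitates (same brand word, different domain), else None."""
    reg = registrable(host)
    if reg in KNOWN_DOMAINS:
        return None  # the real domain, or a real subdomain of it
    return next((k for k in KNOWN_DOMAINS if k.split(".")[0] in reg), None)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """(href, reason) for each link whose text and target disagree or whose target is a lookalike."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = host_of(text) if "." in text and " " not in text else ""  # link text that looks like a URL
        if shown and registrable(shown) != registrable(target):
            findings.append((href, f"text shows {shown} but the link goes to {target}"))
        elif lookalike(target):
            findings.append((href, f"{target} imitates {lookalike(target)}"))
    return findings

SAMPLE_EMAIL = (  # constructed example message, not a real phishing email
    '<p>Unusual activity detected. Visit <a href="http://www.bankofamerica1.com/verify">'
    'www.bankofamerica.com</a> to confirm, see our <a href="https://www.bankofamerica.com/help">'
    'help page</a>, or <a href="http://paypal-secure.com/login">click here</a>.</p>'
)
```

Running check_links(SAMPLE_EMAIL) flags the first and third links and leaves the genuine help-page link alone; lookalike() applied to the domain part of a sender address gives the same verdict for manager@wellsfargobank1.com.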

2. An email asking for your personal information

Banks and other legitimate organizations already have all the personal information they will ever need from you. The only time a bank asks for your details is to verify your identity when you are making a transaction. When an email asks for them, ignore and delete it.

3. Unusual subject lines 

Hackers trick you into entering your personal information by masking their real intentions. Be wary of emails with these subjects:

  • Winning a prize without you ever joining the contest
  • A threatening email that demands immediate payment 

4. Poorly written emails

If you’ve won a million dollars or an expensive trip to the Bahamas, you would at least expect them to have a decent copywriter on their payroll. Another noticeable sign of a phishing email is grammar and spelling errors.

5. Emails sent by people/organizations you don’t know

Most phishing emails use generic salutations like Sir or Ma’am. If you’ve recently received official correspondence from your bank, for example, most greetings at least contain your first name to make it feel more personal. Phishing emails, on the other hand, are usually generic. 

Simple Ways of Protecting Yourself Against Phishing

There are several programs for protecting valuable information held on networks. They are designed to protect servers against unauthorized access by hackers. But phishing attacks are not aimed at servers; they target the more vulnerable element in data protection, the human component: you, the user.

1. Stay calm

Phishing strategies rely on eliciting strong emotions in their victims to stop them from acting rationally. This is why scams that promise rewards or carry threatening messages are so successful.

When this happens, keep your wits about you and never click on any link. Proceed by verifying each detail of the message for authenticity. Check the organization’s official website and, if a contact number is provided there, call them.

2. Install anti-virus software 

It prevents malware or any virus from infecting your computer. It could also scan all the attached documents. Once a hacker can access your computer, they could use ‘keyloggers’ to collect user names, passwords, and any log-in information.

3. Never post sensitive personal information online

Hackers spend countless hours developing programs and strategies to gain access to your personal information. Posting this information on your website or social media accounts only makes it easier for them. Social media sites are rich sources of information (home address, birthday, occupation, and family connections). It can be used to open new accounts and even to hijack your identity to commit fraud.

4. Educate yourself

The best protection against phishing attacks is to keep yourself up to date with the latest information. Even anti-virus software is not 100 percent effective. This is because anti-virus software is created in response to current threats, not against future attacks.

How to Protect Businesses Against Phishing Attacks

1. Educate your Employees

The most critical step in protecting your business against phishing attacks is to educate your employees. The human factor is the weakest link in any anti-phishing strategy. All your efforts are wasted if an employee decides to click on a link or mistakenly send their log-in details.

2. Email Filters

Although this is not a guaranteed, fool-proof way of preventing every malicious email from entering your network, it can minimize your exposure to this type of attack. Not all email filters are created equal, so you have to do some due diligence and check which email service is most effective for you.

Another option is to disable all hyperlinks in your email settings. Although this would disable dangerous links in your email messages, it also means that you won’t receive links from legitimate sources.

3. Anti-virus Software

Installing anti-virus software offers your business a complete approach to securing your valuable data. It protects you against all types of attacks, and some products even come with anti-phishing features that check emails for dangerous links and attachments.

However, you must keep your anti-virus software continuously updated. This ensures that you are always getting the best and latest protection. You should also regularly scan your systems and devices for viruses, in case some manage to sneak into your system.

4. Virtual Private Network (VPN) 

You must keep your online transactions secure by only sending information over a secured network. A Virtual Private Network keeps you protected by encrypting your data in transit. This is why you should warn employees not to send any sensitive information over public Wi-Fi connections.

5. Keep all your software updated

Software companies regularly update their products and provide some level of protection against attacks with their updates. An example would be your operating system (Windows, Linux, macOS), which regularly updates its software and built-in anti-virus software. 

What to do if You’ve Been Phished

Finally, it happens. You’ve been tricked into divulging your personal information or clicked a suspicious link. What happens now?

1. The first thing you should do is change all passwords associated with the account that has been compromised. This is why most accounts are now protected with two-factor authentication (2FA) as an added layer of protection.

Two-factor authentication refers to a two-step verification that requires a user to provide two different methods to authenticate their log-in. For most online accounts, you can set up 2-step verification to protect the account even if your password is stolen.

2. If you accidentally entered your credit card information, immediately contact your bank and cancel your card. This way, it is easier for you to dispute any unauthorized charges after you’ve submitted your request.

3. Unplug yourself from the internet. Take your computer, laptop, smartphone, or any mobile gadget offline to stop information from leaking out. 

4. Suspicious links or attachments can contain viruses or malware that allow hackers to hijack your computer or run programs that collect your personal information.

5. Monitor your credit for any unauthorized transactions and place an identity theft alert. If someone is making unauthorized applications for credit using your name, it can be seen in your credit reference files. 

6. If you suspect a phishing attack and it involves your company network, notify all employees and immediately contact the IT department.

Why You Should Take this Seriously – Phishing and Your Business

Industry experts estimate that 1 in every 99 emails is a phishing attack. It might not sound alarming, but if you consider the millions of emails being sent every day, it is a staggering number. According to Avanan’s 2019 Global Phish Report:

  • 25% of phishing emails bypassed Office 365 default security
  • 1 of every 25 branded emails is phishing
  • 98% of emails containing a crypto wallet address are phishing
  • Over half of all phishing emails have malware

With phishing attacks getting more targeted and sophisticated, Microsoft has placed the loss to businesses at around 500 billion, with each data breach costing a company about 3.8 million.

How Can Phishing Negatively Affect Your Business

1. Damage your reputation/customer confidence – the prospect of telling your customers that you have been a victim of a phishing attack can have long-term damaging effects on your company’s reputation. 

2. Loss of customers/clients – a direct result of a damaged reputation. It would not come as a surprise but rather something that is expected.

3. Regulatory fines – companies could also be fined for failing to protect their clients’ information.

4. Loss of company value – anything unexpected, especially something that negatively affects the company, can send investors into a jitter.

5. Disrupt operations – even the slightest suspicion that your business has been the victim of a phishing attack can lead to the disruption of normal operations. It could take days or even weeks before the threat is assessed and contained.

The Bottom Line

It is estimated that 9 out of 10 cyber-attacks are initiated with a phishing email. It is why protecting your business against phishing attacks should always be a top priority when protecting yourself against online threats.

The best way to keep yourself safe from phishing is to unplug yourself from the internet and revert to traditional correspondence (face-to-face meetings, letters). Especially today, this is not practical.

At MetaFuro, in addition to a host of other security features, we offer you a ‘bubble’ where you can safely send and receive messages from external companies that are personally verified by us. This helps ensure that who you think you’re talking to is who you actually are talking to.

If you’re interested in learning more, check out our product page to see how MetaFuro can be tailored to your needs.
