What is phishing? Here's what you should know about the virtual scamming technique and how to protect yourself from data theft
- Phishing is a form of cybercrime wherein you receive an email from a fake sender pretending to be someone else.
- The goal of phishing emails is usually to get you to give up personal or sensitive information.
- Phishing is easy to detect if you keep an eye out for bad spelling and grammar, email addresses that don't match the alleged sender, and requests for information you shouldn't provide over email.
- You should never respond to a phishing email and, instead, delete the message or follow your company's policy for reporting it.
Phishing is a cybercrime in which criminals masquerade as someone else, like a legitimate business, to get victims to surrender personal and sensitive information voluntarily.
A common kind of phishing email is when you receive a message in your inbox that appears to come from your bank. As part of some alleged security check, the message requests that you reply with your login information. That can include info like your username and password.
If you respond to this email with the requested information, you may have just given criminals unrestricted access to your bank account.
What is phishing?
The term "phishing" is a variation of the word "fishing." It is meant to symbolize that in most cases, cybercriminals cast a wide net, attacking a vast number of users at once, hoping that a few will take the bait.
There are several common variations of the basic phishing attack. A "spear-phishing" attack, for example, is one that's more targeted. In some cases, spear-phishing targets users known to use a specific bank, website, or online service.
Criminals conducting a generic phishing attack may know nothing about you, which is why you may occasionally get an email asking you to reset your password for a bank or online service you don't even use. But in spear phishing, criminals might have hacked a list of users for a common website and email those users asking them to give up sensitive information.
Likewise, spear phishing can be ultra-targeted at specific individuals, with custom emails that appear to come from co-workers, clients, or vendors to persuade you to give up passwords, account credentials, or other sensitive information.
You may also see other phishing-related terms, such as smishing (phishing that uses SMS text messages) and vishing (phishing that relies at least in part on voice phone calls). They all have the same goal: to persuade you that the communication is a routine request for sensitive information.
Common phishing ploys
There are countless common phishing attacks. Criminals are always trying new variations, so there is no single shortlist of phishing ploys to be on the lookout for. Even so, these are the kinds of phishing emails you will commonly see.
Winning a lottery or sweepstakes
You receive an email advising you that you've won a large cash award, usually in the form of sweepstakes. If you respond, you'll often find you need to give your bank account information to receive the deposit.
Assist someone dispensing a large bounty of money
This is the classic "Nigerian prince" scam, and there are a thousand variations in circulation today. The premise: Someone has a large sum of money that they will share with you if you can help transfer it to the United States or disperse it to charity. There is no money, but the criminals will take your money if you give them the requested information.
Security check for your bank account
You receive an email purporting to come from your bank requesting that you respond with your login information, account number, passwords, or other sensitive information.
You need to check on a charge or shipment or reset your password
In many cases, you won't be asked to reply with your account information. Instead, you might need to click a link in the email to open the website in question, where you need to log in and check on something.
The scam here is that the link takes you to an illegitimate clone of the website. If you enter your credentials, the criminals have captured your information.
How to detect a phishing attack
With a little diligence, it's easy to detect and avoid virtually all phishing attacks. Most phishing emails are relatively unsophisticated, aimed at ensnaring naive users who are new to the internet or who aren't aware of the risk of phishing attacks – or just very busy people who don't carefully review all their email. Here are the main things to look for.
Poor spelling and grammar
This might seem obvious, but it's the number one way to spot illegitimate emails. Many phishing emails are created by non-English speakers who miss nuances in English grammar. If an email claims to come from a major bank or retailer and includes obvious errors, beware.
The email address doesn't match the name
If an email claims to come from Netflix, but the actual email address does not end in "netflix.com," it's almost certainly a phishing attack. Look in the "From" line of the email client. It should say "Netflix <info@mailer.netflix.com>," not "Netflix <gdgeert@criminal_organization.remailer.com>."
Make sure the link goes where it claims — without clicking it
If you are preparing to click a link in an email, keep in mind that the link might take you somewhere different from what the link text implies. Hover over the link without clicking it and see where it's going. If the domain is different from what you expect, it's probably taking you to an illegitimate site.
Even better advice: Avoid clicking links in emails entirely. If your bank sends you an email claiming you have an important message waiting, open a web browser and navigate there yourself. That way, you can safely find out if the message is real.
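The two checks just described (does the "From" address actually belong to the brand's domain, and does a link's visible text point where its href really goes) can be done mechanically. The script below is an added example, not part of the original article; it uses only the Python standard library. The sample headers and HTML snippet are constructed for illustration, and `netflix-account-check.example` and `netflix.com.example` are placeholder domains, not real hosts.

```python
"""Mechanical versions of two phishing checks, run over a constructed sample email."""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample data (not from any real message). netflix.com is the brand's
# real domain as the article states; the other hosts are placeholders.
SAMPLE_FROM_OK = "Netflix <info@mailer.netflix.com>"
SAMPLE_FROM_BAD = "Netflix <gdgeert@criminal_organization.remailer.com>"
SAMPLE_FROM_LOOKALIKE = "Netflix <info@netflix.com.example>"  # brand name buried in a subdomain
SAMPLE_HTML = """
<p>Please confirm your details at
<a href="http://netflix-account-check.example/login">https://www.netflix.com/account</a>
or visit <a href="https://help.netflix.com/">help.netflix.com</a>
or <a href="https://www.netflix.com/">www.netflix.com</a>.</p>
"""


def domain_matches(host, expected):
    """True if host is exactly `expected` or a subdomain of it.

    mailer.netflix.com matches netflix.com; netflix.com.example does not,
    because the comparison is anchored at the right-hand end of the name.
    """
    host = (host or "").lower().rstrip(".")
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


def sender_domain(from_header):
    """Domain part of the address in a From header, ignoring the display name."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def sender_is_plausible(from_header, expected_domain):
    """The 'email address doesn't match the name' check from the article."""
    return domain_matches(sender_domain(from_header), expected_domain)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """The 'hover before you click' check, done programmatically.

    Returns (href, visible_text) for every link whose visible text names a host
    that the href does not actually point to. Links whose text is not a URL or
    hostname ("Click here") cannot be judged this way and are skipped.
    """
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        claimed = urlparse(text if "://" in text else "https://" + text).hostname or ""
        if "." not in claimed:
            continue  # visible text is not a hostname; nothing to compare against
        if claimed.startswith("www."):
            claimed = claimed[4:]  # treat www.example.com and example.com as one site
        actual = urlparse(href).hostname or ""
        if not domain_matches(actual, claimed):
            findings.append((href, text))
    return findings


if __name__ == "__main__":
    for header in (SAMPLE_FROM_OK, SAMPLE_FROM_BAD, SAMPLE_FROM_LOOKALIKE):
        verdict = "ok" if sender_is_plausible(header, "netflix.com") else "SUSPICIOUS"
        print(f"{verdict:10} From: {header}")
    for href, text in mismatched_links(SAMPLE_HTML):
        print(f"SUSPICIOUS link text {text!r} actually goes to {href}")
```

Two details matter for correctness. The domain comparison is anchored at the end of the name, so `mailer.netflix.com` passes while `netflix.com.example` fails; a naive "contains netflix.com" check would accept the lookalike. And the link check only judges anchors whose visible text names a host; text like "Click here" makes no claim that can be verified, which is exactly why the article's advice to navigate to the site yourself is the safer habit.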
Be wary of any request for sensitive information
Banks and retailers will never ask you for your password or other personal information via email. If you get an email that seems weird, it probably is weird.
What you should do about a phishing attack
In general, nothing. Never reply to a phishing email, ever. Responding lets the sender know it has reached a real person, making you particularly vulnerable to additional attacks. If you get a phishing email, mark it as spam, which helps your email program know that it's not legitimate. Or send it to your trash folder.
If you are getting phishing emails at work using your corporate email, though, you should follow the procedures established by your company's IT department. Usually, IT will want you to forward these emails to a specific email address. This can help the company filter these messages more effectively and prevent other employees from falling victim to an attack.