Tactics Phishers Use to Target Tech-Savvy Consumers

If you’re knowledgeable about technology, you may not take phishing very seriously. When you hear about phishing attacks, you think of misspelled emails from people claiming to be Nigerian princes or long-lost relatives asking for money. However, phishers have gotten much more advanced in recent years, and while phishing scams used to be easy to spot, now they can be subtle enough to fool even the most tech-savvy among us. Keep reading to learn what techniques these sophisticated phishers are using, and how you can make sure you don’t fall victim to them.

Pretend to be from a trusted source

Phishing emails used to be designed to stand out, with lots of unnecessary capitalization and punctuation. Now, though, phishers try to make sure their scams blend in with whatever environment they’re in, which often means impersonating big companies or individuals to appear more trustworthy. Netflix and Google have both had fake versions of their services used to collect security and financial information from people, and in the Google case, the phishers used the Gmail contact lists of victims to spread the attack even further. The emails that delivered these phishing schemes were formatted to appear official and contained professional-looking copy, and the fake Netflix websites even put promotional photos for upcoming Netflix shows in their backgrounds to seem more legitimate. Perhaps even more importantly, the phishers behind these attacks made the subjects of their emails fairly mundane. The Netflix phish asked the recipients to update their billing information, and the Google phish just informed people that someone had shared a Google Doc with them. Those are fairly common emails to get, and their normalcy allowed them to trick large numbers of people into letting their guard down.

Add pressure

One psychological trick that some phishers use is to mention some kind of penalty for failing to do what the phishing message tells you to, often with an added time limit. For example, the Netflix phish mentioned above said that the target’s Netflix account would be suspended if they didn’t update their billing information within 48 hours. This ticking clock serves a couple of purposes, the first being to create a sense of urgency so that you act. Stress and pressure make you think less about negative consequences when you perform actions, which translates into taking less care to make sure that you aren’t clicking on a phishing scam. The other reason phishers like to encourage people to act fast is that phishing websites get discovered and shut down all the time. As such, many phishing websites are created with the short term in mind, with an average of 1.4 million created every month in 2017. When a phisher sets a deadline, their hope is that you’ll fall for the scam before the website gets shut down.

Exploit your assumptions

People who are good with computers know a few things they can check to identify a phishing scam, such as the sending address of an email, the hover-over domain of a link and the HTTPS encryption of a website. Unfortunately, phishers with the right know-how can manipulate all of these things, using your confidence in your own technological knowledge against you. They can spoof email addresses, making it appear as if their phishing email is coming from the official address of a company or individual they’re impersonating. Using JavaScript, phishers can also alter the domain you see when you hover your mouse over a link, or even embed malware in links that activate when you hover over them. Finally, HTTPS encryption, characterized by the green lock icon in the address bar, is becoming so widespread and easy to get that almost 25% of phishing sites are using it. Many people assume that the presence of HTTPS encryption means a website is safe, but it only means that your connection to the website is encrypted, and an encrypted connection to a website that steals your identity is still a connection to a website that steals your identity.

How to stay safe

The most important things you can do are to treat every link and message attachment that gets sent your way with skepticism, and to keep in mind that scammers are developing new tools all the time. Always err on the side of caution when it comes to entering personal information into a website or downloading something to your device, and if you’re in doubt, call the person or company you’re supposedly communicating with to ask for confirmation. Apart from that, start paying more attention to URLs when you’re on a website, as knowing how to read them can tip you off that you’re on a phishing page, and practice good fundamental security behaviors. Setting strong, unique passwords for every login (using a password manager can make this easier), enabling two-factor authentication whenever you can and keeping your software up to date can go a long way in keeping you safe online.
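Reading a URL the way the browser does is the check that survives the tricks above. The following is an added example, not part of the original article: `inspectLink` is a hypothetical helper, and the `.example` hosts are constructed samples. It parses a link with the standard `URL` class and reports which host it really points to and why it does or does not belong to the domain you expect.

```javascript
// Added example: decide which site a link really leads to.
// trustedDomain is supplied by the caller (assumption), e.g. "netflix.com".
function inspectLink(rawUrl, trustedDomain) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, the same rules browsers apply
  } catch {
    return { host: null, trusted: false, findings: ["unparseable"] };
  }
  const host = url.hostname.toLowerCase();
  // The real site is the END of the hostname, never the beginning.
  const trusted = host === trustedDomain || host.endsWith("." + trustedDomain);
  const findings = [];

  // Anything before '@' is login info; the host comes after it.
  if (url.username || url.password) findings.push("userinfo");

  // Non-ASCII look-alike letters are encoded as xn-- labels by the parser.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    findings.push("punycode");
  }
  // The trusted name used as a subdomain or path segment of another site.
  if (!trusted && (host.includes(trustedDomain) || url.pathname.includes(trustedDomain))) {
    findings.push("embedded-brand");
  }
  // HTTPS encrypts the connection; it says nothing about who owns the host.
  if (!trusted && url.protocol === "https:") findings.push("https-not-proof");

  return { host, trusted, findings };
}

// Constructed sample links, for illustration only.
const SAMPLES = [
  "https://www.netflix.com/YourAccount",
  "https://netflix.com@billing-update.example/login",
  "https://netflix.com.billing-update.example/",
  "http://billing-update.example/netflix.com/login",
  "https://nétflix.example/login",
];
for (const link of SAMPLES) {
  console.log(link, inspectLink(link, "netflix.com"));
}
```

Only the first sample is reported as trusted; every other link shows the expected name somewhere in the text while the parsed host belongs to a different domain.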
