What is Phishing?In this day and age, one of the biggest cybersecurity issues is phishing. Between last October and March of this year, experts found that instances of phishing have increased 250%, putting phishing activity at the highest level it’s been in 12 years, as reported by Infosecurity Magazine. Because phishing is one of the most successful cybercrimes, it’s not going anywhere anytime soon. Luckily, you can protect yourself by becoming familiar with what phishing is and how to spot the techniques most often used in phishing attacks.

What is phishing?

Phishing describes lots of different scams, but the hallmark of each is that it involves victims giving up personal information to scammers under a guise of legitimacy. These scams utilize some sort of digital communication addressed to a potential target, usually via email, to lure victims into compromising their device or identity. For example, phishers might contact you by email, pretending to be your bank, a social media site or some other institution you trust. They’ll often request that you click a link, which leads to a site they control, to “sign into” your account, or they’ll ask you to click on a malicious attachment that will install malware on your machine. Less commonly, they might ask for your information outright, using very convincing details to prove they are who they’re pretending to be.

The earliest phishing scams began in the mid-90s on AOL Instant Messenger (AIM) and were started by hacking communities, like those of today’s dark web. Since hackers “lured” and “reeled” victims into giving up credit card numbers by pretending to be AOL employees, the activity became known as fishing. The term was later combined with the word phreak, likely a reference the phone phreaking culture of the late 50s to mid-70s in which pranksters exploited technology, mainly telephone systems, for fun or personal gain. Since its birth, hackers realizing the potential of phishing, expanded their reach far beyond AOL.

Who does phishing affect?

The reach of phishing cannot be overstated, as it’s now a menace plaguing every level of society. We’ve talked before about common email scams and how they relate to phishing, and while email is the default communications medium for phishing, in all honesty any digital text based medium – like chat clients or text messaging (often called SMiShing or SMS phishing) – is conducive to phishing. Essentially, if you have an email address, cell phone, social media account or communicate online in any way, you are a potential target for any type of phishing.

Phishing techniques

While some may be familiar with the idea of phishing, what they may not realize is how many ways scammers attempt to target people. Below are a few of the other methods hackers use in their phishing attacks.

1. Pharming. Pharming is the manipulation of a legitimate website in a way that forces visitors to be redirected to another website (usually a scammer’s). You can think of pharming as phishing’s inverse — phishing forces the scammer to actively engage the user whereas pharming is a passive process where the user unknowingly comes to the scammer. In some cases, though, pharming is achieved by infecting a user’s computer or browser with malware. In order for a pharming to work, scammers have to use a series of techniques known as “website spoofing” which involves the meticulous recreation of a legitimate website’s appearance on another site. While phishing isn’t website spoofing, most forms of phishing rely on some form of spoofing to trick the victim into thinking the website is secure.

Combating pharming: Pharming is extremely difficult to prevent, especially if a computer infection isn’t the source of the problem. As such, the safest way to avoid pharming is to know what you’re looking for. If you’re on a site where you have to give up personal information or log into an account, check for a green lock near the address bar which indicates HTTPS encryption. If the website is a financial institution, it should also have something known as an Extended Validation Certificate, which most browsers display by showing the name of the company next to the green padlock. This means the site is not only encrypted, but that its owner’s identity was verified before the site was given the encryption. If you can’t verify the legitimacy of the site or don’t feel comfortable entering such information, you should contact someone you trust to confirm the legitimacy or hold off on using the site if possible. Another helpful tool you may want to consider is Internet security software, as it will alert you to a potential pharming site before you visit it and enter your information.

2. Evil twin. Aside from the name, evil twin attacks are no laughing matter. It’s a form of Wi-phishing (wireless or Wi-Fi phishing) and is most commonly done over public Wi-Fi. The evil twin is named so because it refers to a fake (malicious) hotspot imitating a legitimate one. A hacker can turn their device into a detectable hotspot in a public place like a coffee shop, and when people connect to the network, the hacker can monitor all of their activity. If the hacker is especially malicious, they can control what you see on the Internet, as they’re the intermediary between you and the World Wide Web. You can think of this as spoofing on a grander scale since every site you visit could essentially be replaced with a spoofed version by the hacker controlling the evil twin.

Combating evil twin attacks: First and foremost you should avoid public Wi-Fi, as you can never trust the legitimacy of it. Keep in mind that if you decide to use public Wi-Fi, there’s a chance you might have accessed an evil twin and not a legitimate hotspot — just because the network is called “Coffee Shop Wi-Fi” doesn’t mean it’s safe to use. If you decide to take the risk and use public Wi-Fi, be sure to only access sites that don’t require you to login or share personal information.

3. Malware and exploit-based phishing. Malware and various software exploits allow scammers to nearly duplicate the effects of the evil twin attack without you having to connect to their computer. For example, keyloggers allow your activity to be traced remotely. By getting you to click on malicious links that are sent to you via email, text message, online chat programs or social media sites, scammers have the ability to see everything you do, manipulate what your browser displays — which could be used to send you to spoofed sites — or install ransomware on your device.

Combating malware and exploit-based phishing: Most modern browsers have built-in malware protection to defend browser exploits, so make sure your browser is always up to date and that you’re using a browser with noted security features, such as Chrome or Firefox. In addition, you may want to consider investing in an Internet security software to reduce your chances of having infections that make you more susceptible to phishing.

This list is by no means complete, as the sophistication of cybercrime is always increasing and there are seemingly endless ways for scammers to attack unknowing victims. As frightening as this might sound, the key to protecting yourself is making sure you stay observant when using the web and practicing good cybersecurity habits, like not clicking on any unfamiliar links or connecting with anyone you don’t know on social media.

For more information about staying safe while on the web, keep reading our technology blog. And to learn more about options that can keep your computer safe, take a look at our Internet security software reviews.