While some types of spam are relatively harmless (if irritating) bulk advertising, there are other, more malicious ones that people will use in attempts to steal personal information or otherwise wreck computers. These types of spam are commonly known as phishing scams. We'll explain what these are, and how to protect yourself against them.
What is phishing, and what are phishing scams?
The term "phishing" comes from a hacker-influenced corruption of the word "fishing". And, just as the goal in real-life fishing is to use bait to lure fish into being caught on your hook so that you can eat them, mount them as trophies, or just brag about them and then throw them back in the water, a phishing scam works in much the same way. It uses some type of enticement or urgent request, usually conveyed through email, as bait. It then lures people into giving up personal information, or downloading viruses or spyware that steal their personal information and/or damage their computer.
The "bait"
The type of "bait" that phishing scams use can come in various forms. Some, like more general forms of spam, advertise debt relief services, weight-loss solutions, get-rich-quick jobs, and other products which are often "too good to be true". Others warn you about a problem with a bank account, website account, or some other type of account that you use, and tell you that fixing the problem requires that you give up personal information. Still others claim that you have been selected to enter or win some kind of contest.
Often, part of the bait is that the phishing scam will tell you that you need to act immediately. For instance, it may tell you that the product or offer it is supposedly advertising is only available for a limited time. Or, if it claims that there's a problem with one of your accounts, it may warn you that something much worse will happen to that account (such as it being shut down or possibly broken into) if you don't fix the problem quickly.
The "hook"
The "hook" in phishing scams can take different forms, too. Sometimes, a phishing scam will directly ask you to reply to the email with one that includes your personal information. This may even just be your email address; remember, most spam comes over automated mailing lists, not to you directly.
Others will require you to click a link to a website and then enter your personal information there. Sometimes, this website won't even give you a chance to enter your personal information, and will instead download a virus or spyware program to steal your personal information or otherwise wreck your computer. And still other phishing scams will require you to download a form or other computer file attached to them, which — again — likely contains a computer virus or spyware program that steals your personal information or damages your computer.
What is advance-fee fraud?
Advance-fee fraud is a popular type of phishing scam in which the perpetrator asks a victim to send them money to facilitate some sort of financial transaction. This could include the purchase of an item that the victim is selling, or the transferring of money into a secure bank account. The victim is promised payment for their goods or services, but instead the perpetrator makes off with their money, and perhaps also their banking information. We'll cover this type of phishing scam in more detail in our Advance-Fee Fraud article.
What is spear phishing?
Spear phishing is a special type of phishing scam, in that it doesn't go after random people in an attempt to steal their personal information or damage their computer. Instead, it is usually performed by someone with a specific goal or motive, and targets people within a specific company or organization. It works by sending employees fake emails allegedly from another employee or company partner. The goal is to steal an employee's identity information or clearance permissions, which the scammer then uses to impersonate them and/or hijack their computer. Then, the scammer attempts to gain access to restricted company information, which could include trade secrets, military intelligence, or payroll data.
As spear phishing is a targeted attack, you probably won't run into it as an individual Internet user. However, if you work for a company that deals with a lot of sensitive information, you may want to be aware of this type of scam so that you can avoid it while in the workplace.
How to prevent and avoid phishing scams
As scary as phishing scams can be, many can be avoided by following many of the same common-sense precautions that are used to deal with spam.
1. Use the same techniques as you do when checking for spam.
Often, phishing scams follow similar patterns to other types of spam emails. Look carefully at the contents of an email, including who it's from, to see if you can spot any of these giveaways for phishing scams:
-
"Too good to be true" offers or contest prizes
-
Numerous obvious spelling or grammar mistakes
-
Misspelled or otherwise odd-looking sender addresses or hyperlink addresses, or ones that you've never heard of before
-
Requests — either directly or indirectly — for personal information or money
One or more of these things in the same email should give you a clue that it's a phishing scam, and that you should ignore it. Be sure to look for these things in all emails that you get, even if they look like they're from someone familiar.
2. Never send personal information over email.
It's generally never a good idea to send any type of confidential identity-related or financial information over email, for at least two reasons. The first is that email isn't necessarily the most secure method of communication out there, which means that someone other than the person directly scamming you could intercept your email and get a hold of your info. The second is that many legitimate businesses and organizations actually have it written in their policies that they will NEVER ask for personal information or money over email, so you can safely pass off emails that do this as scams.
3. Don't interact with a phishing scam outside of deleting it.
Even if you follow tip #2 and don't directly reply to a phishing scam, there are some that don't need you to in order to catch you. Like other forms of spam, once you identify a phishing scam, just ignore it or otherwise get rid of it. Don't click on any hyperlinks within the email, and don't open or download any files attached to the email. Doing so could infect your computer with a virus or spyware program, which could mean that you end up getting your personal information stolen anyway, and possibly sustaining other damage to your computer.
4. If possible, report the scam.
There are some email clients, such as Microsoft Outlook, that allow you to mark emails as spam (or even more specifically as phishing scams), like so:
If you are able to do this, it is probably a good idea to do so. In addition to deleting the email and blocking further emails from whoever sent it to you, it may also help your email client develop better spam-detection rules that can keep the scam from even reaching other people who use the same email service. So, in that sense, you're not only keeping yourself safe, but you're keeping your email community safe as well!
Phishing Examples
"You won a prize" phishing
Notice that this one has an attachment which may be used to hide a virus, and the only content besides the subject line is an instruction that tells you to open the attachment. Who is the donation from? Why are they donating it to you? How are they going to get the money to you? There are too many unanswered questions for it to be a legitimate email.
"Too-good-to-be-true advertising" phishing
Notice that this one has a rather vague-looking hyperlink to a website, which may be one that gives you a virus or spyware program. It also even tells you how to get around your email client's system for classifying it as a phishing scam. Also notice that it has no subject line and a strange-looking sender name, which are both signs of a phishing scam or other suspicious email.
Well, that wraps up our general explanation of what phishing scams are, and how to keep yourself from getting "hooked" by them. We'll finish off this section by discussing a specific and very common type of phishing scam called advance-fee fraud.
