
As an experienced IT expert with over 25 years in the field, I would like to help you protect yourself from one of the most damaging threats on the internet: phishing. Phishing is a type of cyberattack that uses deception to trick you into giving away your sensitive information. It can take many forms, from emails to phone calls to text messages. In this blog post, I will explain the distinct types of phishing and provide you with the knowledge and practical steps to protect yourself and your business.

Why is Phishing so Damaging?

Phishing is a serious threat because it can lead to identity theft, financial loss, and other types of fraud. Phishing attacks are designed to deceive you into thinking you are communicating with a legitimate entity, such as a bank via their website or social media, when you are actually interacting with a criminal. These criminals can use your personal information to access your accounts, withdraw your money, and even steal your identity. My hope is that after reading this blog, you will gain the security awareness and foresight to spot online scams and stay safe in the long term.

First, let’s talk about internet addresses

Before I can explain to you how phishing works, you need to know how to identify addresses on the internet.

Online addresses often refer to an email or website. Both contain a domain name, which is usually divided into two sections. First, at the end of the address, you’ll find an extension (the top-level domain). Common extensions are “.com”, “.co.uk”, and “.gov”, but there are hundreds of them, and new ones keep being added as the internet continues to grow: the more addresses new websites need, the more extensions have to be created. The other main part of an online address is the actual name of the website, which often refers to a company or organisation such as Microsoft, LinkedIn, Amazon, or HSBC.

However, not everyone realises that a further part can be added to the left of the website name. This is called a subdomain. To make this less abstract and give you a real-world example, let’s compare it to a normal postal address in the UK, for instance: 29 New Bond Street, London, UK (you’ll notice I’ve omitted the postcode since this is just an example).

Assuming you live in the United Kingdom, the end of your address would be ‘UK’. Similarly, if your website is based in the UK, there is a big chance that the extension would be ‘.co.uk’. The next line of your postal address would be the city or town, whereas on the internet it’s likely to be your website name. For this example, let’s use Microsoft.

For now, our address looks like this: microsoft.co.uk, while our postal address example looks like this: London, UK. Of course, with a postal address you need much more information to reach the right destination. What do you need next? A street address, of course, and this is what a subdomain is like for an online address. It is a further narrowing down of the address to indicate a specific place. For example, news.microsoft.co.uk indicates that you’re not just visiting Microsoft’s UK website, but their news page specifically.

So how do criminals utilise this to their advantage?

In short, they push the true domain as far to the right of your screen as possible, so that the familiar-looking part on the left is what you see and you are fooled into thinking you’re clicking on a legitimate web address. How? Well, if the address is very long it is often automatically truncated on screen, and only the part on the left is displayed. For example, if you receive an email that appears to be from your bank (or another legitimate source), the link may look like this when truncated:

Click here to access your bank’s website: www.hsbc.co……

However, if you hover your mouse above the link, you will see the full address and you’ll realise you’re being targeted by a phishing attack. It would look something like this:

www.hsbc.co.uksdkasdkal.kdlaskdapoiop.poiopiopioasdwdajk.some.random.website.jp

As you can clearly see, this website is not from HSBC at all: the real domain is the part at the far right, and its extension is not ‘.co.uk’ but ‘.jp’, which is Japan.

So, why did no one stop the owner of this website from doing this?

The truth is that the owner is most likely unaware that their website has been hacked and used for such purposes. When criminals gain access to websites, they try to hide their actions so that the legitimate owner does not notice and there is less chance of their access being discovered and removed. Now, let’s get back to our discussion of phishing attacks and their different variations.

Phishing Emails

Phishing emails, like the attack we described above, are one of the most common forms of phishing. They are emails that appear to come from a legitimate source, such as a bank or an e-commerce website, but are actually from a criminal. These emails often contain a malicious link or an attachment that, when clicked, can install malware on your device or take you to a fake website where you are asked to enter your login credentials or other personal information.

To protect yourself from phishing emails, you should always be cautious of unsolicited emails, especially those that ask for personal information. You should also check the sender’s email address and look for spelling or grammar errors in the email. If in doubt, do not click on any links or attachments, and contact the sender directly to verify the legitimacy of the email. One effective way to stop phishing emails from succeeding is to check the entire link or web address, not just the beginning, as described in the section above.
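As an added worked example (this is not code from the original post or from Operum), the following Python script applies the two checks described so far: read a link’s real domain from the right-hand end rather than the left, and compare the sender’s actual email address with the brand named in the display name. The short list of two-label extensions and the brand-to-domain mapping are constructed for illustration only; a real checker would use the full Public Suffix List, and the sample sender addresses are constructed (using the reserved .example extension).

```python
"""Added example: finding the real domain of a link or sender address.

Assumptions (not from the original post):
  - TWO_LABEL_SUFFIXES is a tiny stand-in for the Public Suffix List.
  - KNOWN_DOMAINS maps a brand name to the domain the reader knows is genuine.
"""
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed subset of extensions that take two labels (hsbc.co.uk, not co.uk).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "co.jp", "com.au"}

# Constructed mapping: brand as it appears in text -> its genuine domain.
KNOWN_DOMAINS = {"hsbc": "hsbc.co.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that was actually registered: the
    rightmost label plus its extension, e.g. 'hsbc.co.uk' or 'website.jp'.
    Everything to the left of that is a subdomain the owner can invent freely."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(link: str) -> str:
    """Extract the hostname from a link, tolerating a missing scheme
    (links in emails are often shown as bare 'www.' addresses)."""
    if "://" not in link:
        link = "http://" + link
    return urlparse(link).hostname or ""


def check_link(link: str, claimed_brand: str) -> dict:
    """Compare the real domain of a link with the brand it claims to be from."""
    host = host_of(link)
    real = registrable_domain(host)
    expected = KNOWN_DOMAINS.get(claimed_brand.lower())
    return {
        "host": host,
        "real_domain": real,
        "expected_domain": expected,
        "suspicious": real != expected,
    }


def check_sender(from_header: str) -> dict:
    """Flag a From: header whose display name mentions a known brand but whose
    actual address belongs to a different registered domain."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    real = registrable_domain(domain) if domain else ""
    claimed = [brand for brand in KNOWN_DOMAINS if brand in display_name.lower()]
    mismatch = any(KNOWN_DOMAINS[brand] != real for brand in claimed)
    return {
        "display_name": display_name,
        "address": address,
        "real_domain": real,
        "suspicious": mismatch,
    }


if __name__ == "__main__":
    # The link from the post's own example: it reads 'www.hsbc.co.uk...' on the
    # left, but the registered domain at the right-hand end is website.jp.
    long_link = ("www.hsbc.co.uksdkasdkal.kdlaskdapoiop.poiopiopioasdwdajk"
                 ".some.random.website.jp")
    print(check_link(long_link, "HSBC"))
    print(check_link("https://www.hsbc.co.uk/", "HSBC"))
    # Constructed sender headers: one genuine-looking, one a lookalike.
    print(check_sender('"HSBC Bank" <alerts@hsbc.co.uk>'))
    print(check_sender('"HSBC Security" <noreply@hsbc-secure-login.example>'))
```

The key design choice is that `registrable_domain` only ever looks at the right-hand end of the hostname, which is exactly why the long address in the post resolves to website.jp: no amount of ‘hsbc.co.uk’ text in the subdomain part changes what was registered. The same function works for the login-page checks later in the post, where the question is again whether the domain at the right of the address is the one you expect.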

What about the difference between spam emails and scam emails? Spam is interesting because there is no clear technological division between spam and non-spam: both can come from legitimate companies, and the only difference is whether the recipient finds the content relevant. If I am considering buying a product and I receive unsolicited messages about that product, there is a big chance I will not regard that email as spam.

On the other hand, emails about a product or service that we don’t need can automatically be categorised as spam. In many cases, of course, it’s our mailbox that does this job for us. Most of the emails it puts into spam deserve to be there, but every now and then a genuine email slips through, so it’s worth checking your spam folder occasionally just to be safe. However, you must be vigilant not to accidentally click on a link in a phishing email while doing so.

A massive red flag to look out for when reading any potential phishing email is a message that tries to convey a serious sense of urgency, for example “click on this link NOW to protect your bank account”. If in doubt, always speak to a trusted friend or colleague to check whether what you’ve read makes sense and looks legitimate.

Vishing (voice call phishing or voice phishing)

Vishing, or voice phishing, is a type of phishing that uses voice calls to deceive you into giving away your personal information. These calls often appear to come from a legitimate source, such as a bank or government agency, but are actually from a criminal. They may ask you to verify your personal information or even ask for your credit card number.

To protect yourself from vishing, you should be cautious of unsolicited phone calls, especially those that ask for personal information. You should also hang up if you are unsure of the legitimacy of the call and contact the organisation directly to verify the authenticity of the call.

The important part when dealing with voice phishing is to understand that the people behind these attacks will be very persistent. If they feel you are about to fall for their phishing attempt, they will be relentless. I have seen cases where vulnerable customers have been called hundreds of times over a period of hours or days. These criminals will simply not take no for an answer. One of our customers was bombarded for 3-4 days with calls every few minutes, all day and night; as a result, she eventually slipped up and disclosed part of her credit card number. Fortunately, our customer realised something was not right and acted before the criminal was able to empty her bank account. How could criminals be so brazen? They do it because they are usually based abroad and the risk of them being prosecuted (or even traced) is very slim, so they can be very bold in their attempts to trick and rob you.

Phishing Websites

Phishing websites are fake websites designed to look like legitimate websites. Some of the most common sites to be impersonated are banks and e-commerce websites. These fake websites are used to trick you into entering your personal information, such as your login credentials or credit card details.

To protect yourself from phishing websites, you should always check the website’s URL and look for spelling or grammatical errors like those I have mentioned above in the section about internet addresses. You should also never enter personal information on a website that you do not trust.

What you should do instead is to use a search website such as google.co.uk, bing.com or duckduckgo.com and look for the real equivalent or just type in the address that you know is correct. This is especially true for financial institutions or e-commerce sites.

Smishing (SMS or text message phishing)

Smishing, or SMS / text message phishing, is a type of phishing that uses text messages to deceive you into giving away your personal information. These messages often appear to come from a legitimate source, such as a bank or a government agency, but are actually from a criminal. They may ask you to verify your personal information or even ask for your credit card number. Smishing works in a very similar way to email phishing; the only difference is that instead of sending emails, the criminals send text messages.

To protect yourself from smishing, you should be cautious of unsolicited text messages, especially those that ask for personal information. You should also delete the message and contact the organisation directly to verify the authenticity of the message.

Whale phishing

Whale phishing, also known as CEO fraud, is a type of phishing that targets high-level executives in a company. These attacks are designed to trick executives into giving away sensitive information or transferring money to fraudulent accounts. Whale phishing attacks often use social engineering tactics to build trust with the target before asking for sensitive information.

To protect yourself from whale phishing, you should be cautious of unsolicited emails or messages that ask for sensitive information or financial transfers. You should also verify any requests for transfers or sensitive information with the individual or organisation directly, using a separate means of communication.

Whale phishing is more of a niche attack, but it is nevertheless very dangerous. The more targeted the attack, the bigger the loss can be. Hackers or Threat Actors (an industry term for a type of cyber-criminal) know that attacking a person with substantial wealth can be more lucrative than going after a larger number of people of average wealth.

Spear phishing

Spear phishing is a type of phishing that targets a specific group of people, such as employees of a company or members of a particular organisation. These attacks are often more sophisticated than traditional phishing attacks because they are tailored to the target’s interests or position. Spear phishing attacks often use social engineering tactics to build trust with the target before asking for sensitive information.

To protect yourself from spear phishing, you should be cautious of unsolicited emails or messages that appear to come from a colleague or a trusted source. You should also verify any requests for sensitive information with the individual or organisation directly, using a separate means of communication.

A good example we came across recently was from one of our customers. One of their interns received an email pretending to be from one of the senior partners. The message told the intern that they had an important meeting and needed gift cards to be urgently purchased for a customer because their personal assistant was away. This email didn’t contain any dangerous links, but it contained the name of a senior partner in the business.

This attack leveraged social engineering techniques by using the partner’s name, as well as an urgent and serious tone of voice, to put the intern under psychological pressure to agree to what might have otherwise seemed an unlikely request to buy hundreds of pounds worth of gift cards.

Microsoft 365 phishing

Microsoft 365 phishing is a type of phishing that targets users of Microsoft 365, a popular cloud-based productivity suite. These attacks often use fake login pages or other techniques to trick users into giving away their Microsoft 365 login credentials. Once the attacker has access to the user’s Microsoft 365 account, they can access sensitive data or launch further attacks. Frequently, users receive malicious emails containing what looks like a login form for the Office 365 portal. Unfortunately, and in part because of our busy lives, when we see a well-known page that appears legitimate, such as an Office 365 login screen, we often log in automatically without thinking, and by doing so accidentally grant Threat Actors access to our entire Office 365 account.

To protect yourself from Microsoft 365 phishing, you should always check the URL of the login page and make sure it is the correct address for Microsoft 365. You should also use multi-factor authentication to add an extra layer of protection to your account.

Social media phishing

Social media phishing is a type of attack that targets users of platforms such as Facebook or Twitter. These attacks often use fake login pages or other techniques to trick users into giving away their social media login credentials. Once the attacker has access to the user’s social media account, they can launch further attacks or steal sensitive data.

To protect yourself from social media phishing, you should always check the URL of the login page and make sure it is the correct address for that social media platform. You should also use multi-factor authentication to add an extra layer of protection to your account.

End of Part One

Okay, that’s a good place to stop for now. I hope you’ve found part one of our deep dive into phishing both interesting and eye-opening. In part two, we’ll explore how phishing can affect your business and, crucially, how to stop it! Click here to continue reading: How to stop phishing - Part Two.

If you’re concerned about cybercrime and cybersecurity in the meantime, please contact our friendly team of experts for help: Click here.
