Chances are, your mobile device doesn’t have the same security defenses as your work laptop or desktop computer. That’s why it’s important that you, the end user, do all you can to protect yourself from cyber threats. This article will focus on phishing — how to recognize if you’ve been phished, how it happens and what to do about it.
How does phishing work?
Phishing is a type of social engineering attack hackers use to steal user data, including login credentials and credit card numbers. It occurs when an attacker masquerades as a trusted entity to dupe a victim into opening a message and clicking on a link. Once the link has directed the victim to a fraudulent website, the victim is then duped into entering their login credentials or financial information, which is funneled through to the hacker.
Phishing is a simple yet effective attack technique, which can provide the perpetrators with a wealth of personal, financial and corporate information. The aim and precise mechanics of the attack can vary, but they are usually centered around soliciting personal data from the victim or getting them to install malicious software that can inflict damage upon their device.
Phishing is not only very common — it’s also one of the most damaging and high profile cybersecurity threat facing enterprises today. According to the IBM 2023 Cost of a Data Breach Report, phishing tops the chart at 15% of all data breaches, costing organizations $4.76 million on average.
Phishing usually begins with a form of communication to an unsuspecting victim: a text, an email, in-app communication and more. The message is engineered to encourage user interaction with an enticing call to action. Perhaps the chance to win a new iPhone, a voucher for a free holiday or, more simply, the opportunity to gain access to a service like social media, bank accounts or work email.
In order to solicit personal information from the victim, the attacker will often lull them into a false sense of security by sending them to a legitimate looking webpage to fill in their details. This intel could either be used immediately to gain access to the service via the official site or the data could be harvested and sold on to others on the dark web.
Types of phishing attacks
If you’ve been phished, chances are the attack was delivered in one of these ways:
- Text messages: Also known as “smishing”, bad actors send users an SMS message containing a link to a phishing site, often with the intent to steal user credentials.
- Whatsapp: Also known as “whishing” and similar to smishing, bad actors send malicious messages in Whatsapp.
- Email: Email phishing can be to personal or corporate emails, and may an organization or website the user is familiar with. These emails may ask the user to log in to software they use, ultimately sending the user to a malicious but legitimate-looking site.
- Voice phishing: Voice phishing, or “vishing,” can involve spoofed numbers that appear as legitimate institutions. These attacks may use a text-to-speech program or a real voice, and are often used to obtain financial information from their victims.
- Spear phishing: These attacks are sent to a specific target and may be through email, text or other means. Bad actors may impersonate an individual the user knows, possibly asking for assistance or their personal information.
- Whaling: Whaling attacks target high-profile targets like CEOs or other executives. Bad actors may impersonate other executives to appear legitimate, eventually sending their victims to a spoofed site to harvest credentials.
- Social media posts and direct messages: Bad actors may use social media to reach their victims. Like other methods, this usually involves sending the user to a spoofed site to gather their information.
How to recognize a phishing attack
Hopefully, you’ll spot some signs you’re being targeted by phishing before you get to the point of handing over your valuable information. Look for:
- Unsolicited and suspicious messages, emails and social posts containing shortened links
- Web pages that ask for login credentials or other sensitive information
- Suspicious emails with uncharacteristic language
- Web pages with suspicious or copycat URLs
- Misspellings, special characters or grammar mistakes (though note that AI is helping bad actors improve in this regard and some sites and messages may look totally legitimate)
In the example phishing attempt below, the message includes a shortened link and a demand for action (as users would want to dispute a purchase they didn't make). The shortened link makes it difficult to vet its legitimacy, while the lack of obvious errors makes the attack less obvious. The best course of action would be to ignore the link and manually log into any banking or payment card accounts, checking to see if the purchase did indeed happen.
If you’ve been phished and handed over your information, there are some telltale signs that can help you figure out if you’ve taken the bait. Phishing attacks vary and because they are often packaged up with other threats, like as a way of delivering malware for example, the symptoms can be very broad. Here are some signs that a basic phishing attack has been successful:
- Identity theft
- Unfamiliar transactions
- Locked accounts
- Unprompted password reset requests
- Spam email coming from your account
What to do if you think you’ve been phished
So you’ve been phished, what now?
- Change all your passwords for the accounts that have been compromised as well as the accounts that use the same or similar passwords to those that have been captured by the hacker.
- If you entered your credit card information in the phishing page, cancel your card.
- Take your computer offline or delete your email account to avoid spreading phishing links to your contact lists.
- Contact the company or person that the phishing attack impersonated, if any — it might be your CEO, it might be a friend or it could be a major company or bank.
- Scan your device for viruses; clicking malicious links can instigate silent downloads of malware that corrupt devices without your knowledge.
- Watch out for warnings of identity theft and put a fraud alert on your credit account.
Proactive steps you can take to protect yourself
Mobile devices are particularly vulnerable to phishing attacks. Their smaller screen and on-the-go use makes it more difficult to closely inspect links for legitimacy, and users are often in too much of a hurry to do so regardless. Additionally, while many users download threat protection to their computers, less do so on their phones. This is why careful scrutiny is required.
The best remedy is prevention. Stay safe from phishing by following this guidance:
- Don’t click on suspicious links
- Don’t enter your credit card information into unknown or untrusted services
- If a link directs you to your banking website, open up your banking site in a separate window by typing the name in manually
- Don’t fall for more obvious scams that claim you’ve won a prize
- Check the address bar for suspicious or copycat URLs like my.apple.pay.com
Organizations can takes steps to prevent phishing on their corporate or BYOD devices, including:
- Training employees on phishing attacks and how to avoid them
- Implementing anti-spam filters so attacks don’t reach employee inboxes
- Using MFA to prevent stolen credentials from being used
- Deploying threat prevention software to block access to phishing sites even if they are clicked on
- Using password managers that auto-fill based on site domain (therefore not working on illegitimate sites)
- Keeping devices and software up to date
