Phishing Works


Phishing continues to be a significant part of the increase in identity theft. Phishing happens when a person or group masquerading as a trustworthy company, organization, or agency attempts to fraudulently acquire sensitive personal information such as usernames, passwords, and credit card or health insurance information.

Phishing Works

A recent study by Google and the University of California found that phishing is even more effective than was traditionally thought. The study found that on average, phishing sites work 14% of the time. What I thought most amazing is that the best-created phishing sites worked 45% of the time. The fact that almost 1 in 2 people are convinced by a fraud is an alarmingly high rate.

The best phishing sites work 45% of the time.

Part of phishing’s effectiveness is the constant news of new data breaches, like the information from one recent high-profile breach. Swindlers are able to create a situation where individuals think their account or personal information has been compromised. By using our fear of identity theft, they prey on our social conditioning to elicit a response to their fraudulent communications.

One of the most popular versions of the phishing scam is to make the emails appear as if they come from a trusted financial institution, like a bank or credit card company. According to Kaspersky Labs, 41.85% of July phishing attacks were related to financial companies or organizations.

While the content of the emails differs, the intended goal of stealing personal information is always the same. The entire swindle is predicated on the ability to make the communication seem like it comes from a trusted source.

Be Cognizant of What You Share Online

Phishing is also very popular across social media. Popular social networks, like Facebook and Twitter, actively fight phishing, but with the ease of creating an online account, it is virtually impossible to stop the attacks before they start. Some estimates claim as many as 1 in 5 phishing attempts are now coming through social media sites. According to a survey by the Identity Theft Resource Center, 54% of respondents on social media claimed to have been the target of an identity threat.

Targeted Attacks and Spear Phishing

Recently, a highly specialized version of phishing has been gaining increased prominence. Spear phishing is where the members of a group or organization are specifically targeted. This specialized form of phishing usually piggybacks on an event like a conference or trade organization gathering. Often thieves will glean data from social networks and then incorporate it into their phish.

Spear phishing can be 90% effective.

Unlike random phishing, the spear email will usually look like it is a follow-up from a recent event. Spear phishing can be extremely effective, with one industry analyst claiming up to a 90% effectiveness rate.

Phishing Requires Action From You

No matter what type of phish is used, they all require action on the part of the recipient. It is for this reason that typical phishing attempts will have multiple calls to action, with anything the recipient clicks on or responds to leading to the same result. The creation of a false sense of urgency allows the scam to be very effective.

By forcing action to be taken immediately, the perpetrators of the scam hope that people in this hurried state become careless. This is often done by mentioning that without an immediate response the person’s account will be suspended or closed. Carefully crafted phishing emails often have multiple actions. These actions can include requesting that information be downloaded, clicking on a link which leads to a fake website, or emailing sensitive information directly back to the sender of the email. Some of the more sophisticated phishing frauds even utilize a working toll-free number.

While the average Internet user knows not to click on spam, even a savvy Internet user can be taken in by a phishing scam. The most important thing is that you are vigilant. There are a number of ways to protect yourself from phishing attempts.

Protecting Yourself From Phishing

Don’t take any actions on questionable emails

This means don’t click any links, open any attachments, or download any files. If you are unsure whether the email came from a legitimate source, your best course of action is to contact the company or organization directly.

Check the URL of a link before clicking

Before you click on a link in an email, you can hover over the link and it will tell you where the link is pointing. You want to compare the link with the legitimate business or organization’s website. Scammers will often choose a URL that has a slight variation. A common example is using a website with a different ending (.net instead of .com) or one that contains an extra character.
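The same comparison can be automated for an HTML message. The following is an added example, not part of the original article: it lists where each link really points and flags hosts that differ from a trusted site only by their ending or by one extra character. The `TRUSTED` list, the sample message, and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: constructed allowlist of sites the reader really uses.
TRUSTED = ("examplebank.com", "example-card.com")

def classify_host(host):
    """Return 'trusted', 'unknown', or a 'lookalike: ...' reason."""
    host = (host or "").lower().rstrip(".")
    if any(host == g or host.endswith("." + g) for g in TRUSTED):
        return "trusted"
    # Simplification: treat the last two labels as the registered domain.
    domain = ".".join(host.split(".")[-2:])
    name, _, tld = domain.rpartition(".")
    for good in TRUSTED:
        g_name, _, g_tld = good.rpartition(".")
        if name == g_name and tld != g_tld:
            return f"lookalike: .{tld} instead of .{g_tld} ({good})"
        # Removing one character from the domain gives the trusted name.
        if any(domain[:i] + domain[i + 1:] == good for i in range(len(domain))):
            return f"lookalike: extra character ({good})"
    return "unknown"

class LinkExtractor(HTMLParser):  # collects (visible text, href) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_links(html):  # returns (visible text, real host, verdict) per link
    parser = LinkExtractor()
    parser.feed(html)
    hosts = [(text, urlsplit(href).hostname or "") for text, href in parser.links]
    return [(text, host, classify_host(host)) for text, host in hosts]

SAMPLE = (  # constructed message body, not a real email
    '<a href="https://www.examplebank.com/login">Sign in</a> '
    '<a href="http://www.examplebank.net/verify">www.examplebank.com</a> '
    '<a href="https://examplebannk.com/reset">Reset password</a>'
)
```

In the sample, the second link displays the genuine address as its text while pointing at the .net lookalike, which is the mismatch that hovering over a link reveals.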

Don’t communicate personal or financial information by email

The only way to transmit personal information is by phone or using a secure website. If you are not sure whether a website is secure, then it is better to err on the side of caution and only send the information by phone.

Be wary of emails with attachments

If you are not sure why the sender of an email has included an attachment, it is a best practice to delete the email or contact the sender about what they were sending. Attachments offer an easy way for hackers to hide malicious software or programs.

It is especially important to take note of the file’s extension. If you see an attachment with what looks like two extensions or one ending in .exe, then your first reaction should be to delete the email. Just clicking on an executable (.exe) file can cause the malicious software to install on your computer.
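A mail filter can apply the same two rules to every attachment name. This is an added example, not part of the original article; the list of document extensions, the sample message, and the function names are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: extensions a "document" name usually ends in (constructed list).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

def attachment_warnings(filename):
    """Return the warnings the two rules above raise for one filename."""
    parts = filename.strip().rstrip(".").lower().split(".")
    warnings = []
    if len(parts) >= 2 and parts[-1] == "exe":
        warnings.append("ends in .exe")
    # A document extension followed by a different one, e.g. name.pdf.exe.
    if len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] not in DOC_EXTS:
        warnings.append(f"two extensions (.{parts[-2]}.{parts[-1]})")
    return warnings

def scan_message(raw_bytes):
    """Map each flagged attachment filename to its warnings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        found = attachment_warnings(name)
        if found:
            flagged[name] = found
    return flagged

def build_sample():
    """Constructed test message with harmless placeholder attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "billing@example.com", "user@example.org"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    for name in ("invoice.pdf", "invoice.pdf.exe", "setup.exe", "scan.jpg.scr"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Names such as archive.tar.gz are not flagged, because the rule only fires when a document-style extension is followed by a different one.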

Identity Theft Insurance – Additional Layer of Protection

No matter how astute or aware an Internet user is, anyone has the potential to be victimized by a phishing scam. Being a victim and having your identity compromised can be the source of numerous headaches.

For this reason, some people choose to protect themselves with identity theft insurance. This type of coverage works to clean up the problems associated with identity theft. These types of policies vary in what they cover, so it is important to speak with an insurance professional about the particular details if you are interested.

About Kevin O’Brien

Kevin O’Brien is Client Services Coordinator for Willis Personal Lines, responsible for that practice's marketing…