Disclosure: Privacy Australia is community-supported. We may earn a commission when you buy a VPN through one of our links. Learn more.
How to Avoid Phishing + 3 Tools for Ultimate Protection
The Internet has come a long way from the wild digital frontier it was in bygone decades.
But even today, when too much of it seems to be controlled or surveilled, cyber-attacks like phishing scams and malware assaults are commonplace.
Phishing scams are some of the most ubiquitous types of cyber-attacks you might encounter, and they affect millions of people every year.
How can you recognize phishing scams, how can you avoid them, and what are some tools you can use to make your Internet surfing safer? Let’s tackle all these questions and more.
What is Phishing and How to Avoid It
Phishing attacks have been around since the Internet first became popular and accessible in the early 1990s.
But the actual term was only coined in 1996, when certain hackers began stealing passwords and accounts from America Online.
As you might guess, the term first came about because of the method by which the cyber-attacks took place; the hackers used email “lures” to “hook fish” or vulnerable targets in order to acquire their passwords and other important financial data.
Like fishermen reeling in catches, these hackers drew in unsuspecting victims by preying on their trustworthiness. In fact, the above example is a great way to understand phishing attacks.
They’re most commonly carried out because a hacker or some other cyber-criminal wants to obtain personal information from their target.
The information they might target can include:
- credit card information
- account passwords or personal details
- Social Security numbers
- bank account information
All of these can be used in order to steal the identity of the victim, to make purchases using their financial accounts, to outright steal money, or to perform other crimes.
How Do Phishing Attacks Work?
Phishing attacks almost always work through a lure and a hook. Although they began through using email services, phishing attacks can also be carried out through phone calls, fake websites, downloads, or technically even in-person soliciting.
The age-old scam of the traveling snake-oil salesman or grifter is, in practice, really similar to a modern digital phishing scam.
Those who carry out phishing attacks almost always represent themselves as reputable or legitimate people or organizations. They might masquerade as known cell phone or Internet companies, social media accounts for well-known celebrities, or as officials for well-loved brands.
The “phisher” will attempt to collect personal details from the target by simply asking for them, banking on the fact that the victim will trust their name, social media account, or even tone of voice. The phisher will promise monetary rewards, bonuses, prizes, or any other kind of incentives in order to get the target to open up.
Once they have the information they need, they’ll drop the victim and make off with it.
What Are Some Phishing Examples?
There are several classic examples of a phishing attack you can use as reference if you aren’t sure if you’re seeing one.
For instance, you might receive an email from a web address or sender that looks very close but not exactly identical to the web address of a well-known company: for instance, “Ama-zon.com”.
The email will be totally fake, but it might look very similar to an official email you might get from the legitimate Amazon company. When you click on one of the links within the email, the page will be set up to reflect what you’d expect.
However, this email will usually have a hook in order to get people to click various buttons or input their personal information. For instance, they might advertise an unbelievable deal on certain technology or popular items.
Credit Card Phishing Scams
When you put in your credit card information to buy the item and click “buy”, what you’ve actually done is given that credit card information to the owner or creator of the email address. Now they have your financial information and can make purchases using your credit card… at least until you figure out what happened.
Another example could be a text message scam. Receiving a text message from a number you don’t recognize out of the blue, advertising a fantastic deal or free shipping on a type of product you purchase regularly, is indicative of a hook.
By sending in your credit card information, the hacker might get enough of it to break into your other secure accounts, likely by asking for “PINs” or other secure details.
What Are Some Types of Phishing Attacks?
Phishing attacks can show up under a handful of major categories or types.
As the name suggests, these types of phishing attacks are mostly concerned with getting your financial or identity credentials. These include your credit card information, Social Security number, or passwords to various secure accounts.
Most phishers will trick you into giving these passwords by sending you deceptive links or by directing you to webpages through your email that look like services you can reach through other means. For example, they might tell you to click only the link in the email.
Regardless of the exact form of the phishing attack, there will be a field for you to type your password or other identifying information. Never do this unless you’re sure the email is legitimate.
These creatively named phishing attacks are targeted toward individuals whose information is already partially learned by the hacker in question. They use the information they’ve already gathered through other means in order to make the phishing scam seem more legitimate.
As an example, they might passively gather from your social media information that you have two children. Then they might write an email about getting nice pictures for your kids from an event that happened when they were in school.
If you were to click on this email, you would actually provide a window into your computer through which a malware bug or another virus could silently insert itself.
These types of phishing attacks comprise any phishing scam that has the hacker impersonate a legitimate business or person. Many of them will have very well-made scam emails or websites and will use well-written language and a convincing personality to try to trick the target into providing their information.
They may also combine this type of attack with spearphishing, such as trying to impersonate someone from your family or your work.
These phishing attacks are restricted to CEOs and their employees. In a nutshell, whaling (also called CEO fraud) happens whenever a top executive or leader of a company has their personal information compromised and their identity subsequently assumed.
Then they can order employees to send funds to certain accounts, to provide in-depth information about the company, or to ruin company finances.
Another example of this type of phishing attack occurs when high-profile celebrities, politicians, or other individuals have their accounts hacked. Such hackers can often cause inordinate amounts of damage through these scams because of the unequal amount of social weight and financial power that such people usually have.
These types of phishing attacks rely on software utility collections that you download by mistake, such as by clicking on a pop-up link or clicking on a link from one of the scam emails detailed above.
After clicking on one of the buttons, the phishing kit will automatically install on your computer, then potentially even hijack your computer to send out more phishing emails to further potential victims.
They may also use the software to gather information about your identity surreptitiously, which can later be used to blackmail you, to hijack your bank or personal accounts, or more.
Pharming phishing attacks operate by redirecting your web browser to a malicious or vulnerable website, usually through hijacking your DNS.
This can force you to visit certain websites and can arrest all of your Internet mobility, making some people feel like they have to give in to the hacker’s demands.
A final common form of phishing involves the scammer pretending to be a login page for a major website or online service, like Amazon, Gmail, and more. People provide their passwords and personal information, which the hacker can then use at the legitimate version of the website they are impersonating.
How You Can Protect Yourself
Although the threat of phishing attacks is widespread and chances are high that you’ll eventually encounter at least one sooner or later, there are plenty of ways in which you can protect yourself.
How Do You Recognize Phishing?
The best way to stop yourself from falling to a phishing scam is to recognize them when you see them. Although hackers who perform these attacks spend a lot of time trying to perfect their illusions, it’s almost always possible to see through them.
You can normally recognize phishing scams, whether they are delivered by email, phone call, or text message, by noticing:
- incorrect grammar or poor spelling. Many people who carry out phishing attacks come from countries where English is a second or third language, and they may make mistakes
- if they address you by either extremely generic or extremely friendly terms (i.e. “hey you” or “hello, dear”). Legitimate companies will almost always use either your first name, your first and last name, or a formal mode of address like Mr. or Ms./Miss.
- that the email, text message, or other communication threatens you in some way shape, or form. A very common type of phishing attack involves telling the victim that the FBI has a warrant out for their arrest, and that only by conveniently providing their payment information will the government look the other way. Additionally, lots of these threats are vague about what exactly you are in trouble for – they may say things like, “you know what you did”
- that the communication tells you a story, usually designed to pull on your heartstrings and promise a big reward if you undertake certain steps. The “Nigerian prince” meme is actually an example of a tried-and-(unfortunately) true phishing attack that people have fallen for in the past
Lastly, any email or text message you receive that gives you a strange feeling is probably a scam. Your brain is pretty good at noticing when things aren’t quite right. Listen to your instincts and never give out your personal information or bank account information if you aren’t 100% sure of the legitimacy of the site or email in question.
While spotting phishing scams before they have the chance to infect your computer or steal your information is great, there are also several tools you can use to take the weight somewhat off your shoulders.
Installing and regularly updating security software on your computer and your mobile phone is the number one way you can stop phishing scams from affecting you regularly.
Virtually every modern piece of security software has phishing filters that they use to automatically get rid of scam emails and other communications. A few might still slip through here and there, but good security certainly gets rid of the vast majority.
You can even get free antivirus like Total AV, which does a great job of protecting your computer without requiring you to spend a single cent.
Total AV provides fantastic speed without taking up tons of your computer’s memory, just by running silently and smoothly in the background.
It also constantly monitors your computer and email for adware, malware, and other types of cyber-threats. A remote firewall for extra security is also included. Even better, it’ll work on your mobile devices.
Many security software packages come with password managers as an additional bonus. These aren’t just convenient tools; they’ll automatically fill in your passwords and keep track of which sites the passwords belong to.
Password managers aren’t as easily fooled as human brains, at least in this case; they’ll often refuse to automatically fill in a password in a field that they think is suspect. You can use this warning to study an email or website more closely and determine whether it’s a phishing attack for yourself.
The best password managers also let you create randomized passwords more easily than usual. This means, in the event that someone does get a hold of a password, they can’t automatically use that password for all your accounts across the Internet.
1Password is a fantastic example of a great password manager virtually everyone should take advantage of. It’s pretty affordable at less than $40 per year.
1Password features several excellent tools like a travel mode to prevent the government from seeing personal information while you travel on vacation or for a business trip.
While reviewing 1Password we found that it can be plugged into most browsers and works with every major operating system. Biometric login requirements like face and touch ID are also offered.
Lastly, Google Drive is an invaluable tool to help you avoid suffering a phishing attack.
You can get Google Drive for free, and you can use it to send and receive documents from various sources.
Say that you receive a MS Word file. Instead of opening it straight on your computer, you can upload the file to Google Drive, which will turn the document into an HTML file.
Instead of opening it straight on your computer, you can upload the file to Google Drive (or any other online document reader), which will turn the document into an HTML file.
This prevents it from installing malware on your device, and it lets you examine the content without risking yourself or your computer.
The tools you use to protect yourself from phishing are important. But you can also use several strategies to both limit your odds of suffering from a phishing scam and to stop them from going too far. For instance, you should always be updating the antivirus on both your computer and your phone.
Set these automatically update if possible, as it’s easier than remembering it yourself. Because phishing scammers are constantly updating their strategies and bugs, antivirus companies are also in a constant digital arms race against them.
Only by receiving the updated definitions of malware bugs or new code that can help your software recognize phishing scams will these antivirus programs be at their peak efficiency.
Multi Factor Authentication
You should also protect all of your accounts using multifactor authentication. If you aren’t aware, this just means that it takes multiple forms of identity proof before you can log in to one of your secure accounts.
It’s definitely more time-consuming than just using a simple password for all your stuff, but it’s well worth it in terms of the security it provides.
Multifactor authentication can take many forms, including:
- a passcode that you receive from a text message or a special authentication app
- a scan of something unique to your person like your retina, your fingerprint or even your face
- security questions with answers that you come up with upon account creation
If possible, try to use multifactor authentication for every important account that has sensitive information or financial stuff hidden behind your protective barriers.
This way, even if a phishing scammer does get a hold of your password somehow, they won’t be able to get into your bank account without also having additional information (some of which may be impossible for them to get, like your fingerprint).
How to Secure Yourself Against Phishing
You can also be a bit proactive in your defense against potential phishing scams that might get through your antivirus filter. You can verify emails from senders pretty easily, like by calling the organization that the email is supposedly from.
The customer service representative on the other end of the line should be able to tell you whether it’s a scam or legitimate in a couple of minutes. You can do this with scam emails that are supposedly sent from your family members, too – it shouldn’t be hard for you to call up that family member and ask whether it’s legitimate.
Furthermore, you should only ever put your personal information into sites with an address that begins with “https”. This indicates that the website has SSL certification, which is an enhanced level of website encryption and prevents hackers from easily getting the personal information of people who log into the site.
Any online business worth your time and money should have this certification to begin with. You can also tell that it’s certified by a padlock symbol located in the address bar.
Lastly, it might be helpful to back up any data that might be sensitive on an external hard drive that you can disconnect from your computer. In the event that a hacker does make it on your hard drive, they might not be able to get what they’re looking for if your sensitive stuff is physically separate from the main device.
What If You’ve Already Responded to a Phishing Email?
If you’ve accidentally responded to a phishing email or you think you might have given your sensitive information to a phishing scammer, don’t panic quite yet. You should immediately go to identity theft authorities like homeaffairs.gov.au. This site will allow you to both report possible identity theft cases and help you recover your identity as soon as possible.
You can also run a malware scan with your antivirus program. The program may be able to detect a phishing bug currently in your system and delete it before it manages to do any harm. Of course, don’t answer any other emails or send any emails until you are sure the phishing situation is well under control.
How Can You Report Phishing?
You can report anything you think to be a phishing scam to the Australian Cyber Security Centre. They’ll take your report and also have information on file that you can use to educate yourself about modern phishing scam trends and strategies you might need to look out for.
All in all, phishing scams are a fact of life on the Internet. They’re something that will likely never go away given how easy it is for hackers to create them and how some people will always be susceptible to their schemes. However, just because phishing scams are here doesn’t mean you have to be a victim.
Following the above strategies and using the tools we mentioned will go a long way toward protecting your identity from phishers. Stay sharp and stay safe!