Phishing Scams in the Digital Era: How to Protect Yourself Online

People tend to believe that they cannot fall victim to a phishing attack, even though real-life situations have shown that anyone can fall prey. Here’s a typical example: a new CFO, let’s name him Shola, who recently got the job, receives a message from an email address that looks like the CEO’s. The CEO requests that Shola transfer some money from one account to another. Shola looks at the email and doesn’t suspect anything wrong with it. He is sure that the email is from the CEO. Since it is his first week at work, he wants to do his job by sending the money.

Meanwhile, Shola does not know that he is communicating not with the CEO but with a phisher. The attacker has transposed the CEO’s email from [email protected] to [email protected]. Making changes to an email address is very easy for attackers to do. Since Shola has just started the job, he is seen as a target for a cyber attack on the organisation. Had Shola sent the money, the attacker would have gone away with it. In the middle of the chaotic situation, however, the CEO walked up to Shola just to catch up with him, and Shola explained that he was about to send the money. Luckily, the CEO could resolve it, and no money was lost. This shows how tactical phishing attacks can be.

Phishing is a type of cyberattack in which attackers deceive individuals by sending persuasive messages via email, text, phone calls, or other communication channels. Phishing can be a great threat to anyone who uses the internet for different purposes. The sole aim of phishers is to gain access to the private information of their target, thereby exposing them to cyberattacks. It is a form of using deceptive means to get the attention of the target. Because those who perform this act are skilled, familiar information, such as previous mail, close relatives, and work information, can all be used to create an enticing email or initiate a call that appears to come from a genuine source. Sometimes, people are tricked into clicking on malicious links that can expose them to digital threats. Phishing can happen to anyone, in the workplace or in their personal life. Phishing works in different ways but with a singular objective: to get people’s personal information for digital fraud. Below are the different kinds of phishing.

Types of Phishing 

Email Phishing: This happens when phishers design an email bearing the name, signature and identity of a reputable organisation to deceive people into making a decision about an opportunity. To some people, this familiarity makes the message look legitimate. Also, some of the mail comes with a sense of urgency, demanding either a payment or the completion of a required form. Another way email phishing works is by cloning a legitimate message previously received by users and sending a dubious duplicate. A typical example of this is an email that claims a Google Doc has been shared with the user, with an instruction to complete it through a link. Most times, the link redirects to a fake Google login page, where, if the user logs in, the scammer can steal the user’s login details.

Sample of Email Phishing

Spear Phishing: This is a type of phishing that targets a specific individual or group of people using details gathered in advance about their relatives, place of work or any other information.

Sample of a Spear Phishing

Whaling Phishing: This is commonly targeted at high-level officials and senior executives. To be successful, carrying out whaling phishing requires a subtle approach that is beyond URLs and malicious links. The image below represents an example of whaling phishing. 

Sample of a Whaling Phishing

Angler Phishing: Angler Phishing is another example of phishing in which phishers act as customer service agents on social media. Phishers try to provide support for users based on their complaints, which are accessible online. 

Sample of Angler Phishing

Voice Phishing: This is achieved by making a call and impersonating a known person or company to deceive users. The phishers most of the time keep the user on the call to urge them to take action or wait till they reveal sensitive information. 

Why Does Phishing Work?

  1. Limited understanding of computer systems: Many internet users have limited knowledge of how operating systems work. Phishing takes advantage of this limited knowledge, which leaves people unable to distinguish between real and fake websites. For instance, some users cannot tell the difference between legitimate URLs and fake ones. E.g. www.paypal.com (Real) and www.amazon.com (Real) are the official websites for both organisations, while any other related website is fake.
  2. Insufficient awareness of cybersecurity practices and threat indicators: Many users lack understanding of key security cues and warning signs. For instance, many users do not know what the closed padlock icon in the browser signals. It helps to certify that the page being viewed is secured by Secure Sockets Layer. Users may be misled by the presence of this icon displayed within the webpage content.

How to Spot Phishing 

  1. Urgent call to action or threats: Most phishing comes with an urgent instruction to the user, either to click on a link or to submit sensitive information.
  2. Spelling and Grammatical errors: Unlike formal organisations, where an editorial team is available to verify all of the organisation’s communications, phishers often fail in this aspect by sending messages that contain either wrong spellings or grammatical errors. Meanwhile, the availability of AI tools has made their messages look more genuine. Phishers can easily use AI tools to improve their writing, which can convince users to fall prey.
  3. Generic Greetings: Phishing messages often address users with Dear Ma/Sir, which is quite different from a personalised message a user could have received from their respective organisation. 
  4. Inconsistent email domain names: An email from a reputable organisation will always carry its name as the domain. Seeing an email with a Gmail address should signal to the user that it is suspicious.  
  5. Unfamiliar links or unsolicited attachments: Once a message containing unfamiliar links and attachments is discovered to be a scam, it is advisable not to click on them. 
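The check in item 4, applied to the kind of transposed sender address from the Shola example, can be automated. The following is an added example, not part of the original article; the trusted domain, the free-mail list and the sample addresses are constructed placeholders.

```python
from email.utils import parseaddr

# Assumptions (constructed): the organisation's real mail domain and a small
# list of free-mail providers. Replace both with your own values.
TRUSTED_DOMAINS = {"example-corp.com"}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com"}


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Two neighbouring characters swapped counts as one edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'free-mail', 'lookalike' or 'external' for a From header."""
    # parseaddr discards the display name, which the sender controls freely.
    _, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if domain in FREE_MAIL:
        return "free-mail"
    # Close to a trusted domain but not equal: the near-miss pattern.
    if any(osa_distance(domain, t) <= max_distance for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "external"


if __name__ == "__main__":
    samples = [  # constructed sample headers
        "Chief Executive <ceo@example-corp.com>",
        "Chief Executive <ceo@exmaple-corp.com>",
        "Chief Executive <ceo.example.corp@gmail.com>",
    ]
    for header in samples:
        print(f"{classify_sender(header):10} {header}")
```

A "trusted" result only means the domain text matches; a From header with the exact domain can still be forged, which is what SPF, DKIM and DMARC results are for.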

What to do to Safeguard Yourself against Phishing?  

  1. Update Security Software Regularly: To protect your computer or phone against any form of cyber threats, it is necessary to update the security software regularly.  This will prevent the phishers from getting into your system. 
  2. Use Strong Passwords and enable Two-Factor Authentication (2FA): Using a strong password can limit the rate at which phishers get into your system. However, a strong password can also be vulnerable to hackers. This is where two-factor authentication comes into play. It will add another layer to the security of the account. 
  3. Do not open the email: Once an email is discovered to be a phishing email, it is best not to open it to prevent the user from being a victim through the attachments or links provided. 
  4. Be on alert: Having a mindset that anyone can fall prey to phishers’ techniques will significantly enhance your self-awareness of cyberthreats. 
  5. Be cautious: It is important to be cautious when handling sensitive mail information. For instance, instead of clicking on suspicious links in email messages directly from the mail, the URL can be copied and opened on a web browser so as to confirm the legitimacy of the site.
  6. Avoid placing trust in messages that use fear or urgency to get your attention: When you receive messages urgently demanding sensitive information from you, delete them without hesitation and then confirm with the respective organisation whether they are the ones who initiated the message.

Key Takeaway

In today’s digital age, phishing scams remain a persistent and evolving threat which anybody could fall prey to. From emails and calls to social media and fake websites, attackers use sophisticated tactics to exploit human vulnerability. However, there is good news, and it is that awareness and vigilance are potent tools in combating these threats. Therefore, by understanding how phishing works and taking proactive steps like verifying links, using strong passwords, and staying informed, users can significantly reduce their risk of falling victim. Monsur Hussain, innovation team lead at the Centre for Journalism Innovation and Development, shared his view from an organisational perspective. He noted that workplaces should foster a culture of verification and scepticism by empowering employees with regular training on cybersecurity. Additionally, regular phishing tests should be carried out to help employees develop a consistent habit of caution. 
