Cyber Security Awareness Month (Cyber Month) is an internationally recognized campaign held each October to help the public learn more about the importance of staying safe online. This October, the focus is on phishing scams and how to fight back against them.
What is phishing?
Phishing is a type of online fraud that involves tricking people into revealing personal information or clicking on malicious links and is one of the most common scams affecting Canadians. During phishing attacks, criminals send emails or text messages posing as a trustworthy source to try to gather personal information such as login credentials, banking information, or credit card numbers. They may also try to install malware on your device or redirect you to a malicious website.
How does a phishing attack work?
There are basically three phases to a phishing attack.
Phase 1: The bait. The scammer tailors a message to look like a legitimate one from a trusted source, such as a bank or online retailer. Spoofing that trusted source, the scammer sends the message to many recipients, knowing that some will take the bait and fall for the scam. The message usually contains a call to take urgent action, like resolving an issue with an online account.
Phase 2: The hook. The victim believes the message is from a trusted source, clicks the link in the message, and is redirected to the scammer’s fake version of the real website. The victim enters sensitive information like their login credentials or credit card number, which is captured by the scammer. The victim’s device may also be infected with malware when they open a malicious attachment.
Phase 3: The attack. Now that they have the victim’s credentials, the scammer can access the victim’s account and, in the case of an email account, send more phishing emails to the victim’s contacts. If the victim’s device has been infected with malware, the scammer can steal even more data or lock access to their files until a ransom is paid.
How can you spot phishing messages?
While scammers have been perfecting their attacks, there are still some telltale signs that can help you identify when you’ve received a phishing message.
Something may be phishy if:
you don’t recognize the sender’s name, email address, or phone number
you notice a lot of spelling and grammar errors
the sender requests your personal or confidential information, or asks you to log in via a provided link
the sender makes an urgent request with a deadline
the offer sounds too good to be true
If you think you’ve received a phishing email, the keys to avoiding becoming a victim are simple: don’t reply to it, and don’t click on any links or attachments. If you’re unsure because the email looks like it’s coming from a trusted sender, like your bank or government, contact them using the information on their official website and ask them to confirm whether the message is legitimate.
While there isn’t a foolproof way to spot every phishing attempt, knowing how they work and the most common signs to look for can help you avoid becoming a victim of fraud. Trust your instincts and, if a message seems too good to be true or inconsistent with messages you normally receive from the sender, it’s better to delete the message than to respond to it. Checking with the sender to make sure a message is legitimate is much simpler than having to recover from identity fraud.