Phishing is a cybercrime that uses various digital and
telecommunications modes to lure victims into revealing
personal or sensitive information. Cybercriminals contact
their targets by email, text messages (SMS & chats), call,
or other means to approach them, where these targets could
be ignorant individuals, groups, or large organizations.
Phishing by itself may not seem very damaging at first
glance, but it is all just a ruse to trick you. Based on the
type of phishing (social engineering) attack, the
cybercriminal can either deploy malware to the target
system/network, or extract information such as personally
identifiable information, banking, credit card details,
passwords, etc., which could be used for either identity
theft or financial gains. With the right security awareness
training, business owners and CISOs can avoid them easily.
What Is Phishing and How Can It Be Solved with Security
The word "Phishing" sounds like and suggests "fishing" where
bait is placed onto the hook to lure prey; similarly,
phishing attacks lure the target to click on a link, open an
attachment, provide their information, etc.
Phishing activities have been on a continuous rise since
2019, with 71% being motivated by financial gains. Security
experts have reported that out of all the breaches involving
phishing, 29% of them involved the use of stolen
credentials. Similarly, it has also been reported that 33%
of breaches involve the use of some or the other types of
social engineering attacks. It is common to assume that
these attacks don’t have much to gain from individuals, and
the money gained might not be worth the effort, but contrary
to these assumptions, the United States FBI’s Internet Crime
Complaint Center has recorded an approximate loss of $57
million to phishing attacks.
Security awareness training helps employees to identify
cyberattacks and prevent them from making usual yet,
6 Common Phishing Scams That Can Be Stopped with Security
Email Phishing: Email is one of the
prominent modes of malware delivery, with a report
94% of malware
is propagated through emails. Cybercriminals are posing
as legitimate organizations (i.e., your bank, e-commerce
website, NGO's, etc.), to send malware as an attachment
with a misleading file name (reward, coupon, invoice,
free app, etc.) or a link to a malicious site, which,
upon downloading and running the file, could lead to the
installation of malware on your device. The installed
malware could either encrypt all your data (ransomware)
and then the cybercriminals could ask you to pay ransom
to unlock or decrypt it; or it could exfiltrate all your
sensitive data (personal data, financial data, username
& passwords, etc.), which could provide them with
Spear Phishing: When cybercriminals
take the effort to personalize their phishing emails
through reconnaissance, it is called spear phishing. To
look less suspicious and increase the probability of you
taking the bait, cybercriminals get more information
about you from easily accessible sources such as social
media. As the probability of you opening an email from
known sources is higher, finding trivial but personal
information about you such as the institutes, websites,
or sources you follow, the company you work for, your
bank or financial institutes that you invest in, etc.,
could help them create a personalized phishing bait.
Spear phishing is surging in use, with
65% of cases using spear-phishing
as the primary vector for malware deployment.
Voice Phishing: This type of phishing
attack uses phone calls (hence, voice phishing or
Vishing), where the caller falsely impersonates a
legitimate organization and primarily intends to extract
personal and sensitive information such as bank account
number, username, password, OTP (one-time-password),
pin, etc. Using advanced methods such as AI (artificial
intelligence), cybercriminals carry out the attack more
effectively. For example, by recording and analyzing the
voice pattern of someone you know or are familiar with,
calls could be recreated with unlimited responses to
request and order an immediate transfer of the huge sum
SMiShing: SMS phishing or SMiShing,
involves the use of text messages to deceive people into
divulging their sensitive and financially damaging
information. It is said to be one of the oldest and
commonly known scams, where the threat actor targets
Social Media Phishing: This type of
attack uses social media sites to build trust between
the cybercriminal and the target. Some studies suggest
that social media helps establish a greater degree of
trust between people. The cybercriminal uses this to
perform a social engineering attack, where the fake
profile is created, the target is befriended, and
personal and sensitive information is extracted. The
cybercriminal could also spread malware as suggested
apps or executable files. Creating a fake profile is
said to be an easy task, and this could be supported by
the fact that in the year 2014, Facebook
found 14% of the profiles
on its platform to be fake.
Website Forgery: This type of attack is
said to be one of the most effective strategies against
individual users. As its name suggests, cybercriminals
create fake websites or modify the malicious website's
address bar to look exactly like the original site. In
some cases, the attackers used pre-existing flaws in a
trusted website's scripts to hijack that particular
webpage; these types of attacks are known as cross-site
scripting. Using these sites, the cybercriminal gains
personal and financial information of the user, which
the individual users provide by filling subscriber form
or payment card/net banking details.
How to Avoid Phishing Scams?
Individual users could prevent phishing attacks through
awareness, adopting and implementing some degree of caution
when performing digital activities (such as providing
personal or financial data), and using cybersecurity tools.
The most prominent methods that people could adopt to avoid
phishing attacks could be listed as:
Anti-Phishing Tools: Using
anti-phishing tools and software provides many benefits
and different features such as spam filtering, scanning
attachments, detecting phishing emails, blocking
suspicious identity, etc., to detect and prevent
phishing emails from reaching you.
Email Handling: Irrespective of whether
you have an anti-phishing solution installed on your
device, every user should analyze and confirm whether an
email is legit. This could be done using the following
Check if the sender is a known person, i.e., whether
the mail is solicited or unsolicited.
Check if the domain name (@xyz.com) belongs to the organizations it represents
Check if the domain name (@xyz.com) belongs to the organizations it represents
Think of the content if legit, i.e., if it's too
good to be true, then it might be spam
Do not open short links, hyperlinked text, or
buttons directly; moving the cursor over the link
gives you the actual URL; also, check for the domain
name and its spelling in the link.
Do not open any attachment unless you scan it; also,
do not open any attachment with unknown extension or
with .exe extension; no person or organization sends
executable files in the mail.
Vishing and SMiShing Safety Precautions: There exist multiple points that you could look out for
while dealing with suspicious messages and phone calls.
Use trusted applications that validate mobile
numbers and act as spam filters for
Do not share any personal information through
messages or on-call; there exist proper procedures
to submit such details.
Do not share a username, passwords, or
authentications pins with anyone on call or message,
even if the person claims to be from your bank;
receiving money does not require any authentication
password implying that OTP's are only to be used by
you and no one else.
If you suspect that the call is a type of robocall,
then try to ask additional and atypical questions.
Online Phishing: Whether it be social
media or malicious websites, there are some things that
you absolutely must not do, or at least tread carefully
while doing. Malicious sites contain multiple hints that
suggest it is not legitimate.
Do not share any personal or financial information
on social media platforms, even if you know the
other party personally, causing non-encrypted
connections to be vulnerable.
Always operate on secured websites; you can tell
whether a webpage is secure or not by looking at the
SSL certification, i.e., the lock symbol in the
address bar, which implies that the data transfer
between the site and your system is secure and
Similarly, also check whether the links have HTTP or
https, as https (Hypertext Transfer Protocol Secure)
links are more secure than HTTP links.
The immediate mitigations against any successful phishing
attacks require consulting a security expert or your
government body dealing with cybercrime, along with security
training and awareness programs, as only knowing about
Phishing theoretically may not be sufficient for you to be
able to differentiate between a benign and malicious email
when faced with an actual phishing email. Thus, it is
important to have practical experience in dealing with
The prevention of Phishing for a non-technical
person is improved with anti-phishing education
and awareness provided by many reputable
organizations such as Aware.