Understanding and preventing phishing attacks

What is Phishing?

“Phishing” is a cyber scam that relies on fooling the victim into voluntarily disclosing confidential information or making a payment. Phishing is usually conducted via an email message that appears to be legitimate but links the victim to a malicious website.

The goal of a phishing attack is usually to steal login credentials to common banks, utility companies or social media sites. However, sometimes phishing attacks may be just the first step of a larger scam like ransomware. Individuals can become victims of phishing both at home and at work.

While phishing attacks are typically conducted against very large numbers of email addresses, sometimes phishing is aimed at a single individual. This is called “Spear Phishing.” Spear phishing attacks may be conducted in order to obtain the individual’s credentials or to get them to perform a specific action. For example, in a business setting, a spear phishing email that appears to come from the company’s CEO may ask an accounting manager to wire money to a “new contractor” or “supplier.” This is also known as a “CEO fraud” scam.

How does Phishing work?

Phishing is a very simple and very scalable attack. The attack begins with an email message that appears to come from a legitimate source. It may appear to come from your bank, asking you to confirm certain activity, or from one of your social networks, telling you that you were mentioned in a post. Here is an example of a phishing email message designed to look like a legitimate USAA bank email.

When the victim clicks the link in the phishing email, he or she is taken to a fake website that looks every bit like the real thing. The login form harvests the victim’s username and password and then forwards the victim to the real site, so as not to arouse suspicion. Normally, the victim has no idea their credentials were just stolen.

Today, phishing has become very technologically advanced and extremely simple to perpetrate.

How can you protect against Phishing?

While modern email spam filters capture a large volume of phishing emails, some still get through. These messages are typically more carefully crafted, and you will need to pay attention to the details in order to notice the red flags:

From field
Your email client may show only a person’s or business’s name in the From field. If you can’t see the actual email address of the sender, try clicking the name or selecting the “view headers” option, depending on your email application. Phishing emails will often come from email domains that do not match the domain of the company they are trying to “fake.” More advanced phishing attacks can spoof the From address so that it looks legitimate.

Salutation line
Phishing emails will usually have a generic salutation (for example, “dear customer”), while legitimate emails will usually address you by your name. This is because hackers usually don’t know the full name associated with the email address they are attacking. Even if they do, they will usually not go through the trouble of merging names into the thousands of email messages they are sending out. Of course, in case of a spear phishing attack, you can expect to be addressed by your proper name.

Links
The links are usually the most telling sign. Hackers need to lead you to a malicious website, so the URL in the link will tell the tale. Hover over the link or button in the email and observe what URL is revealed by your browser or email client. Phishing emails will point to URLs that don’t match the domains they attempt to fake. You may see a series of numbers or letters in the URL, or unfamiliar domain extensions (not .com or .gov). Some attackers will fabricate clever URLs that resemble the domain names of the sites they are attempting to fake.

One trick is to use sub-domains. For example, in the following URL, “www.facebook” is made up of sub-domains under the main site’s domain: Attackers may also use special characters and optical illusions to make the URL look like the legitimate domain name. For example, in, “r” and “n” together look like an “m”, but this URL is completely different from the legitimate URL for Commerce Bank.

Another common trick is using international domain extensions. For example, is not a Citibank website; it uses a Nigerian domain extension.

The best defense against phishing is to not click on links in email messages you were not expecting to receive. If you are unsure whether the message is legitimate, but it seems important, log on to the sender’s website directly (not via the link), or call them on the number published on their website.
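The From-field, salutation and link checks described above, as an added example that is not part of the original article: it parses a constructed message with Python’s standard library and assumes a list of the impersonated brand’s real domains (here example.com) is known.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample, not from the article: the display name claims to be a bank
# whose real domain is example.com, but the address and two links point elsewhere.
SAMPLE_EMAIL = """\
From: "Example Bank Alerts" <alerts@example-secure.net>
Content-Type: text/html

<p>Dear customer,</p>
<p>Please <a href="http://www.example.com.login-check.example/verify">confirm</a>
your activity or review <a href="http://www.exarnple.com/account">your account</a>.
Questions? <a href="https://www.example.com/help">Contact us</a>.</p>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)

def registered_domain(host):
    """Last two labels of a hostname: the part that sub-domains cannot disguise."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def link_flags(url, expected):
    """Red flags for one link, mirroring the URL tricks the article describes."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registered_domain(host)
    if reg in expected:
        return []                                   # points at the real site
    flags = ["link-domain-mismatch"]
    if any(f".{e}." in f".{host}." for e in expected):
        flags.append("subdomain-trick")             # brand name buried as a sub-domain
    if reg.replace("rn", "m") in expected:
        flags.append("homoglyph")                   # "rn" reads as "m"
    if reg.rsplit(".", 1)[-1] not in ("com", "gov"):
        flags.append("unfamiliar-tld")
    return flags

def red_flags(raw_message, expected):
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]      # real address behind the display name
    body = msg.get_payload()
    report = {"sender": [], "links": {}}
    if registered_domain(sender.rpartition("@")[2]) not in expected:
        report["sender"].append("sender-domain-mismatch")
    if re.search(r"dear\s+(customer|user|member)", body, re.IGNORECASE):
        report["sender"].append("generic-salutation")
    for url in HREF_RE.findall(body):
        report["links"][url] = link_flags(url, expected)
    return report
```

Calling `red_flags(SAMPLE_EMAIL, {"example.com"})` flags the sender and the two disguised links while leaving the genuine example.com link clean; a spoofed From address, as the article notes, would pass the sender check, so the link checks matter most.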
