Verified by Psychology Today

Law and Crime

Yes, You Can Be the Victim of a Phishing Attempt

Phishing attempts are becoming more sophisticated, so it helps to be cautious.

Key points

  • Phishing attempts are increasing and becoming more complex.
  • People who are not technologically savvy, such as the elderly, and people who don't speak English tend to be more vulnerable.
  • Victims of phishing attacks should change all passwords and contact their bank and credit card company if financial information was revealed.

You've probably experienced phishing. We all have. It typically involves e-mails that show up in your Inbox, supposedly from some reputable source that you have dealt with before, and usually with a subject heading warning about some dire event that will occur if you don't ACT NOW!

Whether it's purportedly from the government warning you about delinquent taxes, from your email provider warning you that your account is about to be suspended, or some online business demanding payment for something you never bought, the solution seems simple enough: just click on the helpful link provided in the post that will take you to some official website.

Except, of course, what the link actually does is take you to a spoofed (fake) site where you will promptly be asked to enter account information or other personal details (social security number, ATM PINs, credit card number, etc.). Once phishers get this information, there is literally no limit to what they can do to your legitimate accounts, financially or otherwise.

The main reason that phishing attempts are so common is that they work all too often. And it's hardly limited to email since phishing attempts can be made by text messages, official looking snail mail letters (yes, there is still mail fraud, quaint as it seems), and, especially for seniors and immigrants, voice calls purporting to be from the government. I've personally received a half-dozen calls, supposedly from Canada's Revenue Agency threatening me with jail for unpaid taxes, and I can only imagine how frightening such calls can be for people with limited English skills or education.

Phishing Attempts Are Becoming More Common and More Sophisticated

And the problem isn't getting better. According to the latest "State of the Phish" report, nearly 90% of organizations experienced targeted phishing attacks in 2019, 84% reported SMS/text phishing (a.k.a. smishing), 83% reported voice or VoIP phishing (a.k.a. vishing), and the volume of reported e-mail increased 67% over the previous year.

Not only does the soaring number of phishing attempts mean increased danger of becoming a victim, but people have become naturally more suspicious of Internet commerce in general due to often legitimate fears about whether even official looking sites might lead to a phishing attack.

Almost inevitably, phishing attempts have become increasingly more sophisticated in targeting potential victims. That means that the old brute-force approach has given way to much more advanced techniques. These include:

  • Business E-mail Compromise (BEC) occurs when cybercriminals send emails to lower-level employees in a company's accounting or finance department. Apparently sent by a company executive, manager or supervisor, the email prompts the targeted employee to send company funds to a bogus account. Since most employees tend not to question their higher-ups in the company, this approach can be surprisingly effective. In 2019 alone, data from the FBI’s Internet Crime Complaint Center (IC3) showed 23,775 complaints about Business E-Mail Compromise attacks, resulting in more than USD 1.7 billion in losses.
  • Smishing (or "short message phishing") relies on text messages, which, by bypassing the spam filter completely, can often reach more potential victims than email phishing would. Similar to this is "vishing" or "voice phishing," which works much the same way with voice messages.
  • Spear phishing: Using keyword searching, spear phishing scams are aimed at specific victims to create a much more personalized scam. For this reason, they often appear much more legitimate than the usual broad-based phishing emails and, unfortunately, this can make them much more effective. A specific form of spear phishing is known as whaling in which email or text messages are sent to high-level executives in a company to trick them into revealing sensitive information for phishers to use.

Part of the problem with these different kinds of phishing is that they do not require any special expertise in computers or telecommunications. Phishing kits are often available that allow even complete novices to launch phishing attacks using pre-built phishing packages. There are also phishing-as-a-service sites allowing novices to hire more experienced phishers to do the actual phishing attacks for them.

Many Internet users are often caught off guard by the more sophisticated phishing attacks they might encounter, usually because they assume their antivirus software would protect them (it doesn't necessarily) or that they can recognize spoofed emails and websites (most can't). There also does not appear to be any real correlation between a person's level of sophistication when using computers and whether they will be fooled by phishers.

According to a recent study published in the journal Victims and Offenders, phishing attempts appear to be evolving towards a much narrower focus that might enable a much larger payoff than the standard "wide net" approach aimed at thousands of people. And the rationale for this is simple enough: Why cast a wide net to bring in many small fish when a much narrower and effective net might bring in the occasional "whale" providing a much bigger payoff?

And that payoff can come in many different forms. One prominent example of this is the Celebgate scandal of 2014. Through a series of spear phishing attacks aimed specifically at female celebrities (and some male celebrities), the perpetrator was able to collect computer security information using a bogus email "appleprivacysecurity." This led to over 500 nude pictures being obtained by accessing the accounts of the different celebrities. The pictures were later posted to an online imageboard.

What made this particular scheme work was that many of the celebrities contacted lacked the technical knowledge to realize that they were compromising the security of their online accounts. Since most breaches occur using a "front door" approach, i.e., opening an account after obtaining the password, spear phishing attempts use publicly available data to make an apparently legitimate email that is nothing of the kind.

How to Protect Yourself from Phishing Attacks

So how can people protect themselves? Sadly, this is much harder than you might expect. If you think you might be the victim of a scam, most cybersecurity experts recommend that you immediately change all your passwords and safeguard them carefully. This also means updating any sites you might visit frequently, especially if they provide access to sensitive information. Also, if the phisher has gained access to bank accounts or other financial information, immediately contact your bank and credit card companies to warn them that you might have been the victim of fraud.

It's also advisable to run a full system scan on your computer with antivirus software from a reputable company (you have been doing that regularly, right?). Some phishing sites might download malicious software onto your computer to track all future activity.

Perhaps most importantly, be alert for any potential fraud directed against a family member or friend who might not be as computer-savvy as you are. That includes elderly parents or recent immigrants who tend to be regularly targeted by phishers because they are more vulnerable.

Unfortunately, as phishing scams become more sophisticated, dealing with them becomes harder than ever. Though there are technological solutions that show some promise, including developing machine learning algorithms to catch phishing attempts as well as multi-factor authentication requiring two or more pieces of identification to access an account, all it takes is a momentary lapse in judgment for a phisher to get through and embroil their victims in a financial and legal nightmare that can take years to overcome.

For now, it helps to be extremely cautious whenever you are approached by someone you don't know, because they are probably out to get you.

References

Ghazi-Tehrani, A. K., & Pontell, H. N. (2021). Phishing evolves: Analyzing the enduring cybercrime. Victims & Offenders, 16(3), 316–342.

More from Romeo Vitelli Ph.D.
More from Psychology Today