What Is Phishing: Understand Cyber Threats and Prevention

It’s only natural to trust a familiar person, company, or brand that you know. But what if an email or text arrives from an imposter who is pretending to be someone you know? Can you trust every link that seems to come from a familiar source?

Many people fall victim to a tricky type of cybercrime called phishing, which has been around since the early days of the internet. Phishing attackers trick victims into giving them data or access to their accounts or their device. If an attack is successful, fraudsters can steal money or identities and even take control of a device.

If you want to avoid becoming a phishing victim, it helps to understand how — and why — phishing works. A little understanding can go a long way toward protecting your personal and financial data.

How Does Phishing Work?

Fraudsters can buy or steal your email or phone number. They can then send you messages that seem to come from trusted companies asking for personal information. Their messages can look exactly like real emails and websites. The messages may contain urgent warnings to make you click quickly on a link they provide.

If you click a link without thinking, phishing software can load malware (a damaging program or virus) that can harvest data from your computer or mobile device. Another tactic is to get you to provide your account numbers, identifying information, or other data on a web page that looks legitimate. After criminals get your information, they can use it to steal your identity and your money.

These are some common types of phishing attacks:

• Email Phishing: A scammer sends an email pretending to be a reputable bank or company.  The email often includes a link to a fake website.
• Spear Phishing: People or organizations receive an email that is designed specifically for them, based on detailed research. The message is personalized, so it’s more convincing.
• Smishing or SMS phishing: Victims get a text message that persuades them to provide their login information or click a link that installs malware.
• Vishing, or voice fishing: A real person calls victims by phone and convinces them to share personal information.
• Clone Phishing: Cybercriminals create a convincing copy of a legitimate email, but with malicious links.
• Whaling: High-profile company employees, such as executives, receive a communication that gets them to reveal sensitive information or give up money.

Criminals who use phishing take advantage of two things: human feelings and outdated technology.

How Phishing Uses Social Engineering

Phishing attacks that target human emotions use social engineering. Social engineering is a tactic that plays on feelings like trust, opportunism, and fear to get victims to take action.

Attackers know they have a better chance of success when victims feel urgency, sympathy, familiarity, or a relationship with the sender. An attacker might pretend to be a well-known retailer or local utility. For instance, they might send an email that appears to come from Amazon or Google and asks you to verify account information. In these cases, the attacker is “spoofing” the well-known company. Spoofing is a common tool used in phishing attacks.

The goal is to not raise the victim’s suspicions and to trick recipients into taking action quickly, without thinking. For this reason, many employers have rules that prohibit employees from opening external links and unusual emails. Data breaches, in which fraudsters steal large amounts of customer or patient data, can occur if malware infects a business or organization’s computer system through social engineering.

What are the signs of social engineering?

• Social engineering uses words to create a sense of urgency or fear. Techniques such as threats and free offers or promotions are common. For example, a phishing email may claim that if you don’t respond immediately, the company will close your account. Or it might offer fake rewards on a short deadline.
• Spoofed messages often request your username, password, or credit card details to “resolve” an issue. They ask for information that real government offices, utilities, banks, and retailers don’t ask for.
  • Messages may contain typos or awkward phrasing to bypass spam filters.
  • The sender’s address might resemble a trusted entity but with slight variations.
• Fake websites often mirror legitimate sites almost perfectly.  Phishing emails or messages may contain links that direct you to fake sites, where they hope you will provide your personal data.

To protect yourself, learn the signs of phishing. Individuals and businesses can take steps to defend against these threats if they understand the tactics used in phishing attacks. It’s crucial to stay informed to avoid falling victim to this type of cybercrime.

Defend Against Technology Gaps

Your devices have built-in protections against fraud, and service providers try to intercept fraudsters’ messages before they can reach you. However, phishing tactics are expanding almost as fast as protections, and it’s difficult to keep up.

Boost your safety by taking these steps:

• Accept updates to your operating systems and applications. The updates often contain security improvements to identify and block malware.
• Turn up privacy and security settings on your device, and pay attention when your operating system warns you that a sender is suspicious. Spam filters can help detect and block phishing emails, but staying vigilant is essential.
• Consider purchasing a subscription service that monitors the health of your device and scans for malware.

These measures can help block phishing threats before social engineering can even occur.

Recognize and Respond to Phishing

If you receive a phishing message, act quickly to prevent identity theft and financial loss.

• Look for poor grammar or misspellings in communications from a legitimate website or organization.
• Beware of urgent language meant to create panic.
• Be suspicious of requests for your financial information, passwords, or social security numbers.
• Always verify email addresses closely and check for mismatched URLs. If you are on a computer, use your mouse to hover over hyperlinks to verify their legitimacy.
• Investigate any links before clicking; malicious links often look real but may lead to a harmful site. Or better yet, go to the organization’s official site or platform to check on your account status.

If Phishing Happens to You

If a phishing email tricks you into clicking a suspicious link, take action immediately.

• Disconnect your device from the internet to stop further data transmission.
• Change your passwords, focusing on financial websites first.
• Report fraud to your financial institutions. To report to UFCU, contact Member Services at (512) 467-8080 or (800) 252-8311. Also see our web page about options if you have lost money.
• Enable security alerts on your accounts to monitor suspicious activities.
• Request and review your credit report on a regular basis. UFCU provides a way for you to do this easily through our Credit Coach program.
• Consider purchasing identity theft protection services to watch for misuse of your personal information.
• Report any incidents to law enforcement. Notify anti-phishing groups¹ and file a report with the Federal Trade Commission to help combat scammers.

Phishing is not only a cybercrime, but also breaks broader laws against fraud and theft. If phishing happens to you, report it so you can help stop it and bring cybercriminals to justice. The United States’ Computer Fraud and Abuse Act (CFAA) makes it illegal to access computers without permission, among other cybercrimes. The US participates in international partnerships to catch and prosecute cybercriminals, which is important because phishing often crosses national borders.

You can report an attack to local and national law enforcement agencies which jointly investigate reported cases and take action. For example, the Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) acts as a hub for reporting cybercrimes, including phishing.

If sentenced, fraudsters face financial penalties and even imprisonment, depending on the attack. These measures make sure that cybercriminals cannot continue to victimize people.

How Your Financial Institution Combats Phishing

Your security is one of our top concerns. Like most financial institutions, UFCU never requests sensitive information by phone or email. Our employees follow strict policies when verifying account ownership over the phone and at our branches. We provide a secure communication channel in our Online Banking and Mobile app.

You can immediately change your password on our site 24/7. Our Mobile app allows you to change your credit or debit card PIN and lock your cards whenever you choose. If fraud forces you to change your card number, replacements are available on a same-day basis at any branch.

We offer helpful articles (like this one) and other assistance to help you fight fraud and build good defenses for your data and your money. Working together, we can keep attackers far from your funds.

1 For example, https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams