A Comprehensive Guide to Email Phishing Scams and How to Protect Yourself

Lyton atinga

You have probably, at one point in your life, received a fraudulent email or text message which appeared to be very legitimate, and you could not differentiate it from a fake one. Let me share with you my story. There is one particular time I had applied for a job from people who claimed to be from USAID. The job advert was extremely convincing and looked genuine. After about two or so weeks, I received a text message with the brand name ‘USAID-Amopath’ notifying me that I met all their requirements and had successfully secured a chance in their company.

There was no way I could tell that it was a scam. The text message that I received had no ’07-****’ number; it only had the brand name, ‘USAID-Ampath’. Who can doubt this? Two days later, I received an email from the said ‘organization’. Again, there was no way one could convince me that the job was not real. The email address looked authentic! It was not until they started asking me to pay some cash for training that I started smelling a rat. I was almost conned!

The above story is an example of a phishing scam. Phishing is fraudulent communication whose main aim is to obtain the victim’s credentials or other sensitive information, such as usernames and passwords, or to trick the victim into sending cash.

Most Common Types of Phishing Scams

  1. Deceptive Phishing

This is the most common type of phishing. The message normally has an urgent tone, or is designed to scare the victim into doing something the attacker wants, usually with the aim of stealing the victim’s cash, personal information or credentials such as username and password. The phisher impersonates a legitimate company. For example, you may get an email purporting to come from your bank asking you to verify your account details, or to rectify a discrepancy in your account.

After clicking on the provided link, you are led to a fake page where your details or money are taken.

How to protect yourself

  • Inspect all URLs carefully to see if they redirect to an unknown website.
  • Check for generic salutations, grammar mistakes or spelling errors in the email.

  2. Spear phishing

In this type of attack, the phisher spends most of his or her time profiling the victim, gathering the victim’s personal information from social sites such as Twitter and LinkedIn. The phisher obtains the victim’s full name, contacts and email address. This is done mainly to make the victim think there is a connection between him or her and the attacker, and to make the victim believe that the email is indeed directed at him or her personally. The attacker’s main aim is to lure the victim into clicking a malicious URL or attachment, which may end up stealing the victim’s credentials and personal data. It is often the first step in penetrating an organization’s defences to carry out a targeted attack.

How to protect yourself

  • Look for ‘alarming’ threats or ultimatums in the email.
  • Organizations should conduct ongoing employee security awareness training and discourage employees from publishing sensitive personal and corporate information on social media.
  • Companies should also invest in solutions capable of analyzing inbound emails for known malicious links and email attachments.

  3. Clone phishing

Some people refer to this as email-phishing scams. This is a type of phishing where the phisher creates a nearly identical replica of a legitimate message, with the main aim of tricking the victim into thinking it is legitimate and then conning them or stealing their personal data. Both the email address and the body of the email resemble the legitimate email.

The only difference is that the attachment or the link in the email has been swapped with a malicious one that redirects you to another page where you can be conned. The attacker may add a line explaining why the same email is being sent twice, for example claiming that this is the most up-to-date version. If the attacker succeeds in conning one person, he uses the same method on another person who had also been sent the original email, so that it appears more real.

How to protect yourself

  • Don’t click any links or download any attachments in a suspicious email. Instead, visit the website in question by typing its address into the URL bar yourself.
  • Be vigilant and pay attention. Phishers use spoofed email addresses similar to the legitimate ones; the address may be misspelled slightly or come from a spoofed domain.
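A defender-side check that automates two of the tips above (inspecting where a link really goes, and spotting a slightly misspelled sender domain) over a constructed sample message. This is an added example, not code from the article; the trusted-domain list, the sample message and the fleekbook-style names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not from the article): a lookalike sender domain plus link text that hides its real target.
SAMPLE_FROM = "notifications@fleekb00k.com"
SAMPLE_HTML = ('<p>Your account will be suspended within 24 hours. Please verify.</p>'
               '<a href="http://fleekbook-login.example/verify">https://www.fleekbook.com/account</a>')
TRUSTED_DOMAINS = ["fleekbook.com"]  # assumed allow-list of domains the reader really uses

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def edit_distance(a, b):
    """Levenshtein distance; a small value between two different domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_indicators(sender, html, trusted=TRUSTED_DOMAINS):
    """Return human-readable warnings; an empty list means no indicator fired."""
    findings, sender_domain = [], sender.rsplit("@", 1)[-1].lower()
    for t in trusted:  # lookalike check: close to, but not equal to, a trusted domain
        if sender_domain != t and edit_distance(sender_domain, t) <= 2:
            findings.append(f"sender domain {sender_domain} looks like {t}")
    parser = LinkExtractor(); parser.feed(html)
    for href, text in parser.links:
        if "." in text and host_of(text) != host_of(href):  # displayed URL differs from real target
            findings.append(f"link text {text} hides target {host_of(href)}")
        if urlparse(href).scheme == "http":  # credentials would travel unprotected
            findings.append(f"link {href} is not HTTPS")
    return findings
```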

  4. Pharming

This is a type of phishing that relies on domain name system (DNS) cache poisoning. The attacker corrupts the DNS cache used by the user’s computer or by the DNS server it relies on, so that the user is redirected to a fake page or site even when the correct URL is typed in. Normally, the internet’s naming system uses DNS servers to convert alphabetical website names, for example ‘www.fleekbook.com’, into the numerical IP addresses used for locating computer services and devices. The attacker poisons the DNS cache and alters the IP address associated with the website name, and when the victim is redirected to the fake site, his or her credentials and personal information are stolen.

How to protect yourself

  • Enter login credentials only on HTTPS-protected sites.
  • Install anti-virus software and keep its virus database current, and apply the security updates issued by a trusted Internet Service Provider (ISP) regularly.

  5. Pop-up warning scams

I’m pretty sure that you have occasionally bumped into pop-up advertisements at the bottom of your device’s screen while browsing. For instance, let’s say you are browsing a site selling cars. A pop-up message can appear, normally with content related to what you are viewing on that specific website, for example a pop-up advert for trailers. Upon clicking on it, you are taken to another website with similar content.

Malicious pop-ups designed by attackers, however, can be terribly intrusive, making it difficult to close the pop-up window. A message is then displayed stating that your device is infected with a virus, and asks you to enter your phone number so that they can help you remove it. With your number, the phisher can go on to exploit you in a number of different ways.

How to protect yourself

  • Examine the message closely for signs of fraud such as misspellings, bad grammar and unprofessional imagery.
  • Don’t click on the pop-up when in doubt.

  6. Whaling

Some people refer to it as CEO fraud. This is a type of phishing where the attackers go after a ‘big fish’ like a company’s CEO. The victim is normally of high value, and the stolen information will be more valuable than what a regular employee could offer. When the CEO’s credentials are stolen, you can only imagine the extent of the damage this can cause in the company. The main aim of this type of phishing is to steal data, employee information and money. The attacker, however, needs to do a lot of research on the intended victim, for example who he or she communicates with and the kinds of discussions they have.

How to protect yourself

  • Don’t give personal information over the phone; hang up, investigate whether the number is genuine and call the company directly to ascertain that it is a legitimate call.
  • Never call the number the caller provides.

  7. Vishing scams

This is also called voice or VoIP phishing; the ‘v’ stands for voice. It is the voice version of email phishing: a phone scam where individuals are lured or scared into handing over valuable financial or personal information to scammers. The approach is the same as in email phishing.

How to protect yourself

  • Don’t give personal information over the phone; hang up, investigate whether the number is genuine and call the company directly to ascertain that it is a legitimate call.
  • Never call the number the caller provides.
