Gone Phishing: How Phishing Leads to Hacked Accounts and Identity Theft

gone-phishingA user browsing their social media feed sees a link that supposedly shows an "exclusive" video that's related to a current hot topic. Clicking on the video link goes to a page with a pop-up window that requires the user to log in (again) with their social media credentials, or register with their email and other details on the site to view the exclusive content. After logging in, the user gets redirected again to another page that may or may not have anything to do with the viral topic, closes the window, and goes back to browsing.

That's a fairly common scenario these days, where links—either found on a webpage, a social media post, or an email—to seemingly interesting or important topics and promises of "exclusive" content lead to nothing but an endless chain of pages with registration or log-in requirements, pointless surveys, annoying pop-ups, and app or tool downloads. Anyone who uses the Internet on a regular basis has likely run into these types of links and pages, and if you've ever logged in with your credentials or gave out your details to get somewhere or see something, it might be a good idea to change your passwords now, because you could be a victim of a phishing scheme.

Have you ever lost access to an online account, had friends tell you that you just sent them weird emails, or found that "you" somehow posted weird, uncharacteristic content or spam links on social media, and wondered how it could have happened? You can trace it back to that time when you tried to follow an endless trail of links and pages—like a digital donkey following the proverbial carrot on a stick—but got nowhere.

Phishing has always been a popular way for online scammers and cybercriminals to trick users into giving out their personal information, such as log-in credentials, credit card and bank account details, Social Security numbers, and other important personal information. It is a form of identity theft—or at least one of the methods used to pull it off—wherein a scammer uses an authentic-looking page or email from trusted companies, such as online payment firms, banks, to lure unknowing users into giving out their information.

[More: Identity Theft and the Value of Your Personal Data]

The spoofed email message or website urges the recipient to click on a link to update their personal profile or carry out some transaction. The link then takes the victim to a fake website where any personal or financial information entered is routed directly to the scammer. The types of phishing varies from spear phishing, vishing (voice phishing), and Smishing (phishing by SMS/texting). Spear phishing is a method used to obtain information of targeted individuals, usually employees of large organizations. This tactic is used to gain access to a company’s crown jewels, and is a common component of a targeted attack. Vishing is the telephone equivalent of phishing, and a common social engineering method used to obtain a user’s information, while Smishing is done via SMS/text.

[READ: 9 Social Media Threats You Need To Be Aware Of]

Knowing about phishing isn’t enough. It’s critical to understand how it works and how it can affect you so you can avoid becoming a victim. There are many ways in which one can end up trapped in a phishing scam. Some of these tactics involve email, web-based delivery, instant messaging, social media, Trojan hosts, link manipulation, keyloggers, session hijacking, system reconfiguration, content injection, phishing via search engines, phone phishing, and malware phishing. These phishing techniques could be lumped into certain categories.

Phishing is also a popular tool used in social engineering. Before people were made aware of online scams, many would fall victim to these types of online threats. Remember the Nigerian (419) letter? Many, if not all online users have found this infamous email in their inboxes, and sadly, plenty have succumbed to this attack and replied with their personal and financial information. Here are some of the most common phishing tactics:

Email – one of the most common phishing lures is done via email. It could take the form of anything that bears urgency or distress. Phishing emails appear to be from a legitimate sender. To make it appear so, cybercriminals use forged logos, signatures, and text and use deceptive subject lines. The messages are attractive and often come with a promise, a prize, or a reward, in exchange for a registration or a log-in of some sort that gets the user's information or online credentials.

Websites – a typical phishing website comprises of genuine-looking content, similar domain names of the legitimate website, forms, pop-ups windows, and even fake IP addresses.  Cybercriminals use forms that are similar to legitimate websites to collect information from visitors. Additionally, scammers use scripts or HTML commands to spoof URLS to create fake address bars.

Social media – because of its popularity as a platform for sharing viral content, cybercriminals look for potential victims on social networks. They use catchy or viral come-ons that go to pages that require users to register, download something, or log-in with their social media accounts.

[READ: Cybercrime Exposed Part 1: The Security Risks of Phishing]

How to Avoid Phishing Scams

Let’s go back to the scenario illustrated earlier. Now that you know that phishing typically begins with opening links from messages or social media posts that are designed to "phish" your credentials, your wisest course of action should be to stay away from "fishy" looking emails and websites. Whether you’re busy chasing deadlines, shopping online, or simply browsing for leisure, it’s best to avoid links and emails that do not seem right to begin with. But what are the signs? Remember, stopping a phishing attempt is similar to that of playing whack-a-mole, where people would conclude that random attempts to hit the mole would improve their chances. But with so many holes, the mole will proceed unabated. As such, here are some helpful tips for recognizing a phishing attempt and how to hit them right:

Legitimate websites or financial institutions asking for personal information - beware of organizations, (including government bodies) that ask for your personal information as they rarely, if ever, do this… unless you really are registering for something. However, opening statements in emails that mentions your real name instead of "member" may come from legitimate sources. But be wary and always verify with the company before taking action.

Emails or pages that have spelling and grammar errors – companies value their reputation and proofread their websites and the letters that they send out to their customers. As such, it could be easy to tell apart a legitimate email from a phishing one.

Intimidating or alarming subject lines – cybercriminals get a users’ attention by using scare tactics and emotional language. Avoid such messages and delete them right away.

"Phishy" links in emails and social media posts – it could be pretty hard for the untrained eye to spot malicious links. However, one of the easiest way to tell that it's a phishing attempt on social media—and one of the most common social media phishing tactics—is when a link asks you to log in again with your credentials. Verify where the links go to and stick to getting your content from known sources.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.