One of the top-grossing fishing movies was the 2000 release of The Perfect Storm, starring George Clooney, Mark Whalberg and Diane Lane. It was the story of the Andrea Gail, a 72-foot fishing vessel that sank in 1991 during “the perfect storm,” where 3 different weather fronts combined off of the east coast of the United States to form an extremely powerful hurricane that caused massive devastation up and down the eastern seaboard. The storm killed all 6 crew members aboard.
Today, there’s a different phishing story playing out across the country that is also based on a “perfect storm”. That includes 15 billion spam emails sent each day, cybercriminals who relentlessly send those emails and, according to the FBI, over 241,000 victims of the phishing attacks in 2020, which was double the amount of the previous year. Unfortunately, many people don’t report phishing email scams, which means the number of victims can actually be much higher. Damage is often extensive, as 32% of data breaches involve phishing emails, and 94% of malware is delivered via scam emails.
They’ll Get You Hook, Line and Sinker
As with other types of cybercrimes, there are multiple types of phishing attacks. First up is “spray-and-pray” phishing emails, where the cybercrook sends out thousands of spam emails and “prays” that a few will be opened. That’s all it takes for a cybercrook to be successful. Even if the number of people opening spam emails is low, and it is – just about 3-4%, if a cybercriminal sends out 10,000 phishing emails, 340 people who open them are potential victims. That’s the numbers game that makes it worthwhile for a cybercrook to make money.
A more refined and targeted tactic is “spear phishing,” where the cybercriminal refines their approach and uses a much lower number of spam emails but achieves more effective results. That’s because these phishing emails contain numerous personal details that make the recipient believe that the spam email is actually a legit message.
There is also “whaling,” which also is highly targeted, but takes things a step further by impersonating members of the company or group. Because they use information that is believable, the cybercrooks are often able to obtain highly sensitive financial or other important business data that can lead to a big payday for the cybercrook. These are sophisticated phishing attacks that use spoofed emails and spoofed websites to make the entire scam convincing. One other difference is that the cybercriminal will be patient and take his or her time sending out multiple emails over a period of weeks or longer – all to earn the trust of the intended victim.
The Cybercriminal Sets the Bait
How do cybercriminals create phishing emails that bring in enough money that it makes it worth their time and effort? They start by researching their targets, particularly when “spear-fishing” and “whaling.” They want personal details and information that makes the recipient think the emails are real, so they head on over to people-search sites to gather the needed data. It’s all unauthorized, but it’s legal to sell it to whoever wants to pay for it.
Next, they’ll develop a believable email address. Because the email address can be an instant tip-off that it’s a scam email. They’ll create a subject line designed to get attention, something that might shock a reader. This could be as simple as, “warning, final notice!’ or something far more sophisticated. The cybercriminal will also create a strong and convincing message, and if they’ve done their job well, the email will also contain a link that the recipient will click on to download malware. That’s the goal of all their work.
Avoid Taking the Bait
The cybercrook set the bait, and they’re waiting for you to act. But here’s where you can protect yourself from their tactics – proactively. Since they’re going to try to get your personal details from people-search sites, go there first and delete your information and opt-out of the sites.
If your email provider doesn’t have strong phishing prevention protocols, change to the one that does. For example, Gmail has excellent phishing prevention software that places most spam where it belongs – in your spam folder. Make sure your email provider has an aggressive anti-phishing protocol in place or switch providers.
Make sure you are using the very latest operating system. There’s a reason why software has updates – it’s to fix security lapses that could be an open door for scammers. Having the latest OS will help to minimize any potential threats. Also, pay attention to any news relating to email scams – Microsoft and the IRS both spent a lot of money and time alerting people on potential frauds. Knowing what might be coming will help prevent you from being a victim.
What to do if You Took the Bait
If you become one of the cybercrook’s victims, report it! File a report with the Federal Trade Commission (FTC) whenever you’ve responded to a phishing email. If you fell for an IRS scam, report it to the Internal Revenue Service. Plus, if you took a financial hit from the phishing mail, report it to the Treasury Inspector General Administration. And if you did respond to a link in a phishing email – immediately change your password to a stronger one – 12 characters long that includes numbers, letters and symbols.
By following the information and suggestions in this article, you’ll help to protect yourself from phishing emails and the damage they can do.