Types of Phishing: Tips to Prevent, Spot, Report Scam Emails

October is National Cybersecurity Awareness Month and it's an excellent reminder that protecting your personal information online is important. One way to do that is to recognize and avoid phishing scams.

What is Phishing, and How Does It Work?

Cybercriminals use social engineering, which is the art of manipulating people into divulging information or doing something they wouldn't normally do to steal information, said Judith Dionne, an information security awareness and training manager for Southern New Hampshire University (SNHU). Dionne has been working with information security at SNHU for the past five years, including managing a phishing simulation training program and designing a variety of other trainings.

She said that phishing is the most successful form of social engineering that cybercriminals use, because it works.

How does it work? It's a tactic scammers use to impersonate legitimate companies or individuals using email, text messages or phone calls to trick people into revealing sensitive information such as usernames, passwords, credit card details, other banking and payment information and more.

Think of how fishermen use bait to catch fish — your personal information is the fish in this scenario, the scammer is the fisherman and the bait is the fraudulent email they send you. For example, the email might ask you to click on a link and update your information.

What Are 8 Types of Phishing?

There are many types of phishing to be aware of, according to Dionne; It's not just in email anymore. Here are some of the more common types of phishing:

1. Email phishing: This is the most common type, where attackers send fraudulent emails that appear to be from legitimate sources, attempting to trick recipients into revealing personal information or clicking on malicious links or attachments.
   
   
2. Smishing (text-message phishing): Involves sending text messages that trick recipients into revealing personal information or downloading malware. Messages may claim to be from banks or delivery services.
   
   
3. Vishing (voice phishing): Uses phone calls to impersonate legitimate organizations (like banks or tech support) to extract sensitive information from victims.
   
   
4. Quishing (QR code phishing): Uses QR codes that will take the victim to a fake website where they may be asked for credentials or malware to be downloaded.
   
   
5. Website phishing: Attackers create fake websites that closely mimic legitimate ones to capture login credentials and sensitive data. Users are often directed to these sites through phishing emails or ads.
   
   
6. Social media phishing: Involves using social media platforms to send messages or posts that trick users into providing personal information or clicking on malicious links.
   
   
7. Business Email Compromise (BEC): This sophisticated form of phishing targets companies by impersonating an executive or vendor to authorize fraudulent transactions or data transfers.
   
   
8. Search engine phishing: Attackers use search engine optimization techniques to place malicious links at the top of search results, leading unsuspecting users to phishing sites, "sponsored" links can also be malicious, so be careful with those, too.

What is an Example of Phishing?

One example Dionne provided was when a cybercriminal seeks usernames and passwords. In this case, an alarming email is sent warning the recipient that an account has been compromised and the password must be reset, she said.

"The email would include a link to a site to help the person reset their password, but the site is spoofed," said Dionne. "Following the link would take them to the fake site that is branded to look like it belongs to the business, and they would be prompted to enter their existing username and password to create a new one. For example, if you have a bank account with Bank of America (BOA), the phishing message would have the BOA logo, and the link the site brings you to would look like a BOA log-in page."

Typing in your credentials would send them directly to the cybercriminal. After you type them into the fake site, nothing happens on it, and most users think it's a faulty link and won't question it. In reality, the cybercriminal just learned the username and password for your bank account.

How to Spot a Phishing Email

At first glance, it can be easy to miss a phishing attempt.

Robin Sullivan, director of portfolio for Technology Services at SNHU, shared some red flags to be aware of to help identify potential phishing emails; these include:

• Poorly written emails with misspellings or spoof display names, although, Dionne said that AI can help cybercriminals craft more professional emails today.
• Language trying to instill a sense of urgency
• The web and email addresses don’t look genuine
• They ask you to confirm personal information

Dionne noted some additional signs to look out for, include:

• Links and attachments in the email
• Unusual requests (such as transferring overdue funds)
• Unsolicited offers for part-time employment or work-from-home jobs

So, What Happens If You Open a Phishing Email?

Most phishing emails are relatively safe to open as long as you don't interact with them, said Dionne. Just be sure you don't click on links or open/preview any attachments. If that happens, she said you could be opening yourself up to potential risks, such as:

• Computer worms
• Keyloggers
• Malware
• Ransomware
• Spyware

If you open a phishing email and click on a link or attachment, there are a few things you can do to try and protect your information.

To start, you should immediately close all your tabs and browsers, according to Identity Guard. Next, check for any automatic downloads that may have started and delete those too.

Identity Guard also recommends potentially changing your usernames and passwords. Remember the Bank of America scenario? In that case, change your username and password immediately to prevent unwanted access to your account.

If you use the same password for multiple accounts, change your passwords, too. Identity Guard recommends considering a password manager, which can help you create and organize your usernames and passwords. Added bonus, a password manager can create strong and secure passwords for you.

For some additional peace of mind, you could consider installing anti-virus or anti-malware software that can scan and remove potential threats from your devices.

If you interact with phishing on a work device, be sure to notify the appropriate contact at your organization to follow company protocol and next steps.

How to Protect Yourself from Phishing

Phishing scams can be costly to businesses and individuals.

“Compromised information as a result of phishing can cause significant damage to a person or an organization," said Sullivan. "It can lead to identity theft, financial loss, loss of access to email and loss of personally identifiable information.”

So, it’s important to know how to try and prevent falling prey to phishing attempts.

Sullivan and Dionne offered these tips to protect yourself:

• Use strong, unique passwords for each of your online identities. Never re-use the same password for multiple online identities. Choose different letters, numbers and symbols and avoid using anything familiar that others can publicly research about you, such as your date of birth or a pet's name.
• Never click links in an email. For example, if you receive a notification from your bank, log in directly to the bank’s website instead of using the link provided in the email.
• Never share personal or financial information in an email.
• Always be suspicious of unsolicited emails, text messages and phone calls.
• Never scan QR codes unless you know the source of it.
• If it sounds “too good to be true,” it probably is, for example, a work-from-home job.
• Use anti-virus, email filtering and firewalls to reduce phishing traffic.

Dionne said another tip is to slow down when reading emails. She advised taking your time and considering these questions:

• Do you know the sender?
• Are you expecting an email from the sender?

With regard to the tone of the email:

• Is it urgent?
• Does it tell you that you missed a payment or that someone jeopardized your account?

"Cybercriminals may send one message to many people at once and at odd times of day," Dionne said. If the message looks unusual or suspicious, look at:

• The time of day you received it
• The amount of people copied on it
• If you know anyone copied on it

"You may also get phishing emails from people you know," said Dionne. "If you get an unusual email from a family member or friend, check the message's validity through another channel."

You can call or text the original sender to see if they sent it. Dionne said don't trust a message is secure if it's unexpected or out of character for the sender.

“But no matter how many controls are put in place to protect our environment, the best defense will continue to be user awareness and vigilance,” Sullivan said. “As technology changes, scams become more sophisticated and complex, and we will always have these threats to some degree.”

How to Protect Yourself from Employment Phishing Scams

Employment scam emails are one type of phishing that can affect people looking for work, especially college students.

"These emails are usually looking for one thing: Information," Dionne said. They trick you into giving personal information to cybercriminals posing as potential employers.

One way to protect yourself is to know what you've applied for and pay attention to who's sending the email. "Never respond to an unsolicited request for employment through email," Dionne said.

How to Report Scam Emails

If you feel you’ve received a phishing attempt, report the scam to help prevent it from happening to others.

If you come across suspicious forms of communication there are a variety of ways you can report them, for example:

• Report emails as phishing or spam. The way you report emails can vary from platform to platform but most have a button that you can click to mark a message as phishing or spam. For instance, Microsoft Outlook has a "report message" ribbon that you can click and then select "phishing." According to Microsoft Support, this is the fastest way to report and remove a suspicious message from your inbox.
• Report suspicious websites to sources like Google Safe Browsing or the security solution software firm ESET.
• Report scams and fraud to places like the Federal Trade Commission (FTC) Online Complaint Assistant or the Internet Crime Complaint Center (IC3).

What's the Difference Between Spam and Phishing Emails?

Spam is when someone sends an email to several users at once or tries to sell something by pushing their product on users as a usually unsuccessful attempt at marketing. Think of it as annoying junk mail where the sender isn’t purposely trying to steal your information compared to a phishing attempt.

See how savvy you are by taking Google’s Phishing Quiz to learn to identify phishing emails better and protect yourself from potential cyber threats.

Nicholas Patterson ’22 is a writer and alumnus of Southern New Hampshire University (SNHU), where he earned his bachelor’s degree in English and creative writing. He is currently honing his craft further as he pursues an MFA in Creative Writing from SNHU. Connect with him on LinkedIn.