Warnings about phishing are so ubiquitous that it’s hard to believe there’s anyone left for fraudsters to fool. But far from fading, the number of phishing attacks has skyrocketed in recent years, thanks largely to the pandemic-driven rise of remote working and Bring-Your-Own-Device (BYOD) practices. Instances of phishing surged by 15% in the first quarter of 2022 alone, exceeding one million attacks worldwide for the first time, according to the Anti-Phishing Working Group (APWG). And perpetrators are getting more sophisticated, going to great lengths to make their correspondence seem legitimate, a tactic called “spoofing.”
What can be done? Check out these simple tips and tactics businesses and their employees can use to spot phony phone calls, text messages and emails and avoid getting caught on the phisher’s hook.
First things first: What are phishing and spoofing?
Phishing is a tool criminals use to trick people into divulging sensitive information like credit card numbers and login credentials. For example, a fraudster might email you claiming to represent a bank and ask you to confirm your username and password.
Spoofing is the difference between that caller claiming to be with A bank and claiming to be with YOUR bank. If someone calls saying they are from a specific financial institution and you tell them they must be mistaken because you bank with KeyBank, you’ve given them enough information to upgrade their next attempt from phishing to spoofing. In their mind, adding a KeyBank logo to a follow-up email may be all it takes to trick you into giving them what they want.
Spoofing always involves the use of a false front or ill-gotten personal information to make the illegal activity appear legitimate. Attacks can come in many forms, including via phone, text message or email.
Perpetrators of call spoofing falsify Caller ID information so that calls appear to be coming from a phone number, person or organization the call recipient is unlikely to ignore. For example, they might use the number of a local business, a charity or a government agency like the Internal Revenue Service.
It’s impossible to tell if the information displayed on your Caller ID is real or fake, so the best course of action is to avoid answering calls from unknown numbers. If you must pick up the call, be wary and hang up the phone immediately if the caller:
- Requests personal information for any purpose or event that’s unfamiliar to you
- Asks questions, especially of the “Yes” or “No” variety
- Asks you to press any buttons on your phone during the call
- Gets rude or demanding
- Makes you feel uneasy or uncomfortable in any way
Even if they know there’s no hope of you giving them the information they want, scammers will try to keep you talking in the hope that you’ll divulge details they can use against you later. Your best bet is to hang up at the first hint that something’s not right.
Like call spoofing, SMS or text spoofers manipulate information about the origin of a text message to make you think it’s from a trusted contact. For example, the scammer might change the second-to-last letter in “Google” to a capital I instead of a lower-case L. If the target believes the message is actually from Google, they’re more likely to click on the link embedded in the text message, which can lead them to a fake login page, a spoofed website or a malware download.
Here's how to avoid falling victim to SMS spoofing:
- Take a close look at sender details, as they will often contain errors
- Ignore demanding or urgent messages from unknown contacts
- Never click on links in text messages
Most importantly, never share sensitive information via text message, either by replying to an incoming message or through an email address or link embedded in a text.
As in call and SMS spoofing, email spoofing attacks falsify sender details to make it appear an email is coming from a trusted contact. One example involves a fraudster emailing the payroll department of a company posing as an employee who wants to change the bank account into which his or her paycheck is deposited. The new account is, of course, controlled by the spoofer, and the crime doesn’t come to light until payday, when the employee notices they haven’t been paid and contacts payroll to find out why.
Fortunately, compared with calls and text messages, emails provide the recipient with more information they can check to confirm whether the correspondence is legitimate. When you receive an email that seems a little phishy, take these steps:
- In the “From:” field in the email, check the domain (the part after the “@”) of the sender’s actual email address to make sure it matches the apparent sender. For example, if the sender claims to be from KeyBank but the domain in the email address is “@hotmail,” delete the email immediately and permanently (i.e., empty your trash folder).
- If the domain appears to match the sender, check it again to be safe. As is sometimes the case in SMS spoofing, the perpetrator may change one or two letters to try to trick the recipient. An email domain that looks like “@amazon” at first glance might actually be “@arnazon.”
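The two checks above (does the sender’s domain match the claimed brand, and is it a letter-swapped lookalike such as “arnazon” or “GoogIe” from the SMS section) can be automated for a mail filter or awareness tool. The code below is an added example, not KeyBank’s or the article’s; the allowlist of expected domains and the confusable-character table are assumptions you would tailor to your own organisation.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allowlist of domains this organisation expects mail from (assumption).
EXPECTED_DOMAINS = {"keybank.com", "amazon.com", "google.com"}

# Letter swaps commonly used in lookalike domains, e.g. "rn" for "m" and capital I
# for lower-case l as described in the article (assumed, deliberately coarse list).
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("i", "l")]


def skeleton(text):
    """Collapse text so that a lookalike and its genuine counterpart become equal.

    NFKC folds full-width and similar Unicode forms; lower-casing turns capital I
    into i, which the table then folds into l. Cyrillic/Greek homoglyphs are not
    handled here. Because both sides are skeletonised, the coarseness errs toward
    flagging, which is the right direction for a phishing check.
    """
    folded = unicodedata.normalize("NFKC", text).lower()
    for lookalike, genuine in _CONFUSABLES:
        folded = folded.replace(lookalike, genuine)
    return folded


def classify_sender(from_header):
    """Classify a raw From: header value.

    Returns (verdict, domain) where verdict is one of:
      'expected'  - domain is on the allowlist
      'lookalike' - domain collapses to an allowlisted domain (e.g. arnazon.com)
      'mismatch'  - display name claims an allowlisted brand, domain does not
      'unknown'   - none of the above; apply the article's usual skepticism
    """
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "unknown", ""
    domain = address.rsplit("@", 1)[1].lower()
    if domain in EXPECTED_DOMAINS:
        return "expected", domain
    for genuine in EXPECTED_DOMAINS:
        if skeleton(domain) == skeleton(genuine):
            return "lookalike", domain
    claimed = skeleton(display_name)
    for genuine in EXPECTED_DOMAINS:
        brand = skeleton(genuine.split(".")[0])   # "keybank.com" -> "keybank"
        if brand in claimed:
            return "mismatch", domain
    return "unknown", domain
```

A 'mismatch' or 'lookalike' verdict is the signal to set the email aside and contact the purported sender through a channel you already trust.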
You can also spot illegitimate emails with these clues: they may be poorly written, include attachments or suspicious links, or create a sense of urgency that the recipient needs to “act now” or else it will be “too late.”
Ask yourself “Does this communication make sense?”
The steps above are all quick and easy ways to “spot the fake.” But the most important thing you can do when receiving a call, text message, email or any other kind of correspondence is to approach it with skepticism:
- Would a legitimate email from a vendor or business partner be riddled with spelling and grammatical errors?
- Is this correspondence consistent with previous interactions you’ve had with the organization?
- Would it be reasonable for a colleague to call you demanding that you send them a list of Social Security numbers for all employees?
- Would a financial institution send you a text asking you to verify your identity by clicking on a link that doesn’t match the bank’s URL?
Remember that you always have the option of setting the correspondence aside while you reach out to the purported sender to confirm its validity. Apologizing to a legitimate contact for hanging up is a lot less painful than apologizing to customers who fall victim to a data breach initiated by a spoofing attack.
Businesses that continue to educate their employees about nefarious communications have a better chance of avoiding phishing and spoofing campaigns. We may never rid the world of cybercriminals, but if more businesses and their employees follow the steps above and view incoming communications with a wary eye, we can leave more scammers with nothing to show for their efforts. And that’s a great goal to work towards.