While some types of spam are relatively harmless (if irritating) bulk advertising, there are other, more malicious ones that people will use in attempts to steal personal information or otherwise wreck computers. These types of spam are commonly known as phishing scams. We'll explain what these are, and how to protect yourself against them.
The term "phishing" comes from a hacker-influenced corruption of the word "fishing". And, just as the goal in real-life fishing is to use bait to lure fish into being caught on your hook so that you can eat them, mount them as trophies, or just brag about them and then throw them back in the water, a phishing scam works in much the same way. It uses some type of enticement or urgent request, usually conveyed through email, as bait. It then lures people into giving up personal information, or downloading viruses or spyware that steal their personal information and/or damage their computer.
The type of "bait" that phishing scams use can come in various forms. Some, like more general forms of spam, advertise debt relief services, weight-loss solutions, get-rich-quick jobs, and other products which are often "too good to be true". Others warn you about a problem with a bank account, website account, or some other type of account that you use, and that requires giving up personal information in order to fix. Still others claim that you have been selected to enter or win some kind of contest.
Often, part of the bait is that the phishing scam will tell you that you need to act immediately, because (for example) the product or offer is only available for a limited time, or something much worse will happen if you don't fix the supposed problem with your account (such as it being shut down or possibly broken into).
The "hook" in phishing scams can take different forms, too. Sometimes, a phishing scam will directly ask you to reply to the email with one that includes your personal information (which may even just be your email address; remember, most spam comes over automated mailing lists, not to you directly).
Others will require you to click a link to a website and then enter your personal information there. Sometimes, this website won't even give you a chance to enter your personal information, and will instead download a virus or spyware program to steal your personal information or otherwise wreck your computer. And still other phishing scams will require you to download a form or other computer file attached to them, which -- again -- likely contains a computer virus or spyware program that steals your personal information or damages your computer.
Advance-fee fraud is a popular type of phishing scam in which the perpetrator asks a victim to send them money to facilitate some sort of financial transaction. This could include the purchase of an item that the victim is selling, or the transferring of money into a secure bank account. The victim is promised payment for their goods or services, but instead the perpetrator makes off with their money, and perhaps also their banking information. We'll cover this type of phishing scam in more detail in our Advance-Fee Fraud article.
Spear phishing is a special type of phishing scam, in that it doesn't go after random people in an attempt to steal their personal information or damage their computer. Instead, it is usually performed by someone with a specific goal or motive, and targets people within a specific company or organization. It works by sending employees fake emails allegedly from another employee or company partner. The goal is to steal an employee's identity information or clearance permissions, which the scammer then uses to impersonate them and/or hijack their computer. Then, the scammer attempts to gain access to restricted company information, which could include trade secrets, military intelligence, or payroll data.
As spear phishing is a targeted attack, you probably won't run into it as an individual Internet user. However, if you work for a company that deals with a lot of sensitive information, you may want to be aware of this type of scam so that you can avoid it while in the workplace.
As scary as phishing scams can be, many can be avoided by following many of the same common-sense precautions that are used to deal with spam.
Often, phishing scams follow similar patterns to other types of spam emails. Look carefully at the contents of an email, including who it's from, to see if you can spot any of these giveaways for phishing scams:
"Too good to be true" offers or contest prizes
Numerous obvious spelling or grammar mistakes
Misspelled or otherwise odd-looking sender addresses or hyperlink addresses, or ones that you've never heard of before
Requests -- either directly or indirectly -- for personal information or money
One or more of these things in the same email should give you a clue that it's a phishing scam, and that you should ignore it. Be sure to look for these things in all emails that you get, even if they look like they're from someone familiar.
It's generally never a good idea to send any type of confidential identity-related or financial information over email, for at least two reasons. The first is that email isn't necessarily the most secure method of communication out there, which means that someone other than the person directly scamming you could intercept your email and get a hold of your info. The second is that many legitimate businesses and organizations actually have it written in their policies that they will NEVER ask for personal information or money over email, so you can safely pass off emails that do this as scams.
Even if you follow tip #2 and don't directly reply to a phishing scam, there are some that don't need you to in order to catch you. Like other forms of spam, once you identify a phishing scam, just ignore it or otherwise get rid of it. Don't click on any hyperlinks within the email, and don't open or download any files attached to the email. Doing so could infect your computer with a virus or spyware program, which could mean that you end up getting your personal information stolen anyway, and possibly sustaining other damage to your computer.
There are some email clients, such as Microsoft Outlook, that allow you to mark emails as spam (or even more specifically as phishing scams), like so:
If you are able to do this, it is probably a good idea to do so. In addition to deleting the email and blocking further emails from whoever sent it to you, it may also help your email client develop better spam-detection rules that can keep the scam from even reaching other people who use the same email service. So, in that sense, you're not only keeping yourself safe, but you're keeping your email community safe as well!
Notice that this one has an attachment which may be used to hide a virus, and the only content besides the subject line is an instruction that tells you to open the attachment. Who is the donation from? Why are they donating it to you? How are they going to get the money to you? There are too many unanswered questions for it to be a legitimate email.
Notice that this one has a rather vague-looking hyperlink to a website, which may be one that gives you a virus or spyware program. It also even tells you how to get around your email client's system for classifying it as a phishing scam. Also notice that it has no subject line and a strange-looking sender name, which are both signs of a phishing scam or other suspicious email.
Well, that wraps up our general explanation of what phishing scams are, and how to keep yourself from getting "hooked" by them. We'll finish off this section by discussing a specific and very common type of phishing scam called advance-fee fraud.
Learn how to use
Was something in this tutorial missing, confusing, or out of date? Or did it give you all the information you needed, and you just want to say "thanks"? We'd love to hear what you thought!