How to recognize phishing attacks and avoid getting hooked

Nandhini Raghunathan, December 27, 2024 | 10 min read

The more you know about the ways cyber thieves use technology for evil, the better prepared you’ll be to identify phishing scams before falling hook, line and sinker. Nobody wants to be that employee who made a rookie mistake and caused a data breach—or worse.

Here’s a glossary of cyber-security terms, including many phishing variants, some examples to show how they work and tips to avoid cyberattacks. Ready to dive in?

Baiting

This phishing tactic happens when a fraudster plays on human emotions to get victims to let their guard down and do something to infect their computers. The bait can be anything from a simple link in an email for a 50 percent off coupon for your favorite clothing store, to a social media post urging you to download a 1947 alien video file from Area 51, to an infected USB drive labeled “Q4 salaries and bonuses” that’s left on a table in a corporate café.

Business email compromise (CEO fraud)

This is when spammers impersonate company executives by sending emails asking employees to take action, like sharing confidential tax information or making a wire transfer of funds. A cruel form of baiting is an email that looks like it’s from human resources to let you know your position has been eliminated and you must download a file (which is actually malware) to see your severance package. Don’t be fooled by an executive’s email address that replaces the i’s, l’s and o’s in their name with ones and zeros.

Clone phishing (website or domain spoofing)

Talented fraudsters, or those with the help of AI technology, can mimic the look of websites their victims visit often. These fake websites can trick you into sharing your account sign-in credentials and payment information. Be especially wary of sites with generic domain extensions other than the traditional .com. Cyber criminals are attracted to non-traditional domain URLs because they can often be purchased at bargain prices with easy registration and few, if any, identity verification measures.

Diversion theft

Diversion theft occurs when a thief convinces a business to deliver a shipment to a location different from its legitimate address. For example, a fraudster calls a business supply store in a panic saying a mistake was made in a recently placed order. Instead of going to the company’s headquarters, the shipment must be sent to an offsite location to set up a conference business center. Except there is no conference, just a con artist eager to snatch the rerouted goods.

Dumpster diving

This isn’t just something your frugal friends do to give new life to cast-off items. Business dumpsters are prime phishing holes for fraudsters looking for business documents and old computers that contain confidential data. Thwart dumpster divers by shredding sensitive documents. Another tip is to scrub all information from old devices before dropping them off at an electronic waste recycling center, which is a better alternative for the environment than a dumpster.

Email phishing

This is any attempt to scam victims through fraudulent emails. Some common phishing email examples include:

  • A plea from a fleeing resident of a war-torn country who needs your bank account number to transfer some money
  • An invoice for a past-due bill that will be turned over to a collection agency
  • Notice of suspicious activity on your email account that requires you to change your sign-in credentials
  • An alert from your digital payment platform saying your account has been compromised and you need to fix it from a “secure” site
  • A request from someone appearing to be a friend who thinks you’d like to see a file on a shared document site

Honey trapping (romantic scams)

An attacker who uses social media to create a fake online profile, complete with an attractive photo and bio, is hoping to spark a romantic relationship with anyone who falls for their lies—a honey trap. The relationship may start with a flattering comment on something the victim posted online and turn into a request to become a contact. Once the relationship blooms and trust is built, the fraudster manipulates the emotions of their love interest into shedding more than just a few tears.

Payroll hijacking hijinks

Cyber criminals are busy setting up fake online payroll sites, which look surprisingly similar to actual payroll apps. Search advertising campaigns lure victims to the spoofed sites, where they enter their sign-in credentials. The crooks use the credentials, along with other private information they’ve gathered, to access the employee’s portal account and replace their victim’s banking info to divert online deposits.

Personally Identifiable Information (PII)

Personally Identifiable Information, or PII for short, could be your name, address and email address, but also includes Social Security, phone, bank account, credit and debit card, driver’s license and passport numbers. Take the extra time to shred any old documents with PII.

Pig butchering

This hustle, which was started in China by organized crime groups, gets its name because the victim is groomed over time before being exploited, similar to how a farmer fattens a pig before it’s taken to the slaughterhouse. It all begins with friendly texts that look like they were sent to the victim’s phone number by mistake. When the victim explains the mix-up, the perpetrator starts up a relationship and eventually gets the victim to make investments on a fake cryptocurrency website. The victim may even be allowed to withdraw funds to build their trust. As they see their investment grow, they’re encouraged to increase deposits until the thief withdraws everything. Groomers are often victims of human trafficking who are forced to work in large scam compounds and risk torture if they don’t continue the scam, according to Vice Magazine.

Pretexting

Pretexting refers to any fake story that is used by social engineers to gain their victims’ trust.

Quid pro quo

You may be familiar with this Latin term that means “something for something.” In the social engineering world, it refers to an attack where someone pretends to be a helper to get you out of a jam. An example is when an alert pops up on your computer saying your computer has been infected and to call an IT virus expert who can fix the problem. In exchange for this service, the helper wants something—a fee, your sign-in credentials or temporary control of your computer.

Scareware

This form of social engineering tricks victims into thinking their computer is infected with a virus. They are scared into doing something, like purchasing and downloading software to remove the virus, copying and installing malicious code, or allowing the fraudster to take control of their computer to supposedly diagnose the issue when the real aim is stealing information.

Shoulder surfing

This attack is when someone looks over your shoulder to gather sensitive information from your computer screen. If you work on documents containing private data in a not-so-private area, like a reception desk or coffee shop, shield or turn your screen away from prying eyes and always log off if you step away from your computer.

Smishing

A mash-up of SMS and phishing, smishing is when fraudsters send text messages to trick recipients into sharing sensitive information or downloading malware.

Social engineering

In the field of cyber security, social engineering is the fraudulent method of manipulating a victim into doing something online that is not in their best interest, like sharing private data or clicking on a malicious link. Social engineers employ psychological tricks that play on a victim’s emotions, like fear, sympathy, greed and loneliness.

Social media phishing

This is the attempt to scam members of social media platforms, like Facebook, Instagram, X (formerly known as Twitter), TikTok and LinkedIn. Be especially wary of:

  • Job offers from recruiters who need some personal information
  • Comments on popular posts with attachments or links to similar content
  • Prizes or free items from name brand companies
  • Fun games that collect answers to common security questions
  • Friend requests from people who are already friends (they may have been hacked)
  • Suspicious activity alerts prompting you to change your account credentials

Spear phishing

Fraudsters don’t use a generic one-size-fits-all email in spear-phishing attacks. They use their research and creativity skills to craft malicious emails that target a specific person. For example, your company’s new accounting clerk might receive an email from someone pretending to be your CEO demanding the attached invoice be paid ASAP and that they shouldn’t wait for a purchase order number.

Tactics, Techniques and Procedures (TTP)

If you’ve ever been in the military, you may recognize Tactics, Techniques and Procedures or its acronym TTP. In cybersecurity, it’s the same. Think of it as the fraudster’s manual for carrying out their plan of attack.

Tailgating

Tailgating means more than partying before a football game or concert. The not-so-fun tailgating is when a con artist slips in behind you at a gate or door to enter a secured area with the intent to steal data or do some baiting. They may pretend to be a new employee who misplaced their corporate badge, a delivery person whose hands are too full to enter a code, or even an applicant running late for a job interview. Stand firm and don’t let them in. Security will thank you later.

Vishing (voice phishing)

Vishing is when a fraud attempt is made using a phone. A good rule to follow is never to give credit card or other private information to anyone who initiates a call to you. The caller ID can be faked to look like it belongs to an organization you trust. And with AI technology, even a caller’s voice can be disguised to sound like a family member who needs money for an emergency.

Water-holing

This is a technique where fraudsters collect information about a group of people, for example employees at a hospital, to learn which websites they visit frequently. The bad guys then look for weaknesses in those websites so they can sneak in and add malware. Next they wait patiently for a member of the group to visit an infected page and download malware that in turn infects the member’s device, often without their knowledge. In case you’re wondering, the infected pages on the group’s frequented websites are like nature’s watering holes and the fraudsters are the predators who lie in wait for unsuspecting prey to visit.

Whaling

Whaling is similar to the spear-phishing attack because it personally targets specific individuals. But in this case, cyber criminals aren’t content with just any employee—they cast their nets for the biggest of fish—senior executives. This is another attack that takes time and research as the perpetrator impersonates someone that the executive would know and trust, like another company executive or a board member. The attack starts with personal conversations with a spoofed email or chat platform. Once trust is built, the fraudster will come up with an urgent work emergency that needs the executive’s help, like reviewing an attachment, signing into a fake accounting platform with their credentials, or clicking on a malicious link.

Tips to thwart cyberattacks

There are plenty of great programs and tools to help you avoid cybercrime, but don’t fall into the trap of thinking your business is immune because you have the best anti-virus software or the latest multi-factor authentication. The vast majority of successful attacks involve human errors, so here are some personal tips to bump up your virtual vigilance:
