Every day, millions of cyber attacks take place around the world, and they are a growing problem for both individuals and businesses. The most common form of cybercrime is called phishing, and it can take place over email, text messages, phone calls and social media.
Phishing is a malicious attempt to trick you into giving out personal information or to gain access to your computer system. The information can be an address, passwords, social security number or credit details. The aim of gaining access to your personal information or your computer is almost always to steal your money.
What is the difference between spam and phishing?
Many people think that spam and phishing are the same thing. But there are actually some key differences that are important to know about.
Spam, which can also be called junk mail, is unsolicited email from individuals or companies that is sent out in bulk to millions of people. The content of spam is typically commercial, usually advertising (illegal) goods, pornography and online casinos. It can also contain "scams" about how to get rich quick.
Cyber criminals make money from people who choose to pay for what is advertised. Spam is an unwanted form of commercial advertising designed to flood recipients' inboxes with emails. The aim of the sender is to sell as many products or services as possible.
Phishing is a strategic attempt to trick people out of their confidential information. In phishing, the cybercriminals claim to be a legitimate company or public authority and use various strategies to convince the recipients.
Phishing is a type of cyber attack called a social engineering attack. Social engineering is a process whereby cybercriminals purposefully manipulate their victims into taking certain actions or making certain choices, most often giving up personal information or access to their computer system.
Hackers typically use one or more strategies to influence their victims, namely the use of authority, intimidation, social acceptance, scarcity, time pressure and positive evaluation. Through these strategies, they can arouse certain emotions in their victims that can impair their judgement, making them more likely to take the actions described in the phishing emails.
What do phishing emails look like?
Phishing emails are designed to look legitimate, and the sender typically poses as a trustworthy company or government agency, such as a bank, SKAT or Nets. In a phishing email or SMS, for example, the sender will ask the recipient to update a password, transfer money, validate an account, receive a gift or check the status of a delivery. To perform these actions, the recipient must click on a link.
The strategies used by cyber criminals may include giving the recipient 24 hours to perform the action or writing that there is a limited quantity of a gift or item to get the recipient to respond quickly. They may also threaten negative consequences if the recipient does not perform the requested action. Hackers can also imitate logos of real companies in phishing emails to make them look trustworthy.
Years ago, fake emails were almost always characterised by bad language, full of spelling mistakes and incorrect grammatical constructions. You still see spelling mistakes in fake emails, but machine translation has improved a lot in recent years and hackers have also become more professional. Nowadays, fake emails often contain good, formal and trustworthy language and not bad English, as many might expect.
Can you be hacked by opening a phishing email?
No, it is not possible to be hacked simply by opening a phishing email on your computer or mobile phone. A phishing attack only happens if you click on a link or download an attachment in that email or SMS.
What happens if you click on a link in a fake email?
If you are sent a fake email and click on the link in it, you will be directed to a phishing website that looks like the real company's website. Here you will be asked to enter login details or credit card information. It is also possible that the link may contain malicious software, such as ransomware or spyware, which will be installed on your computer if you click on the link or download an attachment in the email.
Prudent rule of thumb
It's important to remember that real companies would never ask for sensitive information over email, mobile or social media such as Facebook. You should therefore never send such information. If you have been sent a suspicious email or SMS, contact the sender or contact the company and ask them if they have sent it.
How do I report a phishing email?
There are several ways you can report phishing. First of all, you can report it to the police if you have been hacked and have been robbed of private information or money. Their website has a reporting portal.
You can report phishing with several email providers, such as Gmail. If you receive a phishing email, you can report it directly in your inbox. The phishing email is then registered and deleted. When you report a fake email, your email provider's spam filters become better at catching and filtering out unwanted emails.
There are several digital services against phishing, such as My Digital Self-Defence. It's a free app where you can keep up to date on digital threats. You can both see what's out there and report digital threats yourself from within the app. That way, you help others too.
About the author
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.