PHISHING attacks are fraudulent emails, text messages, phone calls or websites designed to trick users into downloading malware, sharing sensitive information or personal data (e.g., Social Security and credit card numbers, bank account numbers, login credentials), or taking other actions that expose themselves or their organizations to cybercrime.
Phishing is a form of misinformation in the sense that the hackers/scammers put out false information, but the people disseminating it believe it to be true.
Phishing scams play out on multiple platforms, both offline and online, and use different methods to obtain information and launch attacks on unsuspecting audiences.
The FactCheckHub has published several fact-checks on phishing scams and tutorials on identifying phishing scams, websites and viral WhatsApp messages.
A common phishing scam technique is sharing phishing websites to closed WhatsApp group chats, as the message on the websites prompts individuals to share with their WhatsApp contacts.
These attackers always devise new methods to present to people, most times luring them with freebies or offers of partnerships or contracts for individual personal brands or businesses.
There are over 10 types of phishing scams and attacks, but we will focus on the most common ones in our setting, how they work and how to avoid becoming a victim.
E-mail Phishing
This type of phishing takes place when attackers pose as an actual organisation or entity. Most times, they operate by creating a fake domain name that mimics a real organisation or an organisation that does not even exist.
Where the attacker is mimicking an actual organisation, the fake domain usually involves letter substitution, e.g. writing two letters ‘u’ (‘uu’) instead of ‘w’.
An example of e-mail phishing can be seen above.
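The letter-substitution trick described above can be checked automatically on the receiving side. The following is an added example, not part of the original article: it goes beyond the ‘uu’ for ‘w’ case by also covering a few other look-alike sequences, which are assumptions, and the trusted domains and sender addresses are constructed placeholders.

```python
from email.utils import parseaddr

# Look-alike sequences mapped to the letter they imitate. "uu" -> "w" is the
# article's example; the other entries are assumed common substitutions.
CONFUSABLES = [("uu", "w"), ("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]

# Constructed allow-list; replace with the domains your organisation really uses.
TRUSTED_DOMAINS = {"westbank.example", "mailroom.example"}


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From header ('' if none)."""
    address = parseaddr(from_header)[1]
    if "@" not in address:
        return ""
    return address.rpartition("@")[2].strip().lower().rstrip(".")


def skeleton(domain: str) -> str:
    """Collapse look-alike sequences so visually similar domains compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a sender as 'trusted', 'lookalike:<domain>' or 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    for good in sorted(trusted):
        # Same skeleton but different spelling: an imitation of a trusted name.
        if skeleton(domain) == skeleton(good):
            return f"lookalike:{good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed From headers for demonstration.
    for header in ("Accounts <billing@uuestbank.example>",
                   "billing@westbank.example",
                   "info@rnailroom.example"):
        print(header, "->", check_sender(header))
```

An "unknown" result only means the domain does not imitate a listed name; it is not a verdict that the sender is safe.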
Spear Phishing
Spear phishing is a more advanced form of email phishing. Unlike regular phishing, attackers conduct research on their victims, or they already have personal information about their victims, such as their name, place of employment, job title and specific information about their job role, and craft messages tailored to the details they have acquired.
Smishing
The word smishing comes from the combination of SMS and phishing. Attackers send deceptive messages to individuals using the short message service (SMS) feature. This kind of phishing attack takes place offline. A typical example is telling people that they have been considered for an opportunity and they should call a certain number for further details, just as seen in the image below.
Another example is sending fake bank alerts to vendors as payments for items bought or services rendered. A fast way to verify this is by checking your total balance after they claim the payment has been made, as it won’t reflect in your account. Another way is to log in to your bank app to check transaction details. Only genuine transaction details would appear.
Vishing
Vishing also stems from the combination of voice and phishing. Unlike smishing, this takes place via voice calls and conversations. These scammers use the Interactive Voice Response (IVR) technology that is commonly used by financial institutions to trick victims into divulging sensitive information.
A typical example is calling individuals and telling them there’s an upgrade on their account and tricking them into divulging their Bank Verification Number (BVN) to enable the hackers to have access to individuals’ money. Another example is calling individuals to say that their services are needed and that they are being contracted to supply an item, but that they have to make a deposit to get a sample.
Angler Phishing
This is the latest type of phishing, and it takes place in the comments section on social media. Dictionary.com defines an angler as someone who schemes to get things.
It manifests in the sense that the attacker comes to the comments section of a particular individual’s page and then tags an organisation or entity, accusing them of incompetence on their part. Then they pose as the organisation, asking the individual to check their direct messages (DMs) in order to resolve the issue.
Individuals get deceived by this and tend to send messages to the fake organisation when they have issues. Organisations have come out to debunk some of these mentions, but people still fall victim.
In order to avoid being prey to these attackers, it is advisable for individuals to always pay attention and read messages carefully. Most of these messages contain mistakes, either in construction or grammar. There could also be typographical errors, and in some cases, the framing of the sentences might be unofficial. If it looks too good to be true, it is most likely false.
If you didn’t apply for any grant, discard the messages that say you have won a gift or freebie. Lastly, when you receive phishing messages, mark them as spam so that in future, any message of the sort is automatically moved to spam and blocked.
Seasoned fact-checker and researcher Fatimah Quadri has written numerous fact-checks, explainers, and media literacy pieces for The FactCheckHub in an effort to combat information disorder. She can be reached at sunmibola_q on X or [email protected].