What is Phishing?
We all know how quickly misinformation can be spread online, where the line between fact and fiction is blurred, and trustworthiness is hard to determine. The prevalence of online confidence scams like phishing, for example, is a symptom of our increasingly digitized social climate.
It’s easier to convince an unsuspecting victim to click a questionable link than it is to walk into a store and steal from the cash register. As a result, phishing has become a huge problem for both consumers and merchants.
A phishing scam is an attempt to obtain sensitive information such as usernames, passwords, and credit card details. This information is then leveraged, with the ultimate goal of getting money from the victim.
Phishing usually involves a scammer sending an email that looks legitimate, but is actually designed to trick users into divulging personal information. These emails often appear to come from a legitimate source, such as a bank or retailer. The scammer may then use the information they obtain to commit fraud or identity theft.
How Does Phishing Work?
Phishing is a form of social engineering. This means it’s a technique that relies on conning people into performing actions or divulging confidential information.
It often involves sending official-looking emails that trick users into clicking on malicious links or opening attachments that install malware on their computers. The phisher then uses this malware to spy on the user, or steal logins, passwords, and other sensitive information from the user’s computer.
Here’s an example: A professional gets an email that appears to be from their bank, asking them to confirm some personal details like their name or address. The email looks real because it seems to come from the bank’s official website address. However, it was actually sent by someone pretending to be from the bank.
If that person does click on the link in the email, it will redirect them to a fake website asking for more personal details. When the target enters their information, the thief captures it.
Why Do Consumers Fall for Phishing Attacks?
Phishing is successful because people are often busy and distracted. Many people don’t have the time or inclination to check every single email they receive for accuracy. Even if they do take the time to check all of their emails carefully, it’s sometimes easy to be fooled by a link that looks legitimate but isn’t.
Here are some reasons why people fall for phishing attacks:
- They trust the person who sent the email: if the scammer sends them an urgent message, impersonating someone the individual knows and trusts, it’s natural to respond without thinking much about what could go wrong in this situation.
- They don’t check the link: if someone sends a message asking for information from another site like Facebook or Google Docs, many people just click on whatever link appears, without first checking the destination of that link.
Many phishing emails look very authentic. Even if someone does take the time to check all of their emails carefully, there’s no guarantee they’ll notice a scam until it’s too late.
Common Phishing Tactics
Phishers use a variety of tactics to target and defraud consumers and merchants. Some of the most common phishing scams out there today include:
Email Phishing
This involves sending generic messages with phony links, in bulk, to unsuspecting consumers. You can consider this a “wide-net” tactic. Most consumers will catch the scam, but one or two might not, and that is still a win for the phisher.
Account Suspension
This fake notice scam involves sending a message to a user warning them that their account has been closed or suspended, then providing the user with a link to resolve the issue. Once the link is clicked, the phisher gains access to the account.
Spear Phishing
Spear phishers target specific individuals, using personal details to trick them into revealing more personal information. For example, a message containing a scam link may address the recipient by their first name.
Whaling
This tactic is basically the same as spear phishing, but the phisher instead targets select senior executives within a company or organization. Business email compromise (BEC) tactics are often employed as part of a whaling scam.
Angler Phishing
This is also a form of triangulation fraud. In an angler scam, the phisher leverages all types of personal details divulged through social media to target an individual, effectively triangulating between the victim and their existing online presence.
Smishing
SMS phishing, or “smishing,” happens when a scammer lures in victims through text messaging or another SMS platform, and convinces them to click a link or provide information compromising their identity.
Impacts of Phishing on Merchants
Phishing scams are a serious problem for merchants. Not only can they cost the business money, they also put valuable customer data at risk.
If customer data falls into the wrong hands, it can result in costly security breaches, brand damage, and the potential loss of future customers. These aren’t the only risks merchants face, though.
Here is a brief list of some of the challenges phishing poses for merchants:
Damaged Data Integrity
Remember: both merchants and consumers are targeted for phishing scams, and one can have a serious impact on the other when targeted. For instance, merchants store a lot of data about their customers. If that data is compromised, phishers and other scammers could gain access to that sensitive information, further perpetuating the fraud cycle.
Lost Sales
Aside from straight-up losses due to casual fraud, phishers can also imitate a legitimate merchant’s website down to the minute details. When website spoofing occurs, merchants lose revenue and also take a hit to their reputation.
Reputational Damage
A merchant’s reputation will take a hit if victims blame them for non-delivery or for being scammed. That can leave a black mark on the perceived trustworthiness of any brand.
Chargebacks
If a phisher has successfully targeted a business, they could end up profiting from that scam twice. Some fraudsters will defraud a merchant for an expensive item, then file a chargeback for that item later on, effectively “double-dipping” on the business.
Ultimately, all fraudulent activity increases the cost of operating a successful business. High numbers of fraudulent attacks mean lower margins for that business, as well as increased investments in security, fraud mitigation, and identity protection. It can also undermine a business’s ability to stay competitive.
What to Do if You’ve Been Targeted
Consumers can prevent phishing attacks just by being careful. Never click a link in any email unless the email is expected or the contents have been confirmed with the sender. This means that if a consumer receives an email or text message that appears to come from a person or organization they trust, they should contact that person or organization directly before opening any link or file it contains.
As for merchants, the most effective strategy is to simply remain vigilant. Create and adhere to comprehensive employee awareness programs and instruct employees to spot red flags for suspicious emails. Also, merchants should provide detailed instructions for employees about what to do with potentially malicious requests.
Employees, especially, should be extremely cautious about anything posted on social media that references company information. This includes potentially confidential company data posted on personal social media accounts.
Lastly, merchants should invest in innovation and training designed to educate employees about the newest scams and teach them how they can be avoided. Rather than foster “clickers” in the office, it’s best to keep employees informed, present, and prepared.