Phishing is the act of placing a piece of bait in front of an unsuspecting computer user and hoping that they will bite - it's been the bane of antivirus companies for a long time now.
Just like someone fishing uses bait on a hook to try to land a salmon, a malicious actor will use virtual bait in the form of an email (usually) with a link, to try to entice the user to click on that link – whereupon they will be ‘hooked’ and most likely infected with some kind of malware - and a whole world of pain and expense.
You’ve got unwanted mail
As mentioned, the most common delivery method for a phishing attempt is an email, but this kind of attack can be aimed at the unwary via text messages on a phone, on social media sites or, indeed, other avenues online.
The common theme is that whatever the chosen channel for delivery, the message will look like it’s coming from a legitimate entity, and if the attacker is really well-armed with some knowledge about you – such as the services you subscribe to – it may seem all the more believable because it appears to be from a company you use.
Because the communication seemingly comes from a legitimate entity, you may be less inclined to scrutinise the actual message content, particularly when the phishing email also suggests that something needs to be done urgently, which is another common tactic.
So how does phishing work exactly?
Often the phishing scammer will make it seem like you must take immediate action, hoping that this may prompt you to act swiftly out of fear, rather than considering the content of the email at any length.
So let’s take an example: you might receive a message about an unpaid bill, marked as urgent, and warning that your account is about to be cancelled if payment isn’t made immediately. The invoice will be attached, and if you open it, curious as to what you owe and why, the dummy file (it’s not a real invoice of course) will infect your PC with malware.
A second example is an email which says something like: ‘Follow this link to log in and reset your password NOW, because your account has been compromised, and your payment details are at risk.’
The irony being that if you do indeed click on that link, and fall for the phishing attempt, you’ll be presented with a false (probably quite convincing) login portal, and when you do enter your password and/or bank details, it’ll be stolen and your account really will be compromised.
How bad is it if you get phished?
Sticking with our above examples, if phishing tricks you into opening a malware-laden attachment, your system will be infected and all manner of bad things could happen. For instance, you might fall victim to ransomware, which locks all your files away and demands a large payment to get them back (with no guarantee that will happen, even if you do pay out).
With our second example, the malicious party will have your username and password - possibly even your bank details - and will then be able to log in to your account, perhaps changing the password to lock you out when you next try to log in.
Depending on exactly which service or subscription has been compromised, the fraudster may be able to take any number of actions – if it’s an online shopping site, for example, they could order goods from it under your account.
A further danger is present for folks who engage in the poor security practice of using the same password for different accounts, because the attacker may try the pilfered password with other common services speculatively – using your email as the username – and be able to log into those as well.
This is why you should never reuse the same password across multiple accounts (and if you’re stuck in terms of thinking up and remembering different passwords, try using one of the best password managers).
Two factors are better than one
Clearly, phishing is highly dangerous, then – so what can you do to protect yourself? The most important thing is to exercise common sense and a good deal of caution about any message you receive which looks faintly suspicious (and has tell-tale signs like spelling mistakes or odd phrasing, errors that malware authors often make), urges you to do something ‘right now’, or has a link or attachment which seems even remotely dodgy.
Even if a message apparently comes from your boss, or a close friend, don’t trust the content more because of this – their email address or details could easily have been spoofed. Indeed, one of the best steps you can take if you’re not sure about a message is to contact the sender of the email directly and check if it’s genuine. Similarly, if you get a message purporting to be from, say, Amazon, you can log in to your account and contact the company directly to similarly check the validity of any communication.
Double checking is your friend when it comes to defeating phishing, and so is doubling up on authentication. This means using two-factor authentication, or 2FA, which many major services and companies offer these days. With 2FA, you set up not just a password, but also a second form of verification, so when a login attempt comes from a new device or location, you also have to enter, say, a code which is texted to your mobile phone.
In this case, an attacker may have phished your password, but when they try to log in with it, they don’t have your phone (hopefully!) – and so won’t be able to successfully get into your account. 2FA is most definitely a big ally in the battle against phishing.
Finally, it obviously doesn’t hurt to have one of the best antivirus packages installed on your PC (or indeed phone) to help catch any threats and to block known phishing sites.
What is phishing and how dangerous is it?
Phishing is one of the most dangerous threats to your online accounts and data, because these kinds of exploits hide behind the guise of being from a reputable company or person, and use elements of social engineering to make victims far more likely to fall for the scam.
Because of this, you should be extra cautious of anything remotely suspicious in a message you receive, and make good use of the security practices we discussed above, including two-factor authentication.