Phishing, according to Wikipedia, is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
Put more simply, it is an email sent by someone with the intention of tricking you into opening it and following its directions. Most of the time a phisher is phishing for usernames, passwords, and credit card information. An example might be an email that looks as though it is from your bank.
The email may say that the bank needs you to log in to your account to verify some information, otherwise your account will be closed. For convenience it includes a link or button for you to click that opens a webpage, and that webpage is where they actually steal your information.
These are dangerous emails, but what they can lead to is even worse. In order to obtain usernames and passwords the attacker has to make you log in to a webpage that they own. The link you click in the email does not actually take you to your bank’s website. It takes you to a website that looks like your bank’s, but is not. It may even have a very similar-looking website address. When you log in, the attackers receive your credentials, pass them on to the real banking website, and then show you the actual bank’s website. This way, when you see your account details you are unaware that you were just tricked into logging in to the wrong website. This is also referred to as a “man-in-the-middle” attack. The email you received is known as a phishing email.
Benjamin Franklin once said, “An ounce of prevention is worth a pound of cure.” The ultimate goal to stop a phishing attack is to prevent it from even happening.
How to Prevent Phishing
Never reply to an email requesting confidential information. Legitimate businesses are aware of phishing scams and will never request this information directly. If you receive an email requesting this type of information (usernames and passwords, credit card information, social security numbers…), delete it or forward it to firstname.lastname@example.org and we can help determine whether it is a phishing email. Also, if the email requests a direct call to an unfamiliar number, do not call it! This type of request can lead to another attack called “social engineering,” where an attacker may attempt to talk you out of private information over the phone.
Check emails for bad spelling or grammar. Companies go to great pains to proofread their emails before sending them out. An overwhelming number of phishing scams come from nations where English is not a dominantly spoken language and are often riddled with bad grammar and misspelled words.
If you see a link in a suspicious email, don’t click on it. Instead, hover your mouse over the link (without clicking) to see whether the destination address matches the address shown in the message.
As we mentioned earlier, a lot of attackers like to use spoofed websites to trick you into logging in. The best way to avoid visiting one of these websites is to not click links in emails you think might be unsafe. If you want to verify a request from a company, open a web browser and go directly to the website, either by typing in the URL or by performing a Google search, and log in from there.
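The "hover over the link" check above can also be done programmatically, which is how mail filters catch the same trick at scale. The following is an added example written for this page, not code from the original article: it parses the HTML body of an email, collects every link, and flags a link when the address shown to the reader names a different host than the one the link actually goes to, or when the link leaves the domain the email claims to come from. The sample email, the sender domain `example-bank.com`, and the look-alike host `examp1e-bank.com` are all constructed for illustration.

```python
"""Flag hyperlinks in an HTML email whose visible text and real destination
disagree, or that lead away from the claimed sender's domain."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently being read, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lower-cased hostname of a URL; tolerate a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """Visible link text that a reader would take for a web address."""
    return "." in text and not any(ch.isspace() for ch in text) and host_of(text) != ""


def same_site(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def audit_links(html_body, sender_domain):
    """Return a list of (href, visible_text, reason) for suspicious links."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if looks_like_url(text):
            # The reader sees one address but the link goes to another.
            text_host = host_of(text)
            if text_host != href_host:
                findings.append((href, text,
                                 f"shown as {text_host} but goes to {href_host}"))
                continue
        if not same_site(href_host, sender_domain):
            # Plain-text anchors ("Click here") that leave the claimed domain.
            findings.append((href, text,
                             f"leaves {sender_domain} for {href_host or '(no host)'}"))
    return findings


# Constructed sample email body (not a real message). The first link shows the
# bank's real address but points at a look-alike host with a digit 1 for l;
# the third points at a bare IP address (198.51.100.7 is documentation space).
SAMPLE_EMAIL = """
<p>Dear customer, your account will be closed unless you verify it at
<a href="http://examp1e-bank.com/login">https://www.example-bank.com/login</a>.</p>
<p>Questions? Visit our <a href="https://www.example-bank.com/help">Help center</a>
or <a href="http://198.51.100.7/verify">click here</a> to confirm your card.</p>
"""

if __name__ == "__main__":
    for href, text, reason in audit_links(SAMPLE_EMAIL, "example-bank.com"):
        print(f"SUSPICIOUS: '{text}' -> {href}  ({reason})")
```

Running it against the sample flags the look-alike login link and the bare-IP "click here" link while leaving the genuine help-center link alone. The check is deliberately narrow: it says nothing about a link whose visible text is not a URL and whose host does belong to the claimed domain, which is exactly why the manual advice above still matters.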