An email from your bank telling you to change your password. An email from an online store asking you to update your billing information. A text, supposedly from the Canada Revenue Agency, to verify your SIN.
You’ve probably seen messages like these before – online communications that come out of the blue, and seem a little bit off. That’s phishing.
What is phishing?
Phishing is when a cyber criminal tries to extract information, login credentials or money from you by impersonating real people or companies through text messages, phone calls, email or social media.
What can happen if I fall for a phishing scam?
Phishing emails sometimes try to take you to fake websites used to trick you into giving login information or downloading viruses. This is called website spoofing, where a malicious website looks like a legitimate one.
In an attack associated with online shopping, for example, the cyber criminal can gain access to your username and password and lock you out of your account while they fill up the shopping cart.
If you re-use passwords across multiple accounts, you could lose access to those too. If any of your accounts contain your SIN, banking information, or personal data, the hacker could use those details to commit identity theft.
A scammer could also trick you into opening malware, which could damage your computer with a virus or introduce ransomware, locking all your files and demanding a large payment to get them back.
Social engineering: Why phishing works
You may think you would never fall for a phishing scam, but the fact is, they work. One-third of Canadians experienced a phishing attack between March and September 2020, according to a Statistics Canada survey. Another survey found that one in 10 Canadians have unknowingly replied to phishing messages.
Phishing uses social engineering, which relies on people’s natural tendency to trust others. The cyber criminal uses something you are familiar with, such as your Netflix account or even your uncle Fred's hacked email account, and then exploits your trust. While all phishing scams follow this same principle, scammers work in various ways.
Types of phishing scams
- Phishing: Phishing scams are often generic mass messages that appear to be legitimate, such as from your bank or credit card company.
- Spear phishing: A spear phishing attack targets you specifically. The message may include personal details, such as recent online activities or purchases.
- Whaling: A personalized attack that targets a CEO or executive is called whaling. This is because they go after a bigger phish. Get it? A cyber criminal chooses them to possibly gain access to more profitable or sensitive information.
- SMiShing: SMiShing is when a scammer uses SMS (text messages) to pose as someone you know or a service that you use to request information or a payment or get you to click on a link.
- Vishing: Vishing is phishing by voice call. The cyber criminal typically calls through a voice over internet protocol (VoIP) system that displays an organization’s phone number, so the call appears to come from a legitimate source.
Signs of a phishing email or website
Watch out for these phishing red flags:
- Suspicious domain name. The domain name has typos or extra characters that make it look close to a real name (like Facebok.com). The sender name may appear legitimate, but if you click on it, you will see the address does not match the name or is just a bunch of random characters.
- Spelling mistakes and typos. This is common in phishing emails.
- Urgency. A cyber criminal may try to scare you with threats of a lost account or being arrested if you don’t act quickly.
- Unfamiliarity. A message from someone whose name, email address or phone number you don’t recognize is suspicious, especially if they request personal information.
- It’s too good to be true. Winning a lottery you never entered or receiving money from a relative you’ve never heard of are signs of a scam. Remember, if you won a prize, you shouldn’t have to pay to claim it.
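The first three red flags above (look-alike domain, sender name that doesn’t match the address, urgency language) can be checked mechanically. The following is an added example, not part of the original article or any CIRA tool: a small Python script that scores an email’s From header, subject and body against those red flags. The list of known domains, the urgency phrases, the edit-distance threshold of 2 and the two sample messages are all constructed assumptions for the demo; a real mail filter would use the organization’s own allow-list and far richer signals.

```python
import re
from email.utils import parseaddr

# Constructed allow-list of brands the recipient actually deals with (assumption).
KNOWN_DOMAINS = {"facebook.com", "netflix.com", "canada.ca", "cira.ca"}

# Constructed list of pressure phrases typical of the "Urgency" red flag (assumption).
URGENCY_PHRASES = (
    "act now", "immediately", "account will be suspended",
    "within 24 hours", "you will be arrested", "verify your sin",
)

# Maximum edit distance at which a domain counts as a look-alike (tuning assumption).
LOOKALIKE_THRESHOLD = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_domain(domain: str, known=KNOWN_DOMAINS):
    """Return the known domain that `domain` closely imitates (e.g. facebok.com), or None."""
    if domain in known:
        return None
    for k in known:
        if levenshtein(domain, k) <= LOOKALIKE_THRESHOLD:
            return k
    return None


def phishing_red_flags(from_header: str, subject: str, body: str) -> list:
    """Return a list of human-readable red flags found in a message; empty means none found."""
    flags = []
    display_name, address = parseaddr(from_header)
    domain = domain_of(address)
    name_l = display_name.lower()

    # Red flag: display name claims a known brand, but the address domain is not that brand.
    for k in known_sorted():
        brand = k.split(".")[0]
        if re.search(rf"\b{re.escape(brand)}\b", name_l) and domain != k:
            flags.append(f"display name mentions {brand} but address domain is {domain}")

    # Red flag: sender domain is a typo-squat of a known domain.
    look = lookalike_domain(domain)
    if look:
        flags.append(f"sender domain {domain} imitates {look}")

    # Red flag: urgency / threat language in subject or body.
    text = f"{subject} {body}".lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))

    # Red flag: a link in the body points at a look-alike domain.
    for host in re.findall(r"https?://([^\s/\"'>]+)", body):
        look = lookalike_domain(host.lower())
        if look:
            flags.append(f"link host {host} imitates {look}")

    return flags


def known_sorted():
    """Deterministic iteration order over the allow-list."""
    return sorted(KNOWN_DOMAINS)


# Constructed sample messages (assumption): one phishing attempt, one legitimate notice.
SAMPLE_MESSAGES = [
    {
        "from_header": "Facebook Security <alerts@facebok.com>",
        "subject": "Your account will be suspended",
        "body": "Act now: sign in at http://facebok.com/login to keep your account.",
    },
    {
        "from_header": "Netflix <no-reply@netflix.com>",
        "subject": "Your monthly bill",
        "body": "Thanks for being a member. Your statement is available in your account settings.",
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from_header"])
        for flag in phishing_red_flags(**msg) or ["no red flags found"]:
            print("  -", flag)
```

Run it as-is and the first sample trips every check while the second trips none. The point of the demo is the layering: a single heuristic (say, edit distance alone) produces false positives on short domains, so a filter should require several independent signals before quarantining, and a human should still apply the remaining red flags (unfamiliar sender, too good to be true) that no regex captures.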
Resource: Get Cyber Safe has a fancy infographic showing the 7 red flags of phishing.
Tips for avoiding phishing scams: Build these habits!
- Don’t download unknown or unexpected files.
- Don’t click on links in emails, especially if the email is asking you to sign in to an account. Do a Google search for the website, visit a bookmark, or type the domain directly into your browser instead.
- Stay calm if an email says you need to act fast. Verify whether the email is real first.
- Use a spam filter in your email account and apply software updates and patches.
- Use anti-phishing software. Canadian Shield from CIRA provides free, enterprise-grade privacy and cybersecurity protection to Canadians.
- If someone you know asks for money by email, check with them by phone or in person. If a company or service asks for personal or financial information, call their head office to verify.
- Use strong, unique passwords for all of your accounts, store them with a password manager and use the added security of multi-factor authentication. This will protect your other accounts if one is compromised.
What to do if you click a phishing link
Even when you take precautions, scammers are sneaky and you may fall for a phishing scam. Don’t panic and take these steps:
- Disconnect your device from the internet to reduce the risk of malware spreading to other devices on the network.
- Back up your files in case they get erased.
- Change your username and password for the account associated with the attack.
- Scan your system for malware.
- Report the scam to the company associated with the attack, the police or the Canadian Centre for Cyber Security.
Interested in running phishing tests in your workplace?
CIRA's Cybersecurity Awareness Training integrates phishing simulations and courses on key cybersecurity topics in one platform.