Types of Phishing: Tips to Prevent, Spot, Report Scam Emails
October is National Cybersecurity Awareness Month and it's an excellent reminder that protecting your personal information online is important. One way to do that is to recognize and avoid phishing scams.
What is Phishing, and How Does It Work?
Phishing is a tactic scammers use to impersonate legitimate companies or individuals using email, text messages or phone calls to trick people into revealing sensitive information such as usernames, passwords, credit card details, other banking and payment information and more.
Think of how fishermen use bait to catch fish — your personal information is the fish in this scenario, the scammer is the fisherman and the bait is the fraudulent email they send you. For example, the email might ask you to click on a link and update your information.
"Phishing is the most common type of cyberthreat," said Judith Dionne, information security awareness and training manager at Southern New Hampshire University (SNHU), "because the messages appear so innocent and authentic."
What Are the 3 Most Common Types of Phishing Attacks?
There are many types of phishing emails to be on the lookout for.
Josh Gomez, director of Information Security Operations at SNHU, said three main categories of phishing are:
- Clone Phishing - Replica emails of legitimate messages, designed to trick their targets into sharing personal information. For example, this message type could look like an Amazon delivery email.
- Business Email Compromise (BEC) - Targeted to specific employees in finance or accounts payable departments who are authorized to initiate money transfers.
- Whaling - Phishing that targets an organization’s C-suite executives.
According to Dionne, "The information a cybercriminal is after will determine the kind of phishing email sent."
What is a Common Example of a Phishing Attempt?
One example Dionne provided was when a cybercriminal seeks usernames and passwords. In this case, an alarming email is sent telling you that one of your accounts was compromised and you must reset your password.
"The email would include a link to a site to help the person reset their password, but the site is spoofed," said Dionne. "Following the link would take them to the fake site that is branded to look like it belongs to the business, and they would be prompted to enter their existing username and password to create a new one. For example, if you have a bank account with Bank of America (BOA), the phishing message would have the BOA logo, and the link the site brings you to would look like a BOA log-in page."
Typing in your credentials would send them directly to the cybercriminal. After you type them into the fake site, nothing happens on it, and most users think it's a faulty link and won't question it. In reality, the cybercriminal just learned the username and password for your bank account.
How to Spot a Phishing Email
At first glance, it can be easy to miss a phishing attempt.
Robin Sullivan, director of portfolio for Technology Services at SNHU, shared some red flags to be aware of to help identify potential phishing emails; these include:
- Poorly written emails with misspellings or spoofed display names
- Language trying to instill a sense of urgency
- The web and email addresses don’t look genuine
- They ask you to confirm personal information
Dionne noted some additional signs to look out for, including:
- Links and attachments in the email
- Unusual requests (such as transferring overdue funds)
- Unsolicited offers for part-time employment or work-from-home jobs
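As an added illustration (this code is not from the article or from SNHU), here is a small Python checker that looks for several of the red flags listed above in a raw email: a brand display name sent from an unrelated domain, a Reply-To that differs from the sender, urgency language, and links whose visible text disagrees with their real target. The brand table, the sample message and the `.example` hosts are constructed for this example, and the checks are heuristics that flag suspicion rather than prove phishing.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Pressure phrases behind the article's "urgency" and "jeopardized account" red flags.
URGENCY = ("immediately", "urgent", "suspended", "compromised", "verify your account", "overdue")
# Constructed allow-list: brands the reader deals with and the domain that really sends for them.
KNOWN_BRANDS = {"bank of america": "bankofamerica.com", "amazon": "amazon.com"}
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered(host):  # crude registered-domain guess (last two labels); enough for these samples
    return ".".join(host.lower().split(".")[-2:])

def red_flags(raw_email):
    """Return the article's warning signs found in one RFC 822 message (heuristics, not proof)."""
    msg = message_from_string(raw_email)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_dom = addr.rsplit("@", 1)[-1].lower()
    for brand, legit in KNOWN_BRANDS.items():  # spoofed display name on a foreign domain
        if brand in display.lower() and registered(sender_dom) != legit:
            flags.append(f"display name '{display}' but sender domain {sender_dom}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != sender_dom:
        flags.append("Reply-To domain differs from From domain")
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join(p.get_payload() for p in parts if p.get_content_maintype() == "text")
    hits = [t for t in URGENCY if t in (msg.get("Subject", "") + " " + body).lower()]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    for href, anchor in HREF_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        shown = urlparse(anchor.strip()).hostname if "://" in anchor else None
        if shown and registered(shown) != registered(host):  # visible URL vs real target
            flags.append(f"link text shows {shown} but points to {host}")
        for brand, legit in KNOWN_BRANDS.items():  # brand name buried in a look-alike host
            if legit.split(".")[0] in host and registered(host) != legit:
                flags.append(f"look-alike host {host}")
    return flags

# Constructed sample modelled on the article's Bank of America password-reset scenario.
SAMPLE = """\
From: Bank of America Security <alerts@boa-secure-login.example>
Reply-To: verify@mailbox-collect.example
Content-Type: text/html

<p>Your account was compromised. Verify your account immediately or it will be suspended.</p>
<a href="http://bankofamerica.com.boa-secure-login.example/reset">https://www.bankofamerica.com/reset</a>
"""
```

Calling `red_flags(SAMPLE)` returns five flags for the constructed message, one for each of the red flags above, while a genuine order notice from a listed brand's own domain returns none.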
So, What Happens If You Open a Phishing Email?
Most phishing emails are relatively safe to open as long as you don't interact with them, said Dionne. Just be sure you don't click on links or open/preview any attachments. If that happens, she said you could be opening yourself up to potential risks, such as:
- Computer worms
If you open a phishing email and click on a link or attachment, there are a few things you can do to try and protect your information.
To start, you should immediately close all your tabs and browsers, according to Identity Guard. Next, check for any automatic downloads that may have started and delete those too.
Identity Guard also recommends potentially changing your usernames and passwords. Remember the Bank of America scenario? In that case, change your username and password immediately to prevent unwanted access to your account.
If you use the same password for multiple accounts, change those passwords, too. Identity Guard recommends considering a password manager, which can help you create and organize your usernames and passwords. As an added bonus, a password manager can create strong, secure passwords for you.
For some additional peace of mind, you could consider installing anti-virus or anti-malware software that can scan and remove potential threats from your devices.
If you interact with phishing on a work device, be sure to notify the appropriate contact at your organization to follow company protocol and next steps.
How to Protect Yourself from Phishing
Phishing scams can be costly to businesses and individuals.
“Compromised information as a result of phishing can cause significant damage to a person or an organization," said Sullivan. "It can lead to identity theft, financial loss, loss of access to email and loss of personally identifiable information.”
So, it’s important to know how to try and prevent falling prey to phishing attempts.
Sullivan offers these tips to protect yourself:
- Use strong, unique passwords for each of your online identities. Never re-use the same password for multiple online identities. Choose different letters, numbers and symbols and avoid using anything familiar that others can publicly research about you, such as your date of birth or a pet's name.
- Never click links in an email. For example, if you receive a notification from your bank, log in directly to the bank’s website instead of using the link in your email.
- Never share personal or financial information in an email.
- Always be suspicious of unsolicited emails and phone calls.
- If it sounds “too good to be true,” it probably is; an unsolicited work-from-home job offer is a common example.
- Use anti-virus, email filtering and firewalls to reduce phishing traffic.
Dionne said another tip is to slow down when reading emails. She advised taking your time and considering these questions:
- Do you know the sender?
- Are you expecting an email from the sender?
With regard to the tone of the email:
- Is it urgent?
- Does it tell you that you missed a payment or that someone jeopardized your account?
"Cybercriminals may send one message to many people at once and at odd times of day," Dionne said. If the message looks unusual or suspicious, look at:
- The time of day you received it
- The amount of people copied on it
- If you know anyone copied on it
"You may also get phishing emails from people you know," said Dionne. "If you get an unusual email from a family member or friend, check the message's validity through another channel."
You can call or text the original sender to see if they sent it. Dionne said not to trust that a message is secure if it's unexpected or out of character for the sender.
“But no matter how many controls are put in place to protect our environment, the best defense will continue to be user awareness and vigilance,” Sullivan said. “As technology changes, scams become more sophisticated and complex, and we will always have these threats to some degree.”
How to Protect Yourself from Employment Phishing Scams
Employment scam emails are one type of phishing that can affect people looking for work, especially college students.
"These emails are usually looking for one thing: Information," Dionne said. They trick you into giving personal information to cybercriminals posing as potential employers.
One way to protect yourself is to know what you've applied for and pay attention to who's sending the email. "Never respond to an unsolicited request for employment through email," Dionne said.
How to Report Scam Emails
If you feel you’ve received a phishing attempt, report the scam to help prevent it from happening to others.
Gomez suggests these tips to help you report suspicious emails:
- Report email as phishing or spam. Many email providers have buttons within their platforms to report the individual email as phishing or spam. Be sure to check yours.
- Report suspicious websites to Google Safe Browsing or security solution software firm ESET.
- Report scams and fraud to the Federal Trade Commission (FTC) Online Complaint Assistant and to the Internet Crime Complaint Center (IC3).
What's the Difference Between Spam and Phishing Emails?
Spam is unsolicited email sent to many users at once, usually an unsuccessful attempt at marketing that pushes a product on recipients. Think of it as annoying junk mail: unlike a phishing attempt, the sender isn’t purposely trying to steal your information.
See how savvy you are by taking Google’s Phishing Quiz to learn to identify phishing emails better and protect yourself from potential cyberthreats.
Michelle Shreeve ’15, ’16, is a freelance writer and the author of “Parental Death: The Ultimate Teen Guide.” Connect with her on LinkedIn.