Phishing is a type of attack on personal data that comes in the form of a fake email or wesbsite, which is made to look like it comes from a reputable site – but does not.
A user might, for instance, get an email that has all of the themes and imagery of a typical message from Facebook, except this email will tell the user they need to reset their password and will offer that user a login prompt to do so.
The user clicks on the prompt, is directed to a fake webpage that looks like Facebook, and then the user enters their login and password. Just like that, the phishing attack has succeeded. Phishing works because it plays on people’s trust. Facebook is a good example of this. In recent years, the ubiquitous social media platform has become a very popular tool for phishers, who have exploited both Facebook’s popularity and people’s fears of losing their personal data – ironically enough – to steal people’s data by sending them bogus password reset requests that purport to come from Facebook, but do not.
Of course, phishing attacks in the form of Facebook emails are not the only form of phishing – attackers send similar messages that imitate the format of messages from major banks and credit card companies as an attempt to get access to people’s financial data and online accounts. Whatever web service is in question, the goal of phishing attacks is always the same – to exploit users’ trust in well-known institutions to get their usernames, emails, passwords, or PINs.
There are several ways to avoid phishing attacks. The common theme in each is to be highly suspicious of any online request for your personal information.
- Never complete a request for personal information that comes in an email.
- Only enter personal information on a secure website. You will know a website is secure if the URL begins with ‘https://‘ and if a lock icon appears in the lower right corner of your Internet browser. Click on that lock icon to view the site’s security certificate.
- Look for telltale signs of forgery in emails that request personal information – spelling errors are immediate red flags. If the prompt to a webpage to enter your data has an URL that is different than the site you expected to be going to, that is a sure sign of a phishing attack.
- Don’t click on links asking for personal information. Instead, go directly to the site in question by typing the URL into your browser manually.
- Make sure your computer’s antivirus suite has phishing protection.
- Make sure your web browser, antivirus, and all software programs on your computer are always updated to the latest versions that have the latest security patches.
- Report any suspicious messages to your bank or social media platform immediately.
