WHAT IS PHISHING?

Phishing is an attempt to trick people into sharing important personal information — banking information, logins, passwords, credit card numbers.

Phishing is an Internet derivation of the word fishing. Fishing is the ideal metaphor for the techniques scammers use. The goal of phishing is to lure people into providing information which the perpetrators sell or use to defraud victims.

“Smishing” is similar to phishing but is perpetrated SMS (text messaging) or messaging apps like WhatApp where phishing uses email.

CASTING THE NET

Phishing is a numbers game. A phishing attempt will typically start with an email sent in bulk to a massive email list (i.e. spam). Scammers are always finding new and inventive ways to get past the spam filters email service providers have in place. Of the messages that are delivered, most will be ignored or reported. The possibility of landing even one victim makes the effort worthwhile for scammers.

THE LURE

Perpetrators of phishing scams will often go to great lengths to make their phishing email appear as a legitimate communication from a trusted and recognized brand or institution. Banks, payment sites (PayPal, Venmo etc.), big retailers (Amazon, WalMart, eBay) and even government bodies (IRA, CRA) are common targets.

Scammers will spoof email addresses to appear legitimate (e.g. fraud@recognizablebrand.com) and in more sophisticated attempts, will use brand elements and language to great effect in an attempt to get the recipient’s guard down.

THE BAIT

The bait in a phishing scam can be anything that gets people to click. Some common tactics used in phishing scams are asking users to login to their account to reset a password, deny a transaction or to claim a refund or reward. The bait can be positive — as with a reward or refund — or negative — to avoid monetary loss, to reclaim a compromised account or even to avoid criminal charges.

THE HOOK

Clicking on a link in a phishing email will typically take victims to a page that can be a very convincing spoof of a trusted brand or organization. Phishing sites, like the message that brought them there, can be convincing fakes in more sophisticated attempts. The page may appear legitimate. It may even trick browsers into believing it’s “secure” with an https:// prefix and a lock icon. Scammers will also use lookalike characters e.g. I, |, or 1 for l or use non-English alphabets (e.g. Cryrllic) to create a convincing web address.

If the user completes the action and attempts to login with their username and password, enter credit card information etc. this information is now in the hands of scammers and a whole bunch of bad things can start to happen including theft, fraud and identity theft. If the victim used the same username and password for multiple sites, the problem can quickly snowball.

WHAT TO DO IF YOU’RE A VICTIM OF PHISHING

It is important to take action immediately:

If you input a credit card number, cancel the card before scammers can use or sell it.
If you’ve input a login / password, change that login and password by going directly to the source before scammers can use or sell it.
Change your username and password on any site or service where you’ve used the phished username and password.
It’s too late to say “don’t use the same username and password on more than one site” but, well, don’t.
Reach out to the organization or service that the scammers spoofed in their phishing attempt to tell them your information has been compromised.
Create a NetBeacon report to provide the information a registrar, host or other industry partner needs to take action against the phishing site.

Take Action

HOW TO REPORT ONLINE ABUSE

If you suspect or have witnessed online abuse, sharing a NetBeacon report is the single most impactful action you can take. A NetBeacon report ensures that the information gets into the right hands.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_MQJE9B6CZP	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_990977_22	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.