Most of us grew up with the basics of internet etiquette — stay out of the comments section, keep your personal information to yourself, and send any emails from Nigerian princes fallen on hard times straight to the spam folder. But what is phishing, exactly? According to the Federal Trade Commission, phishing is a scam in which someone impersonates a business to trick you into giving out your personal information. It sounds easy to avoid, but according to a recent German study, many people are more gullible than they realize. In fact, some people click on suspicious links even when they claim to understand the risks.
So what gives? To find out why phishing scams work so well, researchers at Friedrich-Alexander University conducted a phishing scam of their own, sending out 1700 emails or Facebook messages to FAU students. Each message claimed to contain a link to a page with images of a party the recipient attended and was signed with a false name chosen from the top 10 most common names for the target group's generation. In the first round of messages, the recipients were addressed by name; in the second, the messages were more specific about the details of the (fake) party.
The messages were designed to mimic many phishing scams, so you'd think they would set off all kinds of red flags. However, researchers found that in the first study, 56 percent of email recipients and 38 percent of Facebook message recipients clicked on the link. When recipients weren't named, 20 percent of email recipients and 42 percent of Facebook message recipients fell prey to the scam. In a follow-up email, 78 percent of respondents claimed they were aware of online security risks, so presumably they didn't realize the links were suspicious or just clicked on them anyway. The latter reason isn't as far-fetched as it seems; according to the study, curiosity was the primary reason people followed the links.
But it's also reasonable to assume that people thought they understood phishing better than they actually did. Fund transfer frauds like the "Nigerian letter" scam are some of the longest-running, but the people behind phishing are smart and totally capable of adapting to the times. Let's look at some phishing basics below.
What Is It?
As discussed above, phishing is simple: It's the attempt to trick you into giving out personal information like your bank account password or Social Security number. Usually, the sender poses as a trusted source and emphasizes the need for quick action — verifying your account, confirming your identity, and so on.
What Does It Look Like?
Phishing emails are designed to look like they come from legitimate organizations like your university or bank, with the intention of getting you to follow a link to a malicious website. Sometimes, they're easy to spot; the emails might come from an organization you're unaffiliated with or contain poor grammar. Other times, it's a little less clear. Earlier this year, for example, the Washington Post reported on a surge in phishing emails mimicking the Internal Revenue Service (IRS) and TurboTax during tax season.
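As an added illustration of the cues just described (example code, not part of the original article), the small Python heuristic below checks a constructed email for the three signs the text names: a sender whose display name claims a trusted organization but whose address domain does not match, pressure to act quickly, and a link whose visible text or target points away from a trusted site. The trusted organizations, their domains and the sample message are assumed, constructed values.

```python
import re
from urllib.parse import urlparse

# Organisations the recipient actually deals with and their real domains
# (constructed, illustrative values).
TRUSTED = {"example bank": "examplebank.com", "example university": "example-university.edu"}
# Calls for quick action of the kind the article describes.
URGENCY = ("verify your account", "confirm your identity", "within 24 hours")
# Simplified anchor matcher: (href, visible text) pairs from an HTML body.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Visible link text that itself looks like a domain or URL.
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def hostname(value):
    """Lower-cased host of a URL or of a bare domain such as 'examplebank.com/x'."""
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def belongs_to(host, domain):
    # Exact match or a true subdomain; 'evil-examplebank.com' must not pass.
    return host == domain or host.endswith("." + domain)

def phishing_cues(sender, html_body):
    """Return the suspicious cues found; an empty list means none were seen."""
    cues, lowered = [], html_body.lower()
    m = re.search(r"@([\w.-]+)", sender)
    sender_domain = m.group(1).lower() if m else ""
    # 1. Display name claims a trusted organisation, but the address domain differs.
    for org, domain in TRUSTED.items():
        if org in sender.lower() and not belongs_to(sender_domain, domain):
            cues.append(f"sender claims '{org}' but mail comes from '{sender_domain}'")
    # 2. Pressure to act quickly.
    cues += [f"urgency phrase '{p}'" for p in URGENCY if p in lowered]
    # 3. Link text shows one site while the href goes to another, or the
    #    target is not one of the trusted domains at all.
    for href, text in ANCHOR.findall(html_body):
        target = hostname(href)
        shown = hostname(text) if LOOKS_LIKE_URL.fullmatch(text.strip()) else ""
        if shown and shown != target:
            cues.append(f"link text shows '{shown}' but goes to '{target}'")
        elif not any(belongs_to(target, d) for d in TRUSTED.values()):
            cues.append(f"link to untrusted site '{target}'")
    return cues

# Constructed sample message following the pattern the article describes.
SAMPLE_SENDER = "Example Bank Security <alerts@examplebank-login.net>"
SAMPLE_BODY = ('<p>Please verify your account within 24 hours:</p>'
               '<a href="http://examplebank.com.verify-now.net/login">examplebank.com</a>')
```

Running `phishing_cues(SAMPLE_SENDER, SAMPLE_BODY)` reports all four cues, while a genuine statement notice from `no-reply@examplebank.com` linking to `examplebank.com` reports none.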
How Do You Avoid It?
So how are you supposed to avoid being taken in by a scam? Here's what the Federal Trade Commission has to say on the subject:
Don't reply to email, text, or pop-up messages that ask for your personal or financial information. Don't click on links within them either - even if the message seems to be from an organization you trust. It isn't. Legitimate businesses don't ask you to send sensitive information through insecure channels.
Basically, no legitimate organization is going to ask you to follow a link to a site where you enter personal information. If you're in doubt, call the organization (not the number provided in the possible phish) and ask. Before you follow any links from senders you don't recognize, remember the results of the German study: Curiosity killed the computer.