The Banyan Theory Blog

How Phishing Scams Work

posted by Nick

In its most basic form, here’s how a phishing scam works:

  1. A scammer emails you a link
  2. You click on the link
  3. You give the scammer your username and password

Sound like something you’d never fall for? Read on to be sure.

Anytime you click on a link from an email and you’re asked to log in, even if the email is from a person or company you know and trust, you should check for two things in the browser after clicking the link: https:// at the beginning of the URL, followed by a domain you trust (like google.com).

Scammers depend on the fact that most people do not check these things.

The simple scenario above may not sound all that plausible, but it catches people all the time. How? It’s in the details. Let’s go through those three simple steps again, this time in a bit more detail:

  1. First, the scammer sends you a link in an email that’s made to look like it’s from someone you know. In fact, this can be done in a way that a “spoofed” email is indistinguishable from a real email, which is one reason it can be so easy to fall for a phishing scam.

  2. Since the email appears to be from someone you know, you click on the link that’s in it, which might include enticing wording, such as: Watch this guy fall into the fountain at the mall while texting. LOL!

  3. After clicking on the link, you arrive at a Facebook login page. You get plenty of videos that are on Facebook, so this isn’t surprising, and you enter your email and password.

And right there, you gave away your Facebook password to the scammer, who set up a login page that looks like the one at facebook.com but was actually hosted at facebook.funniest-world-video.com (or some other site you’ve never heard of).

This is why it’s so important to look at the URL of any page where you’re about to log in or enter any personal information. If the domain doesn’t look right, leave the site immediately. Do not think “this is probably OK, so I’ll give it a try.” The mess you’ll have to clean up after giving away your password is far worse than wondering how funny that video might have been.

Domains

You should also be aware of how domains work. If someone owns the domain xyz.com, they can put anything they want in front of it, as long as they only use letters, numbers, hyphens, and periods.

This can be as simple and harmless as www. (as in www.xyz.com) but unfortunately can also be longer and designed to trick you, such as www.facebook.com.xyz.com.

Because of this, you need to look at the entire domain to make sure it’s something you trust.[1]

Links

Another thing to be aware of is how easy it is to make a link in an email say one thing and do another. Specifically, a link has two parts – the link text (which you see) and the link URL (where you’re taken when you click on the link). Often, these are one and the same. For example, in the following link, https://twitter.com is both the link text and the URL:

https://twitter.com

And here is the HTML that creates the link above:

<a href="https://twitter.com">https://twitter.com</a>

However, the link text can be something entirely different, and that’s very useful in many legitimate cases. For example, in the following link and HTML, Twitter is the link text and https://twitter.com is the URL:

Twitter

<a href="https://twitter.com">Twitter</a>

As you might have guessed, it’s this ability that allows a scammer to trick people. Since the link text can be anything, scammers will often use a different URL as the text. Here’s an example:

https://twitter.com

<a href="https://www.google.com">https://twitter.com</a>

If you click this last link, you’ll see that it actually points to https://www.google.com and not to https://twitter.com as the text would lead you to believe. Now, replace Google’s URL with a hacker’s URL, and you can see how clicking the harmless-looking twitter.com link would actually lead you to a hacker’s website.
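To make the two checks from the Domains and Links sections concrete, here is a small checker in plain JavaScript (runs under Node.js, which provides the URL class). It is an added example, not code from the original post: it reduces a hostname to the domain its owner controls, refuses a login URL that is not https:// on a trusted domain, and flags an anchor whose visible text claims a different site than its href. The registrableDomain function assumes a one-label suffix such as .com.

```javascript
// Added example (not from the original post). Applies the post's two checks:
// (1) is a login page served over https:// on a domain you trust, and
// (2) does a link's visible text name a different site than its href?

// Reduce a hostname to the domain its owner controls. Everything to the
// left of it (www., facebook.com., ...) can be anything the owner chooses.
// Simplification: assumes a one-label suffix such as .com; a real checker
// would consult the Public Suffix List to handle names like example.co.uk.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Check a page URL before entering credentials. trustedDomains is a list of
// registrable domains you know, e.g. ["google.com", "facebook.com"].
function checkLoginUrl(urlString, trustedDomains) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { ok: false, domain: null, reason: "not a valid URL" };
  }
  const domain = registrableDomain(url.hostname);
  if (url.protocol !== "https:") {
    return { ok: false, domain, reason: "not served over https" };
  }
  if (!trustedDomains.includes(domain)) {
    return { ok: false, domain, reason: "untrusted domain " + domain };
  }
  return { ok: true, domain, reason: "" };
}

// Parse one <a href="...">text</a> (absolute href assumed) and report whether
// the visible text is a URL whose domain differs from the href's domain.
function checkAnchor(anchorHtml) {
  const m = anchorHtml.match(/<a\s+[^>]*href="([^"]*)"[^>]*>([\s\S]*?)<\/a>/i);
  if (!m) return null;
  const [, href, text] = m;
  let textDomain = null;
  try {
    textDomain = registrableDomain(new URL(text.trim()).hostname);
  } catch (e) {
    // Text such as "Twitter" is not a URL, so it claims no destination.
  }
  const hrefDomain = registrableDomain(new URL(href).hostname);
  return { href, text, mismatch: textDomain !== null && textDomain !== hrefDomain };
}
```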

Another Red Flag

It’s common to leave yourself logged in to a site, say Facebook, especially on a home computer. If you click on a Facebook link in an email and you’re asked to log in, this should raise a red flag in your head. Why are you being asked to log in if you’re already logged in? Often, it’s because you’re not really at facebook.com.

Now, it’s possible that it’s been too long since you last logged in, and you’re seeing the real login screen for legitimate reasons. Even so, you should open a new browser tab, go to facebook.com, log in, and then try the link from your email again. This ensures you’re definitely logging in to the right place. And if the email link is legit, it’ll work the second time you click on it.

Spear Phishing

Spear phishing is a highly targeted version of phishing. Typical phishing scams are not tailored to you individually – they often don’t include your name or anything else specific to you. Spear phishing, on the other hand, targets only you (or a select few individuals).

How might this affect you as an insurance agent? Let’s say you insure a family, and the husband and wife go through a nasty divorce. If one of them gets the house in the divorce, the other might be motivated to cause some problems. Let’s say one is skilled with computers and decides to send you a “Check out our new agent portal!” email that appears to be from one of your insurance carriers. If you follow the link and don’t notice the full domain www.foragentsonly.com.some-other-site.com and you attempt to log in, you’ve just handed your account over to the hacker, who can now go and cancel or downgrade the policies of the other spouse (or anyone else you insure).

Sound far-fetched? Stranger things have happened. Since it takes almost zero effort to look at the domain before logging in, there’s really no excuse not to, knowing what kind of damage can be done if you don’t.

Bottom Line

The one takeaway you should have is that you should never type your username and password on a website unless you’re absolutely certain that you are where you think you are. If in doubt, ask the person who sent you the email if they really sent it. Even then, it’s a good idea to type the website’s domain into your browser yourself.


[1] Technically, something.xyz.com is called a host, not a domain, but this is a minor distinction for the task at hand.