How to Recognize and Avoid Phishing Scams

Fraudsters employ emails or text messages to deceive individuals into divulging their personal and financial details, yet there exist multiple methods to safeguard yourself. 

In the age of surveillance capitalism, your email address has a cash value. Service providers track you when you sign up for a service, use an app, or surf the internet. Data brokers use advanced technology to gather all those tiny, wide-ranging traces of your digital activity, even purchasing it from dubious sources. They weave it into a coherent, shockingly encyclopedic profile of individuals. Then, they sell this information to governments and ad tech companies, who resell the data for targeted advertising.

There are over 5,000 data broker companies worldwide, and the global data broker service market is expected to make over $545 billion in 2028.

Even cybercriminals can buy the data. 

How can an ordinary human beat this gigantic machine to stay ahead of spamming and phishing emails, especially if your address is exposed publicly? 

How exposed are we to threats that arrive via our inboxes, and what steps can we take to stay safer?

What is Phishing?

​Phishing is a cybercrime technique that involves the deceptive practice of luring individuals into divulging sensitive and confidential information, such as passwords, credit card numbers, and personal identification details. 

It typically takes the form of fraudulent emails, websites, or messages that impersonate trustworthy entities, like banks, government agencies, or well-known companies. 

The ultimate goal of phishing is to exploit the victim's trust and manipulate them into providing valuable data, which can be subsequently used for malicious purposes.

Common types of Phishing?

• Email Phishing: In this classic form of phishing, attackers send fraudulent emails that appear to be from reputable sources, asking recipients to click on links or provide sensitive information.
• Spear Phishing: This is a more targeted form of phishing where cybercriminals tailor their messages to specific individuals or organizations, often using personalized information to make the emails seem legitimate.
• Vishing (Voice Phishing): In vishing attacks, scammers use phone calls to impersonate legitimate organizations or authorities, seeking sensitive information from victims over the phone.
• Smishing (SMS Phishing): Smishing involves phishing attacks via text messages. Victims receive SMS messages that contain links to malicious websites or ask for personal information.
• Pharming: In pharming attacks, cybercriminals redirect victims to fraudulent websites even if they type the correct web address in their browser. This is often done by manipulating DNS settings.
• Clone Phishing: Attackers create duplicates of legitimate emails or websites to deceive recipients. They then send these cloned messages or links, tricking victims into divulging information.
• Whaling or CEO Fraud: This targets high-ranking executives within organizations. Cybercriminals impersonate CEOs or other top officials to request money transfers or sensitive information from employees.
• Business Email Compromise (BEC): In BEC attacks, scammers compromise or impersonate a legitimate email account within an organization, often a high-level executive, to trick employees into making unauthorized payments or sharing confidential data.
• Attachment-Based Phishing: Attackers send emails with malicious attachments that, when opened, can infect a victim's device with malware, allowing for data theft or control over the device.
• Link-Based Phishing: This involves sending emails with links to fake websites that mimic legitimate ones. Victims are then tricked into entering their sensitive information.
• Man-in-the-Middle (MITM) Phishing: In MITM attacks, cybercriminals intercept communication between a victim and a legitimate website, capturing sensitive information in the process.
• Search Engine Phishing: Cybercriminals manipulate search engine results to direct victims to fraudulent websites, often designed to resemble legitimate ones.

These are some of the common types of phishing attacks that cybercriminals employ to deceive individuals and organizations, highlighting the importance of vigilance and cybersecurity measures to protect against these threats.

What is Spam? 

 Spam encompasses any unsolicited mass communication, primarily transmitted through email, although it can also be disseminated via text messages (SMS), social media, or phone calls. These unsolicited messages can range from innocuous yet irritating promotional emails to potentially fraudulent or malicious schemes.

Common types of spam 

• Email Spam: This is perhaps the most well-known form of spam, where unsolicited and often irrelevant or promotional emails flood your inbox.
• Social Media Spam: Spam on social media platforms includes unwanted friend requests, comments, or messages containing links to malicious websites or irrelevant content.
• Text Message (SMS) Spam: Unwanted and often fraudulent text messages sent to your mobile phone, typically promoting products or services.
• Phone Call Spam: Also known as robocalls, these are unsolicited automated phone calls that can be be marketing messages, scams, or phishing attempts.
• Comment Spam: This type of spam occurs on blogs and websites, with spammers posting irrelevant or promotional comments, often with links to external websites.
• Forum and Message Board Spam: Similar to comment spam, spammers post irrelevant or promotional content on online forums and message boards.
• Instant Messaging (IM) Spam: Unsolicited messages sent through instant messaging platforms, often containing links to phishing sites or malware.
• Social Network Spam: Spam content or fake profiles on social networking sites, seeking to spread scams or malicious links.
• Search Engine Spam: Manipulating search engine results with irrelevant or malicious links in an attempt to boost a website's ranking.
• Image Spam: Embedding text within images to bypass text-based spam filters, often used in email and online forms.
• Malware Spam: Emails or messages that carry malicious attachments or links to infect your device with malware.
• Affiliate Spam: Spam that promotes affiliate marketing programs and earns spammers commissions for driving traffic or sales.
• Phishing: A form of spam that attempts to trick recipients into revealing personal or sensitive information, such as login credentials or financial data.
• Lottery and Prize Scams: Unsolicited messages claiming that you've won a prize or lottery and asking for personal information or payment to claim the reward.
• Dating and Romance Scams: Messages from fake online profiles, often attempting to develop a romantic relationship and eventually seeking financial assistance.
• Advance Fee Fraud: Spam messages promising substantial financial gains in exchange for an upfront payment, which is never delivered.

These are some of the many types of spam that individuals and organizations encounter across various communication channels. It's important to be vigilant and employ spam filters and security measures to protect against these unsolicited and potentially harmful messages.

Spamming vs Phishing

The distinction between spamming and phishing hinges on the intentions of the sender, whether they are a spammer or a phisher. Spammers, while undeniably bothersome, typically do not have malicious intentions. They engage in spamming as a means to promote their products or services, although these offerings can sometimes be of low quality or even fraudulent. 

On the other hand, phishing attacks are orchestrated by cybercriminals with the primary objective of gaining access to your personal information or introducing malware to your device.

Spammers operate with something to market, and they have determined that sending out unsolicited messages is an effective way to achieve their goal. 

While some of the products or services they promote may be dubious, their primary motivation is sales. Phishing attacks, which can fall under the broader category of spam, tend to harbor more sinister intentions, encompassing activities like fraud, identity theft, and in some cases, corporate espionage.

The email displayed below serves as an example of the well-known advance-fee "Nigerian prince" phishing scam. Utilizing a web browser equipped with anti-phishing technology, such as Avast Secure Browser, can shield you from falling victim to this type of scam.

How Do Spammers Get Your Email Address? 

Not all spammers are evil. Electronic newsletters and ads are a cheap, effective way for businesses to get their message out there.

But there's the rapidly swelling data brokerage industry. Businesses, even some who say they don't sell your data, routinely sell their customer's details for cash. Or they share the data in return for other services via hazy data-sharing agreements with service providers like Google. Emails from 'good' businesses that arrive in your inbox via this spaghetti-like network are usually benign (but creepy!) and easy to deal with.

However, criminals can buy the same databases legally from data brokers like Experian and use them for nefarious purposes. It can be much harder to remove your details from these spammer databases.

Additionally, cybercriminals can buy data stolen in security breaches from dark web data brokers. Ironically, you may get on a spammer database if you subscribe to the wrong newsletter or respond to a phishing message.

• Harvesting emails from public sources: Spammers can employ automated tools to search the internet for email addresses, which may be found on websites, social media profiles, and email discussion lists.
• Purchasing email lists: Spammers have the option to buy email lists from third-party vendors. These lists may be compiled from various sources, such as public records, website registrations, and online surveys.
• Stealing email lists: Spammers may also pilfer email lists by hacking into computer systems or social media accounts.
• Exploiting data breaches: In the event of a data breach within a company or organization, spammers may access email addresses and other personal information from the stolen data.

• Exercise caution when sharing your email address, providing it only to websites and organizations you trust.
• Prior to signing up for any website or service, thoroughly review their privacy policy to ensure you comprehend how your email address will be utilized.
• Strengthen the security of your email account by using a robust password and enabling two-factor authentication.
• Stay alert to phishing emails. If you receive an email from an unfamiliar company or if the content appears suspicious, avoid clicking on links or divulging personal information.
• Employ an anti-spam filter to prevent spam emails from infiltrating your inbox.
• In the event of receiving spam emails, refrain from clicking on any links or opening attachments. Instead, mark the email as spam and delete it.​

What Can Hackers Do Once They Have Your Email Address? 

Email addresses serve as the foundational point of entry for various online platforms and portals, whether it's for something as routine as ordering groceries via a mobile app or registering on a new website (sometimes even serving as your username). 

Unfortunately, this convenience can also be exploited by hackers and malicious actors who can employ a range of fraudulent tactics with your personal or professional email address. In light of this vulnerability, hackers can carry out the following actions:

• Target You with "Phishing Emails": Phishing emails are designed to deceive and often contain malware attachments or links to counterfeit websites. Once you interact with these links or download attachments, malware gains access to your system, potentially leading to the theft of your personal data. These fraudulent emails often masquerade as reputable companies or trusted entities, occasionally even adopting the guise of government officials. Hackers employ sophisticated social engineering techniques to extract personal information such as your bank account number, social security number, address, phone number, or passwords.
• "Spoof" Your Email Address: Email address spoofing involves creating a counterfeit email address that closely resembles yours, with subtle and hard-to-detect alterations (like substituting a number for a letter or adding a hyphen). Hackers can use these spoofed addresses to extract information from your friends and family while pretending to be you. This tactic often bypasses spam filters on email clients.
• Hack Your Other Online Accounts: Although gaining access to your passwords for both your email and online accounts is necessary for this endeavor, hacking your email is a pivotal starting point. Employing the sophisticated phishing techniques mentioned earlier, cybercriminals can swiftly acquire additional information about you through various online accounts, usually commencing with gaining control of your email account.
• Impersonate You Online: With full access to your email account, a hacker can typically discover a wealth of your sensitive information or avenues to access it. Today, email accounts contain a multitude of correspondence, spanning from interactions with friends and family to work-related, personal, and even financial communications. This trove of information can be leveraged to impersonate you, with the intention of further extorting you or those closest to you.
• Steal Your Identity or Commit Financial Fraud: Although this subject will be explored in more detail later, it's evident from the aforementioned points that your email address is a digital gateway to your physical identity. Many of the tactics employed by cybercriminals aim to extort money from their victims, whether through illicit purchases, unauthorized money transfers, or the use of ransomware to hold your data hostage. This issue is not limited to individuals alone; businesses are also at risk. Cyberattacks have been steadily on the rise over the past decade, with data breaches costing businesses substantial sums annually. Consequently, it is essential for employees to exercise caution with their professional contact information.

How to Start Fighting Back Against Phishing and Spam 

• The "Divide and Rule" Strategy: Using different email addresses or email aliases will help you to spot spam offenders. If you start receiving extra spam after signing up for a new account or service, you'll know who the culprit is who sold your email address. It goes without saying that you should never use your work email address for private activities.
• Filter, Report, and Block Spam: Before you hit the delete button on spam, "notify" your email client (e.g., Outlook, Thunderbird). They use machine learning to sniff out spam. If you mark emails as spam, you'll help your email provider get better at identifying spam.
• Use a VPN to Protect Against Tracking
• Your first line of defense against invasive email tracking is a VPN. Bulk email tracking software can reveal your IP address and location to senders. A VPN will change your location on Chrome and trick email trackers into logging in with a different IP address and geographical location. An advanced VPN can also help you to identify poisoned links in messages to prevent you from visiting dangerous websites.
• The Pros and Cons of Using the Unsubscribe Button: Legitimate organizations usually adhere to the email marketing practices required by the CAN-SPAM Act in the US. If you click "unsubscribe" they should remove your email address from their mailing list.
• Spammers aren't concerned about a legal backlash since they can simply switch their activities between a multitude of new domains. Report the email as spam to block that particular domain. However, the torrent of spam may continue from different domains that have not been blocked yet. It's a never-ending game of whack-a-mole.

But it gets more serious. The unsubscribe button could be a trick to divert you to a phishing website that will install malware on your device. Secondly, it's a way to confirm that your email address is active. 

A third possibility is that they could request and steal some personal information before they (fail to) unsubscribe you. 

Why am I getting spammed?

​Receiving spam messages is a consequence of many companies selling their customers' email addresses and contact information to advertisers and other third parties. Spammers favor sending bulk emails because it's a cost-effective approach. Even if just a small fraction of recipients responds to their spam campaigns, spammers can often achieve a positive return on their investment.

Change a Few Habits to Stem the Flood ​

There's no easy fix for the deluge of spam and phishing emails. As we've seen, the unsubscribe button only works if the sender is law-abiding and worries about their digital reputation.

• Digital footprint: Use your email address as a search keyword and get ready for a big shock when you see how exposed you are.
• Disinformation campaign: Change your email address on any sites that pop up to your new 'burner' details.
• Change privacy settings: Exclude your phone number and email address from internal search results on social media platforms and external search engines.
• Don't feed the data brokers: Restrict online sharing to a minimum.
• Use a VPN: Practice basic cyber hygiene to restrict surveillance and defend against cyberattacks like phishing. 

Ways To Protect Yourself From Phishing

•  Safeguard your computer by utilizing security software and configuring it to update automatically, ensuring it can promptly address emerging security threats.
• Enhance the security of your smartphone by enabling automatic software updates. These updates provide essential protection against potential security risks.
• Fortify your accounts by implementing multi-factor authentication (MFA). MFA enhances security by necessitating two or more authentication factors for account access, which can be classified into three categories:
• - Something you know, such as a passcode, PIN, or the answer to a security question.
• - Something you have, like a one-time verification code received via text, email, or an authenticator app, or a security key.
• - Something you are, including fingerprint scans, retinal scans, or facial recognition.
• Multi-factor authentication significantly bolsters your account's defenses, making it challenging for unauthorized individuals to gain access even if they acquire your username and password.
• Preserve your data by creating backups. Ensure your computer's data is regularly backed up to an external hard drive or stored in the cloud. Don't forget to back up the data on your phone as well.