When was the last time you received a suspicious, unsolicited email that asked for your personal information? Probably not too long ago. In fact, you’ve likely experienced this multiple times over the years. Techopedia reports that the FBI received 300,497 reports about phishing attacks in 2022. Additionally, a Vade Secure report notes a significant increase in phishing and malware attacks: 173% in Q3 2023, compared with the 493.2 million recorded in Q2 2023.
Before we begin
Phishing comes in many forms, from fraudsters claiming to be lawyers handling a deceased relative’s estate overseas to scammers posing as bank representatives. One of the most common phishing delivery methods is malicious advertising served by adware.
When you click on malicious ads, you run the risk of either infecting your Mac right away or landing on a malicious website. From there, the worst can happen, like your personal information getting stolen. MacKeeper’s StopAd is a preventative measure in the form of extensions that block ads to prevent phishing.
Here’s how to prevent ad phishing with MacKeeper’s StopAd:
- Download MacKeeper and click StopAd in the sidebar.
- Click the Install button next to each browser on the screen and follow the on-screen prompts to set it up.
It’s easy to fall for phishing scams if you’re unfamiliar with how they work. Read this guide carefully to learn more about phishing and how to prevent it.
What is phishing?
What is phishing, you may ask? It’s the deceptive act of posing as a representative to solicit people’s personal information. Phishing attacks are typically carried out by scammers and cybercriminals. The goal is to obtain information they can use to steal your identity, steal your funds, or defraud you in some way.
Below are a few examples of recent phishing attacks:
- Eventbrite malware attack. In December 2023, cybercriminals sent a series of fake emails purporting to be from Eventbrite using the fake email address “support[@]ev3ntbr1te[.]com”. In the emails, recipients were asked to click on the link included to sign an updated user agreement if they wished to continue receiving payouts. However, clicking on the link infected recipients’ devices with malware.
- Booking.com scam. In October 2023, The Guardian reported that some people who booked trips through Booking.com received realistic-looking emails from cybercriminals. The emails asked them to verify their payment method by clicking on a link. If they did, money was taken from their accounts. It’s likely that Booking.com was breached, although both the platform and hotel partners have denied the compromise was on their end.
- Israel-Palestine humanitarian crisis donation scam. As we saw with the COVID-19 pandemic, cybercriminals treat crises as opportunities to scam people. In this instance, cybercriminals took advantage of the Israel-Palestinian war to launch charity donation scams. In particular, cybercriminals posed as international aid organizations seeking funds to offer humanitarian aid to those affected. They started by highlighting the implications of the crisis to evoke victims’ emotions and then asked for Bitcoin donations.
By the way, the fake iforgot.apple.com scam is another example of a phishing scam—read our comprehensive guide on it.
How does phishing work?
Phishing is a form of social engineering. During a phishing attack, the cybercriminal or scammer poses as someone else to solicit the sensitive information of their targets. This is typically done via electronic communication like texts, emails, and social media.
Below is the typical DNA of a phishing attack:
- The scammer obtains your contact information. They can retrieve it from a data dump, obtain it by hacking the phone or accounts of someone you know, or buy it as part of a data broker list.
- The scammer contacts you via text message, email, or social media. Though they can also contact you via phone, the wrongdoers prefer sending out mass communications, which is why phishing emails are often generic. You can also be targeted directly, like on social media.
- The communication almost always contains clues that let the discerning individual know they’re dealing with a phishing attempt. Examples include an announcement that you’ve won a prize, a request to update your banking information, a fake invoice, and even glaring spelling errors.
- The email or text contains a link you must click on or an attachment you must download. Scammers don’t send phishing texts and emails for fun. They’re on a mission to obtain your sensitive information, so they always include an action you must take so they can compromise your device and steal your information. If not, their efforts would have been in vain.
- The language used scares you into taking action. Not leaving anything to chance, scammers typically use scare tactics or threatening language to get you to take action. For instance, they can threaten to close your online account if you don’t update your personal or financial information. Because of the sense of urgency, some victims will immediately respond with the information requested instead of taking the time to verify the legitimacy of the email first.
Here are the goals of phishing scams:
- Infect your phone or computer with malware.
- Steal your banking information to access your funds.
- Convince you to send them money or digital assets of your own accord.
- Gain control over your online accounts.
If a scammer can access your email or hack your social media accounts, they can take their attack even further. The scammer can reach out to your contacts and social media connections to scam them too, sometimes by pretending to be you.
Who is a potential victim?
Anyone can become a victim of phishing. Scammers can target you using the information that is available online. This includes your email address, social media profile, and mobile phone number. Cybercriminals can also target you using any personal information that is included in a data dump.
Cybercriminals don’t only target high-profile people, like the management or leadership of a company. Nor do they only target people they know. In many cases, they target complete strangers by sending out mass emails. It’s like casting a wide net in the ocean and hoping to catch something, hence the term “phishing.”
Signs of phishing attacks
Common signs of a phishing attack include:
- Spelling and grammatical errors
- Creating a false sense of urgency
- Use of threatening language
- Suspicious links, attachments, and URLs included
- Sent from a fake email address
- Username and password request
- Update payment request
- Spam email from your email address
- Generic greeting or salutation used
- Spoofed website included
- Unfamiliar tone used
- Unsolicited email
- Email seems too good to be true
- Generic messaging used
- Unprofessional tone used
How to avoid phishing
While anyone can become a victim of phishing, you can avoid it. Learn all the ways to reduce the likelihood of falling victim to phishing attacks below:
- Learn what phishing looks like
- Practice cyber hygiene
- Don’t click on random links
- Use spam filters
- Install a strong antivirus
- Block spam phone numbers
- Change your passwords regularly
- Keep your apps up to date
- Use mobile call filters
- Update your privacy settings on social media
- Stay away from public Wi-Fi networks
- Don't respond to strange messages and calls
- Check websites before you go
- Don't reply to suspicious emails and calls
- Don't share your personal information everywhere
- Don't click on pop-ups
- Request that data brokers delete your information
Read the guide below for more information about avoiding phishing attacks.
1. Learn what phishing looks like
Phishing scams are known to contain typos, spelling errors, and incorrect grammar. They typically come from a fake email address made to look legitimate with spelling variations. Those email addresses almost always come from non-official emails, like a fake Gmail address with a company name.
While scammers change their phishing schemes often, phishing attacks typically have the following identifiers:
- Don’t address you by name but use generic salutations, like “Dear Sir or Madam” or “Dear Customer.” This is a sign they don’t know you and are taking chances. An official company representative would know who they were contacting and refer to them by name.
- Ask you to perform an action, like downloading an attachment or clicking on a link.
- Ask for your sensitive information, like your banking details, Social Security Number, or other online account details.
- Create a sense of urgency, and sometimes instill fear. For example, a phishing email can ask you to click on a link to update your banking information to avoid having your account closed.
- Don’t include the company’s official contact details or a link to the official website in the text or email.
- Include bills and invoices you don’t recognize. These are usually fake, so check your bank statements and verify bills and invoices directly with the relevant service provider.
In the email above, someone who booked accommodation for a trip through the booking site Booking.com was targeted in a phishing attack. In this case, the victim was identified by her name. Her name could’ve been obtained through a breach of the Booking.com platform or the accommodation provider’s system. It’s believed the breach was on Booking.com’s part, although both parties have denied they were breached.
The scammers wanted to steal from the victim, so they set up a fake scenario to get her money. The cybercriminals claimed an error affected her payment and asked her to click on the link in the email to update her payment information to avoid having her stay canceled.
Context: The victim had either checked in or was due to check in soon when she received the email, so the timing was perfect. An email of this nature can easily be treated as a matter of urgency by unsuspecting victims, as there’s a deadline of 12 hours.
2. Practice cyber hygiene
When it comes to personal hygiene, there are rituals you do daily to ensure your body is clean. Similarly, cyber hygiene refers to various practices taken on by security-conscious users to improve their online security and maintain the health of their computer systems. The idea is to have a proactive approach to preventing and minimizing security risks on your electronic devices.
Here’s how to practice cyber hygiene:
- Be intentional about the passwords you create
- Enable multi-factor authentication to protect your online accounts
- Use different passwords for different online accounts
- Don’t open suspicious emails
- Avoid downloading attachments from unknown senders
- Never click on links from strangers or unwanted text messages and emails
- Never provide your personal information to anyone you don’t know
Be intentional about the passwords you create
According to a Google poll, 59% of US adults incorporated a name or a birthday into their password for an online account. When it comes to securing your accounts, using your birthday or a mashup of your name and birthday won’t cut it. Cybercriminals are smarter than you think. They know that some people are too lazy to create strong passwords, so those are the variations they try when attempting to access their online accounts. Don’t make it easy for them.
Enable multi-factor authentication to protect your online accounts
Two-factor authentication (2FA) is a popular security measure you can implement to secure your online accounts. It requires an additional factor to verify that you are who you say you are, over and above your username and password. With SMS-based 2FA, a one-time code is sent to you by text message before you can access your account.
However, text messages can be easily intercepted. For stronger security, consider using multi-factor authentication (MFA) instead. MFA offers multiple layers of security by asking for two or more methods to verify your identity. Microsoft’s Director of Identity Security, Alex Weinert, stated in a Microsoft blog post that the company’s studies showed that your account is more than 99.9% less likely to be compromised if you use MFA.
Use different passwords for different online accounts
When you use the same password across all your online accounts, you’re essentially handing your accounts to cybercriminals on a silver platter. Yet many people do this, so scammers will try the credentials they already have on hand against your other accounts.
Let’s say you use the same login credentials for your banking and other financial apps (like PayPal) as you do for your streaming apps (like Netflix). Imagine the damage that can be done if a scammer obtains your Netflix credentials and tries them against your banking apps. That’s the risk you take when you reuse the same passwords for different accounts. If that’s currently the case, change your passwords immediately and ensure they aren’t remotely similar across your accounts.
Don’t open suspicious emails
We know this sounds easier said than done. After all, according to Earthweb, the average person receives between 100 and 120 emails per day, although the exact figure depends on the user. Typically, only a fraction of these are phishing emails. It can be hard to stop and scrutinize all emails when you receive so many of them daily.
However, it’s necessary if you care about protecting your privacy. If you train yourself, you can quickly and easily identify and block phishing emails without thinking twice. Avoid opening emails from unknown or suspicious senders. Always check the sender’s address to see if it’s legitimate. Sometimes, the subject line is a dead giveaway, which can help you identify and delete phishing emails before reading them.
Avoid downloading attachments from unknown senders
Phishing emails always solicit an action from you, like downloading an attachment. These include images, videos, forms, and other media. However, attachments in phishing emails often contain viruses, malware, or other threats that can be dangerous to your device. Moreover, the threats can steal your information and compromise your privacy.
Malicious code can remain on your device undetected for a long time, which increases the risk it poses to your privacy. By the time you identify it (if you do), the damage could be extensive and sometimes costly.
Never click on links from strangers or unwanted text messages and emails
Likewise, phishing attempts usually include suspicious links you’re required to click on. If you don’t recognize the sender, don’t click on the link. If you’re suspicious or something seems off, but you aren’t sure what or why, don’t click on the link to find out. Rather, verify the email or sender by other means, like performing a Google search.
If the sender claims to be a company representative, like a PayPal representative, close the email, find the official contact details or customer support number, and verify the email with the company directly. In many cases, the companies know about these scams and will quickly caution you against taking action.
Never provide your personal information to anyone you don’t know
No matter how you receive the request and regardless of the platform, never provide your personal information. Your sensitive information is a goldmine for cybercriminals, providing valuable opportunities for them. They can use it to steal your identity and scam other unsuspecting victims, which can open you up to legal battles that can be hard and sometimes expensive to fight.
They can also sell your information on the dark web, where other scammers can buy it to target you for scams. In addition to this, never share your personal information online or on social media, as you’ll never know who could use it to target you for phishing. Scammers hang out on social media like you do. They know how reckless some users can be, so they use social media platforms to find and target victims.
3. Don't click on random links
Phishing scams often contain links to malicious websites. Clicking on them can open up your computer to malware infections. Follow the steps below before clicking on random links:
- View the link before clicking on it. Hover over the link and check the full URL shown in the bottom-left corner of the browser or mail window. If it looks legitimate or familiar, you can click on it. If not, don’t engage with the sender. In fact, it’s best to block them and delete the email.
- Copy and paste the link elsewhere first. Do this if your email client doesn’t allow you to preview a link by hovering over it, or if the link is a shortened link. Simply right-click on the link, copy it, and paste it into your Notes app, then check if it’s legitimate. If you don’t recognize it, do some research before opening it in the email.
- Don’t click on unknown links altogether. This applies to the links you receive via social media and random texts and emails. Many of us are guilty of opening links shared with us by friends and family without thinking twice. However, this isn’t ideal, as it exposes you to malware threats.
- Check the link’s domain against a blocklist. There are several public domain blacklists (blocklists) online that you can use to check the legitimacy of the links you receive. Look up the domain of the link you received in one of these lists. If the domain is listed as malicious, don’t click on it in the email.
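As an added example (not MacKeeper’s code and not from this article), the Python script below checks an email against the signs listed earlier and the link checks just described: a look-alike sender domain, a generic greeting, urgency wording, a shortened link, link text that doesn’t match the real target, and a domain blocklist lookup. The brand list, blocklist, and sample email are constructed for the example, modelled on the fake Eventbrite address described above.

```python
"""Score an email against the phishing signs described in the article."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed reference data for this example (not from the article).
KNOWN_BRANDS = {"eventbrite.com", "booking.com", "paypal.com", "apple.com"}
DOMAIN_BLOCKLIST = {"ev3ntbr1te.com"}       # stands in for a public domain blocklist
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
GENERIC_GREETING = re.compile(r"^\s*(dear\s+(customer|user|sir or madam|valued member)|hi there)\b", re.I | re.M)
URGENCY = re.compile(r"\b(within\s+\d+\s+hours?|immediately|will be (closed|cancell?ed|suspended)|verify your payment)\b", re.I)
LABEL_URL = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)  # link text that looks like a URL


def registered_domain(host):
    """Naive registrable domain: the last two labels (real code would use the public suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alikes such as ev3ntbr1te vs eventbrite."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the brand domain this one imitates, or None if it is exact or unrelated."""
    for brand in KNOWN_BRANDS:
        if domain != brand and edit_distance(domain, brand) <= 2:
            return brand
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so the link text can be compared with the real target."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess_email(sender, subject, html_body):
    """Return (findings, verdict); verdict is 'likely phishing' when two or more signs are present."""
    findings = []
    sender_domain = registered_domain(sender.split("@")[-1])
    brand = lookalike_of(sender_domain)
    if brand:
        findings.append(f"sender domain {sender_domain} looks like {brand}")
    text = re.sub(r"<[^>]+>", " ", html_body)      # crude tag stripping for the wording checks
    if GENERIC_GREETING.search(text):
        findings.append("generic greeting")
    if URGENCY.search(subject + " " + text):
        findings.append("false sense of urgency")
    collector = LinkCollector()
    collector.feed(html_body)
    for href, label in collector.links:
        host = registered_domain(urlparse(href).hostname or "")
        if host in DOMAIN_BLOCKLIST:
            findings.append(f"link to blocklisted domain {host}")
        if host in URL_SHORTENERS:
            findings.append(f"shortened link via {host}")
        if lookalike_of(host):
            findings.append(f"link domain {host} looks like {lookalike_of(host)}")
        m = LABEL_URL.match(label)                  # "view the link before clicking" check
        if m and registered_domain(m.group(1)) != host:
            findings.append(f"link text says {registered_domain(m.group(1))} but points to {host}")
    verdict = "likely phishing" if len(findings) >= 2 else "no signs"
    return findings, verdict


# Constructed sample email, modelled on the fake Eventbrite message described in the article.
SAMPLE_SENDER = "support@ev3ntbr1te.com"
SAMPLE_SUBJECT = "Action required: sign the updated agreement within 12 hours"
SAMPLE_BODY = """<p>Dear customer,</p>
<p>Payouts will be suspended unless you sign the agreement:
<a href="https://ev3ntbr1te.com/agree">https://www.eventbrite.com/agreement</a></p>"""

if __name__ == "__main__":
    findings, verdict = assess_email(SAMPLE_SENDER, SAMPLE_SUBJECT, SAMPLE_BODY)
    print(verdict)
    for line in findings:
        print("-", line)
```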
4. Use spam filters
Spam filters are algorithms that stop phishing emails from reaching your inbox, so you don’t interact with them. Email services like Gmail, Yahoo!, Outlook, iCloud, and AOL have built-in spam filters that detect and redirect spam to a spam folder, where you can check it and delete it for good if it was correctly identified.
5. Install a strong antivirus
Antivirus software is the best solution you can implement to fend off viruses and malware. It scans your computer for threats and eliminates them to protect your system and personal data. While antivirus software doesn’t prevent phishing attacks, it can identify and get rid of threats brought about by phishing attempts.
Note from our experts:
If you’re in the market for the best antivirus for Mac devices, look no further than MacKeeper’s Antivirus tool. This software protects your MacBook device in real time by looking for threats in the background and helping you tackle them immediately to secure your computer.
6. Block spam phone numbers
You can limit the amount of phishing communication you receive by using your mobile carrier’s anti-spam tools. You can also use third-party tools like TrueCaller. Additionally, your smartphone has blocking features you can utilize.
Follow the steps below to block spam numbers on your Android or iPhone device:
- On iOS, tap the name or phone number you received a text from at the top of the screen and tap Info > Block this Caller.
- On Android, tap the number or name at the top of the screen, followed by the three-dot menu > Block Number > Report as Spam.
7. Change your passwords regularly
Get into the habit of changing your passwords often, ideally every few weeks. We know that doing this can be tedious. However, sometimes your credentials and online accounts can get compromised without you knowing. Changing your passwords on a schedule prevents hackers from having unlimited access to your accounts if your passwords are ever compromised.
8. Keep your apps up to date
Updating your apps allows you to implement the security changes added by app developers. These include security patches that protect you from phishing and other threats.
Here’s how to update your apps on a Mac:
- Open the App Store in the Dock and select Updates in the sidebar.
- Check for available updates and implement them if available.
Tip from our team:
Keeping up with app updates can be time-consuming, and it’s easy to forget to do it. Why not use software that takes care of that instead? MacKeeper’s Update Tracker constantly checks for app updates on your Mac, so you can implement them when they become available and thereby reduce the likelihood of phishing.
Here’s how to use MacKeeper’s Update Tracker:
- Download MacKeeper and select Update Tracker in the sidebar.
- Click on Scan For Updates, wait for the tool to find available updates, and hit Update when the scan is completed.
9. Use mobile call filters
To manage caller ID and spam protection on Android, open the Phone app and tap More. Select Settings, choose Spam and Call Screen, and turn on See caller & spam ID. You can also turn on Filter spam calls to block spam calls. Note, however, that you can still find filtered calls in your call history.
If you have call identification and blocking apps installed on your iPhone, you can enable their settings by following these steps:
- Go to the Settings app and tap the Phone app > Call Blocking & Identification.
- Here you’ll find the settings for your relevant call identification app. Enable the applicable settings to implement phishing protection.
10. Update your privacy settings on social media
As a social media user, you likely share more about your personal life than you realize. This can give cybercriminals the clues they need to target you for phishing. Additionally, having your social media profiles set to public allows scammers to reach you for phishing by sending you private messages.
Update your privacy settings to prevent this from happening. The process differs depending on the social media apps you use, but you can typically do it in the relevant app’s Privacy settings.
11. Stay away from public Wi-Fi networks
It’s a known fact that public Wi-Fi networks offer little to no protection against malware threats. When you connect to the internet using a public Wi-Fi network, hackers who have compromised it can identify your device and attack it with malware. As a result, your sensitive information can be compromised and your identity stolen. This is why it’s advisable to avoid using public Wi-Fi networks altogether.
Having said that, we know that there are instances where you might be forced to connect to a public Wi-Fi network. When that happens, ensure you have the backing of a VPN service to protect your identity. MacKeeper’s VPN Private Connect hides your IP address by connecting you to a server elsewhere in the world. This helps you stay under the radar on the internet and keeps cybercriminals off your trail.
Here’s how to use MacKeeper’s VPN Private Connect:
- Download MacKeeper and choose VPN Private Connect in the sidebar.
- Choose a location that is far from where you’re located and click Turn on to connect. We advise selecting the Connect automatically when I start my Mac option to ensure you’re always connected to the VPN when your Mac is open.
12. Don't respond to strange messages and calls
This is a no-brainer. One of the simplest ways to prevent phishing is to ignore suspicious calls and messages altogether. Because cybercriminals rarely focus on only one victim at a time, they probably won’t notice that you didn’t respond and will home in on the targets who did.
13. Check websites before you go
Never blindly trust links; verify the websites before opening them. Use Google’s Safe Browsing to check the status of a website before visiting it. Copy and paste the URL you received into Google’s Safe Browsing tool’s search bar. If it’s safe, you can visit it.
14. Don't reply to suspicious emails and calls
When in doubt, drop the call and block the number. Report the email as spam, block the sender, and delete the email. Avoid engaging with suspicious callers and emails at all costs. Scammers can be crafty, so the more you interact with them, the higher your chances of falling victim to the phishing attack.
15. Don't share your personal information everywhere
Be careful about sharing your personal information online. This includes checking into locations on social media. While you may do it innocently, bad actors could be watching you and taking notes. They can use the information you share to target you with phishing campaigns. Only share sensitive information with close friends and family members privately as needed.
16. Don't click on pop-ups
Pop-ups can be so annoying that you end up clicking on them to make them stop. However, that’s the goal. Pop-ups are a threat to your privacy. When you click on them, you can be led to malicious sites that can steal your information or infect your device. To be safe, ignore pop-ups completely.
There’s a better way to deal with pop-up ads. MacKeeper’s StopAd is a browser extension that blocks annoying ads so you don’t encounter them. This reduces the likelihood that you’ll click on them and invite malware infections into your Mac.
Follow these steps to use MacKeeper’s StopAd:
- Open MacKeeper and select StopAd in the sidebar.
- Click Install next to each browser and follow the on-screen prompts to add the extension.
17. Request that data brokers delete your information
Scammers can obtain your contact information from various sources, including data brokers. Data brokers sell your information to scammers, telemarketers, and advertisers. You can prevent cybercriminals from targeting you for phishing by requesting that data brokers remove you from their lists. Visit their websites and find the option to opt out of their lists.
Types of phishing attacks
Phishing comes in many forms and through various platforms. However, the attacks have similar goals: to infect your device with malware and/or steal your personal information. Below are 10 types of phishing attacks to look out for:
- Spear phishing
- Email phishing
- Whaling attack
- Business email compromise
- Pharming
- Vishing
- SMiShing
- Social media phishing
- Malware
- Watering hole
Read more about the various types of phishing attacks below to stay informed.
1. Spear phishing
Unlike normal phishing that targets anyone, spear phishing targets specific individuals in organizations with malicious emails. The goal is to steal login credentials to access company resources.
Did you know? A Symantec report revealed that 65% of targeted attack groups used spear phishing as their primary infection vector.
2. Email phishing
Email phishing occurs when cybercriminals send phishing emails to their targets. Typically, the emails contain a request to click on a link or download an attachment. Clicking on the link can infect your device with malware.
According to ZDNET, more than three billion phishing emails are sent daily. On some days, you’re one of those recipients. As a Mac user, Apple ID scams are an example of a popular email phishing scam you may have encountered in the past.
3. Whaling attack
Also known as CEO fraud, whaling attacks are phishing attacks that target or impersonate high-ranking company representatives. These attacks are very specific. They can include official-looking links, like fake Zoom links, which the target must click on to compromise the company.
4. Business email compromise
Business email compromises (BECs) occur when cybercriminals breach a business’ communications circle to obtain sensitive company information. Anyone linked to the company can be targeted, including a vendor and the company’s leadership. Another goal of business email compromises is tricking victims into sending money.
5. Pharming
Also known as DNS cache poisoning, pharming uses malicious code to redirect victims to fake or malicious websites to steal their personal information. Unfortunately, it can be hard to tell if this is the case. When a legitimate website is compromised through pharming, you can unknowingly be rerouted to a malicious one, even if you typed the correct URL.
6. Vishing
Vishing is the kind of phishing that occurs over the phone. A scammer calls you, pretending to be a representative of a legitimate company, and asks you to take some sort of action, like providing your personal information.
7. SMiShing
SMS phishing or SMiShing refers to phishing attacks sent via text message. Scammers send you a fake text message that calls for you to take action, like clicking on a link or calling the phone number provided. For example, the text could notify you that you’ve won a prize and include a link you must click in order to claim it. If you click on the link, your device will be infected with malware, or you’ll be sent to a phishing website.
8. Social media phishing
Similar to SMiShing, social media phishing scams involve scammers targeting you on social media platforms like Instagram, Facebook, and Twitter. They contact you privately with a fake scenario and include a malicious link you must click on.
Sometimes, they convince you that your account has been compromised and offer a solution that involves giving up your login information. From there, they can access your account and scam your friends and social media connections.
9. Malware
Cybercriminals can install malware on your device through phishing attacks. When you click on a link in a phishing email or text, you open up your device to malware infections. After the malware enters your device, it can remain there indefinitely and silently collect your personal information for a long period of time. The data is sent to remote servers manned by scammers. By recording your keystrokes, scammers can obtain your financial information and use it to steal your money.
10. Watering hole
Watering hole attacks target victims by infecting the websites they visit frequently and luring them to malicious websites. To that end, cybercriminals can exploit any vulnerabilities present on those websites to target their victims. They can also plant malicious links in the hopes that you’ll click on them.
How to report phishing
To report phishing, you need to:
- Forward phishing emails to the Anti-Phishing Working Group at email@example.com.
- Forward phishing text messages to 7726.
- Report phishing attempts to the Federal Trade Commission at ReportFraud.ftc.gov.
- Report identity theft to the FTC.
Don’t become a victim of phishing
With more than three billion phishing emails sent daily, it’s hard to completely avoid phishing attempts. However, you can be proactive by educating yourself and using the tips in this article to reduce your chances of becoming a victim.
Use MacKeeper’s StopAd tool as a phishing prevention tool to block annoying ads in your browser. This can help you steer clear of malicious ads that can be used to target you for phishing, and, in turn, make your browsing sessions safer and more pleasant.
*You can download the app for free and try its functionality yourself before making a purchase.