Phishing is one of the oldest types of cybercrime. It’s a simple and effective tool hackers use to deceive people into handing over sensitive information or downloading harmful software. Safe to say, you’ll want to avoid phishing at all costs. So, to help you remain vigilant and secure online, we’ll explain what phishing is, and how to avoid biting the bait.
1. What is phishing?
Phishing stretches back to the days of dial-up internet in the mid-1990s. It’s pronounced the same way as fishing (the “ph” spelling is hacker slang) because the attacker, like an angler, leaves a baited hook and waits for a bite. Instead of insects or worms, the bait is fraudulent communication in the form of emails, mobile messages, or phone calls.
Phishing is deliberately misleading and disguised as communication from a legitimate source. The message pressures the reader to take immediate action. For example, you may receive an email that looks as if it comes from your bank, telling you there’s a problem with your account. For the sake of your security, you’re asked to update your details by following a link.
If you “bite” and follow the link, you’ll be taken to a page which is a like-for-like copy of a genuine website (including official banners and branding) to trick you into entering your details. Hackers can then steal sensitive information, including passwords, account numbers, or passport details. With this information, criminals can make purchases online, steal money, or commit identity theft.
The good news is, if you don’t bite, the tactic isn’t successful.
2. What is a phishing email?
Because phishing targets huge volumes of potential victims (even millions at a time), it remains a popular tool for hackers. So popular that a 2017 FBI report revealed people living in the U.S. had a total of $30 million stolen due to phishing. There are no signs of phishing slowing down, either—in 2018 the number of attacks almost doubled.
Although security on many email accounts is effective at detecting such attacks, hackers are becoming more sophisticated in their approach. Gone are the days of poorly written emails with over-the-top promises of wiring millions of dollars simply by handing over your bank details. Modern phishing emails may contain tailored information, company branding, or URLs that look close to the real thing.
Other forms of phishing techniques
Email remains the most popular form of phishing; however, hackers are also using newer technology to target victims. Smartphones are particularly vulnerable, with “smishing” (phishing attacks in the form of SMS messages) predicted to be a growing trend, particularly as fake, fraudulent websites are even harder to detect on mobile screens.
Thanks to encryption, modern online banking is secure. However, phishing is a route for criminals to access information without having to break through security barriers. For example, in 2020 an SMS phishing campaign targeted mobile banking apps in North America. Messages were sent to a large number of people. When following the included link, victims were directed to a false login page for their online banking account. This particular campaign hooked 4,000 victims, a reminder to be vigilant with SMS, too.
What are the most popular phishing disguises?
The more genuine a phishing email appears, the more likely the victim will take the bait. This is why hackers imitate well-known brands used by large volumes of people. A 2019 report by Vade Secure revealed the most popular brands for hackers include PayPal, Facebook, Microsoft, Netflix, and WhatsApp.
Interestingly, the report also identifies the most common approaches phishing emails use to “bait” victims. Often correspondence refers to “unusual activity” with the person’s account, with the need for immediate verification. But there are more creative approaches, including the offer of bogus deals, free pornographic content, or invoices that require payment (e.g. from Amazon).
Trending events can be used in campaigns too. In 2020, the World Health Organization (WHO) was used in a phishing attack. Emails looked like helpful reminders from WHO, with instructions on how to prevent spreading the coronavirus. Exploiting global fears around the virus, the emails led users to follow a link to access a document, which landed them on a fake Microsoft Outlook login page. Any details entered on this page were sent directly to hackers.
3. What are the different types of phishing attack?
A phishing attack is any fraudulent attempt at finding victims. Some are known as “campaigns”: one style of attack, usually using the same email template, sent to masses of people—such as the mobile banking campaign during the coronavirus outbreak. However, there are more sophisticated forms of phishing attacks that can be harder to detect. Each of these phishing definitions continues the fishing theme:
- Spear phishing targets specific individuals—like aiming for one particular fish. Hackers research their targets and send customized correspondence. It’s common for these attacks to target employees at organizations, with messages appearing to be from co-workers. A 2019 Europol report highlighted spear phishing as an emerging threat.
- Whaling is targeted phishing aimed at big targets, such as CEOs or politicians. More effort is put into this kind of phishing attack, yet the rewards are potentially huge.
- Clone phishing is a sophisticated attack which intercepts genuine correspondence. The hacker clones a legitimate email from a trusted source. For the victim, the email seems to be a continuation of the conversation, but it may contain a malicious link.
- Vishing is phishing via telephone call. The approach is the same: appear legitimate in order to get sensitive information from the victim. Always remain cautious if receiving an unsolicited phone call requesting sensitive information.
4. How to recognize a phishing site or phishing email
So how do you remain vigilant toward phishing attacks? Sometimes you can spot a phishing email thanks to its generic introduction (dear “sir” or “madam”) rather than your name. More obviously, if the email is from a company you don’t have an account with, it’s likely from a mass campaign. Ignore it and report it if necessary.
Whenever you receive correspondence asking you to take action, ask yourself: does this person usually contact me for such requests via email? Be vigilant of the tone and language of the correspondence, including any subtle mistakes. Does anything seem unusual? Pay close attention to the “from” section, and if anything looks suspicious, write a new email to the address you already know for that sender rather than hitting reply.
Most phishing emails include a link that directs you to a counterfeit website. Such phishing sites are the “portal” through which you unknowingly hand your information to hackers. Make sure to carefully check the address of the website in question, e.g. "wwwn26.com" vs. "www.n26.com". Keep an eye out for the lock symbol (in Chrome) indicating a secure connection, but remember that the lock only means the connection is encrypted, not that the site is genuine; a counterfeit site can show a lock too, so the address itself is what you must check.
Always be sceptical of redirected websites (where the URL changes and you’re taken to another page). If any link appears questionable and you’d like to play it safe, open a new window and visit the website directly. For example, if you receive an email from PayPal with a link to log into your account, there’s no harm in heading to PayPal directly in your browser and logging in from there. If the correspondence is genuine, you can access your account in this way for more information.
5. Other tips on how to prevent phishing
Be cautious anytime you are asked to submit sensitive information. For example, N26 Customer Service never asks you for your password or credit card number. And always keep the 10-digit token on your card a secret (don't take pictures of that side of the card). Other tips on how to prevent phishing include:
- Ensure your computer has up-to-date security software.
- Install an anti-phishing extension on your web browser.
- Create a strong and safe password, and never use the same password with different accounts.
- Make sure your mobile phone has the latest updates installed.
- Activate multi-factor authentication (or 2-Factor Authentication “2FA”)—an additional step to log in, such as a code sent to your mobile phone.
- Don’t publish personal information publicly online as this information can be used by hackers.
How to report a phishing attack
With the ever-increasing sophistication of phishing, you may still fall victim to an attack despite doing all that you can to avoid it. If this happens, there are a few ways to report the incident:
- Contact your email provider directly. For example, contact Google Support.
- Contact the company whose information has been imitated directly to make them aware of what’s happened.
- If your personal information has been stolen, contact the cybercrime department of your local police authority.
N26 customers can notify us through the app’s chat function or on the N26 website. However, armed with all you need to know about phishing and the security of an N26 account, we hope it won’t come to this. Phishing is a popular technique but it does rely on you being as aware as possible. So, remain vigilant, be sceptical, and keep this article in mind to avoid being hooked.
Security at N26
As N26’s popularity continues to rise, we have seen several waves of phishing attacks targeting our customers. We’re attacking these campaigns on multiple fronts to make sure they do as little harm as possible: we have a team of IT security experts dedicated to monitoring phishing sites and having them taken down as soon as they appear.