Most people use the internet for anything and everything, from interacting with work colleagues to exploring the world of AI chatbots. And while the internet is a beautiful tool for these reasons and many others, it can also hurt people's security and privacy. For one, large corporations like Amazon and Google find novel ways to squeeze every drop of data out of our online presence in the name of the bottom line. On that note, you can follow these simple steps to improve your digital privacy on Android.

On the flip side of the privacy and security coin is a group that takes that data collection more seriously. Instead of letting you voluntarily sign away your privacy in exchange for services, these cybercriminals do their best to steal your information and use it to benefit themselves at your expense. Before you fall victim, we explain what phishing is and the best ways to tackle it on your top-budget Android phone and wherever you have footprints online.

What is phishing, and how does it work?

Phishing is a type of cyberattack that uses a mix of social engineering techniques to commit identity theft or another form of crime aimed at stealing money from victims. Hackers usually try to make victims hand over sensitive information such as credit card information, online banking login credentials, or social media credentials via social engineering. Hackers use this data to access a victim's accounts and steal their money or as a further step in the attack chain.

Phishing attacks target devices by getting a victim to download software containing malware to scrape that information from the victim's system or take control of it using ransomware.

Phishing attacks usually happen via email. There's also vishing and smishing, which occur via voice calls and text messages.

What are the types of phishing attacks, and how do you prevent them?

While phishing attacks can involve sophisticated software, they usually require human interaction. To fall victim to a phishing attack, you often need to open an email, download a file, pick up the phone, or all of the above. The social engineering behind phishing scams makes them successful, but it also allows us to identify and stop them without much technical know-how.

Let's look at some of the most common phishing techniques and how you can prevent them.

Spear phishing and email phishing

Email phishing and spear phishing operate according to the same principle. In both situations, hackers pretend to be someone else, like a large company or service provider. They send emails to an individual insisting that they take some action, usually logging in to a site or sending information to the hackers, to prevent some negative consequence or take advantage of some reward.

A screenshot of the Google Chrome browser blocking a notification, potentially a phishing atttempt.
Source: Google

There is almost always a sense of urgency involved in these emails, and you're likely to see something like, "If you don't act on this email within two hours, your bank account will be frozen, and it will take 60 days to recover." The alleged urgency compels victims to fall for the scams. Since they're scared of the consequences, they're more likely to act and less likely to spend time researching the information.

Spear phishing differs from regular email phishing in how the scam is implemented. Regular email phishing is a broad, general email with little context or information about the victim. Spear phishing targets a specific individual using information scrubbed from social media or a data breach to personalize the email.

Spear phishing hackers usually send an email impersonating a trustworthy company the victim uses or has contacted earlier. More often than not, spear phishing emails contain malicious links that lead to convincing fake websites where users must log in to resolve whatever issue is happening with their bank account or service. When the recipient tries to log in, the malicious website saves the victim's credentials, and the perpetrator can use the login credentials and sensitive data as they please.

Spear phishing attacks can be more convincing — and thus successful — than regular email phishing methods that blast hundreds of emails simultaneously. A sub-category of spear phishing attacks is whale phishing, a technique used to target high-profile individuals (usually executives or celebrities) with access to sensitive information or who can authorize substantial financial transactions.

Another slight variation of email and spear phishing is clone phishing, when attackers send the victim a copy of an email they have received with altered links or attachments. The victim already trusts the original sender, so they are less suspicious of this new email.

How to prevent email phishing and spear phishing

Cybercriminals using these spoofing techniques to imitate legitimate entities often claim to be big, known company names such as Amazon, Microsoft, PayPal, and credit card companies. The email you receive is usually a convincing imitation of a legitimate email you might receive from one of these companies. Proficient attackers copy and edit the markup code of original emails to make remarkably believable copies.

However, even in those cases, there are usually clues that the email is fake. The first thing to look for in a suspicious email is poor spelling and grammar, but there are other ways to identify a fraudulent email. It's also helpful to know that Google Gmail does a good job of warning you about fraudulent links if you click one.

The core principle of phishing prevention is to trust nobody. Suppose you get an unexpected or unsolicited email about a refund, banking issue, or similar online service that has your sensitive data. In that case, the best thing to do is ignore any links in the email.

If you are concerned, contact the company via a familiar communication channel. For example, if you receive an email from your bank letting you know there is an issue with your account, go to your bank's login page by typing the URL manually or accessing it from the bank site, or give the bank's offices a call at a number you know. Under no circumstances should you open a link from an email and log in to your bank account from there unless you verify the authenticity of the web page.

Another easy way to spot an email phishing scam is by looking at the email address. Usually, hackers cannot get access to actual bank domains, so they'll use something that looks close enough to the bank's real domain at first glance. If you look closely at the email address, you'll notice that words are added where there shouldn't be, or letters are swapped around or substituted with numbers (this technique is known as typosquatting). You can also avoid email-based phishing attacks by using automatic spam filters.

Phishing hurts the trust a company has earned with its users. If you get phishing messages, it's a good idea to report it to the company being impersonated. And if you end up clicking a phishing link, follow our tips to minimize the risk of stealing your data.

Vishing and smashing are similar to email phishing campaigns but occur via calls and text messages. If you get a call or SMS from someone claiming to be from a company you work with and that there's an issue they need you to solve immediately on the line, it's best to ignore it and call the customer service line you used before to validate that there is an issue and proceed from there. You can check the phone number, but be careful since bad actors will likely use a fake caller ID to trick you.

Content injection and malvertising attacks

Content injection, malvertising, and man-in-the-middle (MITM) attacks are tough to combat since they rely heavily on the hackers compromising a third party — an advertisement host, ISP, or local network — meaning knowing about social engineering can only get you so far. Content injection involves a hacker gaining access to a website you're visiting and changing the site to add a link that downloads malware onto your device or takes you to a site that tries to convince you to enter personal information that they will use to commit identity theft.

Malvertising uses vulnerabilities in browser components like JavaScript, PDF viewers, and web fonts to download malware onto your device. Often, these phishing attacks rely on the user installing malware on their system. Malware includes keyloggers that steal input data or ransomware that holds your data hostage in exchange for a fee. These links may appear in emails or ads, but phishers sometimes hide their malware in ordinary-seeming software.

How to prevent content injection and malvertising attacks

There are tools you can use and habits you can learn to make it less likely for scammers to succeed if they plant malicious software in an ad or web page. First, turn off automatic downloads on your computer and phone to eliminate that as a vulnerability. Second, install an ad blocker to prevent compromised ads from appearing in your browser. Finally, check links before you open them. Usually, you can hover over them with your mouse on a desktop to view the link. If the URL doesn't seem right or redirects you to a different site you don't know, it's best to avoid opening the URL and delete the email. You can also report it as phishing to your email provider so that they can act against that email address and protect other users.

Another thing you can do to improve your cybersecurity is to install and activate antivirus software. The built-in security on Android, iOS, Windows, and macOS is serviceable. Third-party options are available if you feel the built-in options are insufficient. Ad blockers like uBlock Origin are great tools to prevent malvertising attacks. If the ad doesn't load, there is no chance for it to put malware on your system.

If you do things like online banking or work with sensitive private or corporate information, there are a few steps you should take, especially if you're on a network you don't trust.

Using a VPN is crucial to protect sensitive information on public networks since it hides your traffic from sniffers on the network. Still, it's best to avoid using public Wi-Fi networks altogether to do things involving sensitive information.

You can foil some keyloggers by using the on-screen keyboard instead of the hardware keyboard on your computer. Some banking applications and websites allow you to use an on-screen keyboard built into the website since the default one on your PC might be easier for some keyloggers to read.

A word about bots and AI

Most cyberattacks mentioned in this article have historically been a prerogative of human hackers only. However, rapid developments in artificial intelligence (AI) and machine learning (ML) are changing this trend. The advent of natural language processing (NLP) bots such as ChatGPT means that AI programs can craft emails that are virtually indistinguishable from those written by humans. Some of these chatbots (Bing AI and Google Bard are the most famous ones as of this writing) can access the internet, meaning they can research companies and individuals before writing emails that sound like one from a CFO, a large bank, or your best friend. AI programs can also write code, meaning that they can create payloads for content injection and malvertising attacks.

The techniques mentioned above to defend against these types of attacks also apply to those malicious campaigns created with the support of AI tools.

Cooler heads prevail

Staying safe on the internet isn't too difficult if you know what you're looking at and interacting with. Following the tips in this article and sticking to trusted sites will keep you safe from most security issues. Keeping your devices updated is also a great way to stay safe on the web.

If you want to upgrade your security posture online even more, learn more about password managers. We also have a guide on how to keep your home security cameras from being hacked.