In the last two weeks, I’ve received three suspicious emails, one most assuredly a phishing attempt. After entertaining myself with some renewed research on the subject, I decided that if I needed some reminders, maybe our readers could use a few too. So, quickly — here’s a short refresher on what to be wary of and how phishing attempts can be ID’d.
Phishing email scams usually fall into three categories
Traditional phishing in which the scammer casts a wide net to trick a large volume of people either to share information or to collect money that isn’t owed. Links in the message or attachments may install malware on your device or direct you to a website set up to elicit your personal information. This is the most common form of phishing because getting someone to click on a malicious link is simply easier than hacking into networks. These emails used to be very easy to spot, often filled with spelling and other errors, but today such emails are often put together more adeptly, to look as legitimate as possible. It is common that the scammer will attempt to represent a a well-known company, and include logos and other identifying information copied from that company’s materials.
Spear phishing attacks are designed to target a specific individual or small group of individuals, by appearing to legitimately know them. The email message may include a personal salutation, make reference to a recent purchase you have made, appear to come from a friend or mention information about your business. Sometimes, if it’s apparently from a company you know or a co-worker urgently asking for response, you may be tempted to act before thinking, providing requested information or making a quick download of an attachment. Don’t even think about it.
Whalingattacks are emails that appear to have come from high-profile senders like C-level executives, political leaders or celebrities. These emails and the websites to which you are lured are sophisticated and highly customized to look like the real thing, and personalized. A whaling email may look like it was sent from the CEO of your company or from a local political candidate. The goal as with other phishing is to get either private information or your precious dollars. Often, these emails ask for a donation to a worthy cause. According to the American Red Cross, it has seen numerous scams in which the victim is addressed personally and sent to fraudulent websites to donate to victims of disasters.
Be wary of these five signs of phishing expeditions (thanks to Microsoft for this graphic):
Fake email addresses and URLS. The “from” email address and any hyperlink in the email should contain a legitimate name or an organization as the LAST name in the chain. As an example, firstname.lastname@example.org is likely to be genuine but email@example.com is very questionable. Stop and think — is it likely that John comes from the domain name of report.com? Remember that every domain name has one unique owner, no more. Always look at the domain names provided in emails sent from people you don’t know, and determine if they appear strange or unlikely. Also, if you see a link in a suspicious email message, don’t click on it. Instead, rest your mouse on the link to see if the address matches the link that was typed in the message. If there is no match, there may be a scam afoot.
Vague salutations. If the email addresses you as “Dear Customer” or “Hello,” yet shows evidence of being from a legitimate organization or business, be careful if it asks you for personal information, including membership or credit card updates through a hyperlink. The businesses you deal with online. e.g. your bank, Amazon, the gas company, typically use a personal salutation and do not tell you to click on a link to, say, update your credit card information. Instead, they will tell you to go to their (real) websites and log in.
Urgent requests. If an email requests you to act immediately, such as claiming that your account has been closed or fraudulent activity has been discovered, don’t immediately panic. The email should not include a link to fix the situation, or an attachment. Regardless, if it purports to come from a company you have a relationship with, always go directly to the site instead of clicking on a link.
Poor spelling or grammar. Surprisingly, there are still many phisher criminals who have clumsy approaches, using poor English. They make it easy to be identified, if you read the email carefully. Legitimate companies are unlikely to send you emails that look and/or read unprofessionally. They have professional, well-trained writers who want to keep their jobs!
Poor details about the sender. If the signature of the sender lacks details or information on how you can contact a company, you should be suspicious. Legitimate businesses always provide contact details. If you receive a sponsored email newsletter or announcement, it should include complete company information in the footer, along with a means to opt out of such emails in the future.
There are so many great security-focused sources that I hesitate to recommend any single one to get more information. I have linked above to a couple of the best. If you and/or your organization have implemented security software to protect your computer against all manner of cybercrime, including phishing, you should visit the software provider’s website for additional details — probably more than you wish to learn!