18 Jul 2018
How to spot a phishing email
Fishing is awesome!
Phishing emails: not so much.
Somewhere out there, lurking behind their computer screens, gangs of cybercriminals want your most sensitive data. They want your personally identifiable information, they want your banking and credit card details, and they want your passwords. Once they have them, your online accounts, your money, and even your very identity are at serious risk.
But you’d never give up that kind of sensitive information to a stranger, right?
Of course you wouldn’t!
That’s why these digital fraudsters have had to get creative in the ways they approach their potential targets, developing new digital scams to deceive and confuse you into handing over all the data they need to make your life a complete misery.
One of the most effective of those digital scams is the “phishing” email.
What is a phishing email?
Here’s how it works…
You receive an email that appears to come from a legitimate institution or company. Maybe it’s a company you’ve done business with before, or a bank you are saving your money with right now. Maybe it’s an important government agency or a travel company you’ve booked your next vacation with. It could even be from your own coworker or the human resources department of the company you work for!
You see this email in your inbox, and it appears to be from one of these trusted senders. You let your guard down a bit – after all, this isn’t an email from some “stranger” – and take a look.
The email subject line may indicate that there’s some kind of problem with your existing account, booking, or even your tax/legal status. Or, it may indicate that you’ve won some kind of fabulous prize, or that you are being offered a massive discount for some reason. Whatever it takes to get you to open the email and read more, really.
You may be thinking that no phishing email could ever get you beyond this point, and you may be right. However, according to Verizon’s 2018 Data Breach Investigations Report, open rates for these types of phishing emails can be as high as 30% (which is impressive), so think again.
Once you open the email the scam gets deeper. You are told that in order to fix the problem with your account, claim your prize/discount, save your booking from being cancelled, avoid an exorbitant fee/tax, or save yourself a court appearance you need only answer a few simple questions, fill out a simple form, click a link, or download something.
Everything looks perfectly legitimate on the surface. The email contains official logos, legitimate company information, and anything else the phishers can think of that will put your mind at ease and get you to hand over your info. The sender’s name looks like it belongs to the person/institution the email is ostensibly from, and there may even be a phone number you can call for more information.
If you call the number provided, an official-sounding person will assure you that everything is on the up and up, but they do need you to provide your online password so they can verify that you are indeed who you say you are and proceed with resolving your issue.
You are now in the midst of a phishing attack.
This could get really, really bad.
How can I tell if I’m being phished?
Modern phishing attacks and phishing emails can be incredibly sophisticated and well thought-out. Even though only a tiny percentage of such emails actually result in these scammers getting their grubby fingers on someone’s sensitive personal info, the big investment of time and effort it takes to create an effective phishing campaign can still pay off big time. That’s why there are some pretty smart people out there who are willing to put in the extensive work to develop a state of the art phishing attack.
Phishing emails play on people’s deepest desires and fears and can be quite convincing.
There are, however, a few telltale signs to watch for:
1) Urgency
Any email that indicates you must take action immediately, leaving you no time to investigate at all, should be an instant red flag.
2) Requesting personal information/passwords
Any email that asks for your personal information or passwords, or which contains a link to a webpage that asks for your info or passwords, MUST be investigated further.
3) Threats or rewards
Whether by threat or reward, any email that incentivises you to provide the requested information or to click on a link is suspect.
4) Weird attachments
If an otherwise legitimate email includes attachments you weren’t expecting (or that don’t make sense in some way), stop what you are doing and don’t open them.
5) Suspicious links
Hover your mouse pointer over any links included in the email. This will show you where the link will actually take you if you click it. Is that URL a legitimate website? Is it the URL of the company/institution you should expect? If not, stop and investigate.
6) Bad grammar/spelling
Are there grammar/spelling mistakes in the email copy you’re reading? If there are, this is a bad sign.
7) Unusual sender
Have you ever received correspondence from this sender before? Are you sure? If the sender name differs in any way from previous emails from the person/company/institution, something very well could be amiss.
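Two of these signs, the real link target (5) and the sender address (7), can also be checked mechanically rather than by eye. The script below is an added example, not part of the original post: it parses a constructed sample message with Python’s standard library and assumes you already know the domain the sender should be using (`example-bank.test`, a placeholder).

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing email): the display name claims to be
# a bank, the link text shows the bank's site, but the href points elsewhere.
SAMPLE_EML = """\
From: "Example Bank Support" <support@mail-example-bank-login.test>
To: customer@example.org
Subject: Action required: your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>Please verify your details immediately at
<a href="http://example-bank.verify-now.test/login">https://www.example-bank.test/secure</a>
or your account will be closed.</p></body></html>
"""
EXPECTED_DOMAIN = "example-bank.test"  # placeholder: the domain this sender should use


def registrable(host):
    """Last two labels of a hostname (assumption: no public-suffix list needed here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a>: the 'hover over the link' check."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw, expected_domain):
    """Return warnings for the sender-domain and link-target checks described above."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    sender = msg["From"].addresses[0]  # parsed address, display name ignored on purpose
    if registrable(sender.domain) != expected_domain:
        warnings.append(f"sender address domain {sender.domain!r} is not {expected_domain!r}")
    body = msg.get_body(preferencelist=("html",))
    parser = LinkCollector()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        target = registrable(urlparse(href).hostname or "")
        if target != expected_domain:
            warnings.append(f"link goes to {target!r}, not {expected_domain!r}")
        shown = urlparse(text).hostname  # link text that looks like a URL
        if shown and registrable(shown) != target:
            warnings.append(f"link text shows {shown!r} but points to {target!r}")
    return warnings
```

Running `check_message(SAMPLE_EML, EXPECTED_DOMAIN)` on the constructed message yields three warnings; a message whose sender and link both use the expected domain yields none.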
What do I do now?
If you’ve become suspicious that an email you’ve received may be a phishing attack, STOP! Don’t interact with the email in any way. If your gut is telling you something is off, there’s a very good chance you are right.
It’s time to do some research.
- Call the person/company/institution the email is ostensibly from (remember not to use any contact info in the email itself). Explain the situation to them and ask if the email is really from them.
- Search Google to check whether anyone else has received a similar email and become suspicious. Often there will be several people who have already investigated and determined whether the email is legitimate.
- If you are unable to verify the legitimacy of the email in question, ignore it. No legitimate person, company, or institution will send just one email about a serious issue and then make no further attempt to contact you. If there’s really a problem, you’ll hear from them again.