Phishing: What it is and how to avoid getting hooked
In my younger days, changing an “F” to “PH” (“That’s Phat!”) made something cooler. Today, when you see a PH, be warned and pay attention, especially if it’s attached to “-ishing.”
Phishing attempts are becoming more and more prevalent and more sophisticated with each passing day. In this blog post, we’ll discuss what Phishing is and some key things to look for to keep you from becoming prey to it.
What is Phishing?
You receive an email that looks a lot like something you’d see from Google, or even your bank. In it is some sort of emergency – your password needs changed, your account’s been locked – or another relevant reason to click through – and it asks you to please login to the site. Without hesitation, you click through to a site that looks no different than any other time. You enter your credentials, and nothing of any consequence happens.
What you don’t know is, you’ve just fallen victim to a phishing campaign and provided a malicious person (or persons) with your personal (or work) credentials. There’s no “gotcha” page that tells you that they nabbed your credentials. Everything still seems on the up-and-up, but now you’re exposed to potential identity theft or financial loss.
Phishing sounds a lot like that other type of using bait to catch something. What’s the word for it? That’s right, it’s Fishing. Except Fishing is a sport where humans try to catch water-dwelling creatures with a pole, some string, a hook, and bait while Phishers (stress the Ph here) try to catch other humans using an email and some bait.
Phishing is really an umbrella term that encompasses electronic-communication based attacks meant to steal some sort of information from users or deliver malicious software that infects a user’s device or network.
There are a number of tactics that are employed to try and dupe people into providing secure information but for the purposes of this article, we’ll highlight three types of Phishing tactics:
- Spear Phishing – an attack in which a specific individual or organization is targeted.
- SPAM – this is the most common type of phishing attack. An email is created and sent to a large list or lists of email addresses and asks users to enter credentials into a false website.
- Link Manipulation – attacks where the attacker includes a false link that directs to their own website.
With any of these techniques, it’s important for you and your organization to know how to identify Phishing attempts in order to avoid the negative effects of falling victim to a phishing scam.
How do I identify a phishing attempt?
It’s simple: rely on your eyes and see what you see.
Right now, most of us are opening an email and giving the content a quick glance. This is what the attackers are hoping for – our complacency.
All we need to do is retrain our eyes to look for certain identifiers and ask ourselves some simple questions about what we’re seeing, and we’ll be able to avoid falling victim to phishing.
It may seem tedious but taking a few extra seconds to verify a few things within the email can help you to avoid falling victim to a phishing attempt.
What to look for:
Check who’s sending you the email and from what address.
A common tactic used in phishing emails is to spoof who the email is from. It may have a bank’s name or any organization’s name as the sender. But what email address are they using? Is the email coming from a domain owned by the bank or is it coming from a different domain? Are you receiving an email, from your bank, that has gmail as the sending domain (hint, hint: major red flag)? Be sure to verify that the sender’s domain matches the organization that’s emailing you. The below shows an example of a malicious header (and yes, “support” is intentionally misspelled).
Verify any links in the email are directing to where they say they are.
Simply hover over the link to see the link preview. Better yet, make it a habit to not click links within your emails.
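As an added illustration of the two checks above (the sender’s real address domain and where a link actually points), here is a small Python script that is not part of the original post: it parses a constructed sample message and flags a From address outside the expected organization’s domain and any link whose visible text names a different domain than its href. The bank name, the domains and the TRUSTED_DOMAIN value are all assumptions made for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real campaign): the display name claims a bank, the
# address is on another domain, and the link text and its href disagree.
SAMPLE_EMAIL = """\
From: "Example Bank Suport" <alerts@example-mail.invalid>
Subject: Your account has been locked
Content-Type: text/html

<p>Please visit <a href="http://example-bank.invalid.attacker.test/login">
https://www.example-bank.invalid/login</a> to restore access.</p>
"""
TRUSTED_DOMAIN = "example-bank.invalid"  # assumption: the org you expect mail from
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def parse(raw):
    return email.message_from_string(raw, policy=policy.default)

def base_domain(host):
    # Crude registrable-domain guess: the last two labels of the host name
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def sender_domain_mismatch(msg, trusted=TRUSTED_DOMAIN):
    # The display name is whatever the sender typed; only the address domain counts
    _display_name, addr = parseaddr(msg["From"])
    return base_domain(addr.rpartition("@")[2]) != trusted

def link_mismatches(msg):
    # Links whose visible text names one domain while the href (what you would
    # see on hover) points at another; returns (shown text, real href) pairs
    html = msg.get_body(preferencelist=("html",)).get_content()
    bad = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()   # drop nested tags
        if " " in text or "." not in text:
            continue  # plain words like "click here" make no domain claim
        shown = urlparse(text if "://" in text else "//" + text).hostname
        if shown and base_domain(shown) != base_domain(urlparse(href).hostname):
            bad.append((text, href))
    return bad
```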
Ask yourself, does this email have anything to do with anything I have going on?
An out of place email – like a shipping notice when you’re not expecting anything – should be treated as suspicious. Ask yourself what the email has to do with anything you currently have going on. If a “client” emails you with a link or an attachment you weren’t expecting, don’t just click on it with no thought. It’s possible they’ve fallen victim to a phishing email and their email has been hijacked.
What is the sender asking of you?
Are they telling you an account is hacked? Have they asked for credentials, or to send sensitive information via email? If so, it’s best to treat the email as suspicious. Avoid clicking any links in the email; instead, navigate to the website by opening your browser and typing in the web address of the site, and then login. If your account is truly locked, or your password needs changed, the site will notify you.
Where would the sender place in a spelling bee with 100 contestants?
If the email content includes broken English, misspellings, or outright bad grammar, treat it as suspicious.
These are a few things that take very little time out of your day to confirm and could save you from potential loss.
If all of that seems like too much trouble, perhaps you need to ask yourself: Would you rather part with 30 seconds of your time or $3,000 of your hard-earned money?
I’m still unsure…what should I do?
It’s possible you approached an email as suspicious, everything seems to check out, but you’re still concerned about the validity of the email or you’re like me and are super cautious.
As was said in the previous section, avoid clicking links. If it’s a financial institution or really anything asking you to go to their site and login, it’s best to avoid clicking any of the links they provide in their email. Instead, open your web browser, navigate directly to the website, and then login. If you must click on a link in an email, at least hover over it (before clicking) to ensure it’s showing you the domain you’re expecting to go to.
For added security, consider implementing link protection on your email system. With link protection in place, once clicked, a link is passed through a server that verifies the site is legitimate and does not contain malicious code that could infect your network.
Don’t be afraid to pick up the phone. If everything seems to check out for the email but you’re still worried about the legitimacy of an email from someone you know, pick up the phone and give them a call. It will take less than 10 seconds to confirm they sent the email to you. Example conversation:
You: Did you just send me this email that asks for this information?
You: Ok, Thanks.
In the end, use your common sense and intuition. If something feels off, it probably is. Consider the purpose of the email and what it’s asking of you. If it’s asking for sensitive information, let that be the first and largest red flag and take the steps outlined above to minimize your risk.