Phishing – The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
A Classic and Evolving Threat
I remember my first encounter with a phishing scam. It was almost 15 years ago and centered around an email designed to look like a PayPal payment for goods sold through eBay. I nearly got taken by shipping an item to someone who hadn’t actually paid. Fortunately, I saw some suspicious things in the email and called PayPal to verify and report the incident.
Phishing schemes continue to evolve. Some of them even involve the spoofing of a legitimate domain in order to gain trust. Believe it or not, this is shockingly easy to do. This happened to one of our clients a few weeks ago. Our client received an email from firstname.lastname@example.org. The first red flag was that there is no Ronald who works for our client. Someone in India had spoofed their email. The email system was not compromised; the message was simply crafted to look legitimate. Had this client been a larger company, it’s possible someone may have clicked on the attachment.
Look for Signs
Most phishing schemes involve four common factors:
- An emotional trigger – phishing emails almost always have some kind of intimidating, threatening or even simply inviting language in an attempt to compel you to take some kind of immediate action.
- Appearance of a legitimate authority – phishing emails frequently appear to be from a bank, store, lottery commission or other reputable institution (sometimes even the IRS).
- Links or (less frequently) an attachment – there will almost always be a link or attachment the email asks you to click on.
- Formatting errors – many phishing scams originate in countries whose native language is not English, so there will often be grammatical or typographical errors; there may also be errors of formatting, such as a company logo that looks a little fuzzy, or too many line breaks in a paragraph.
Spot the Thief
If you receive an email with any of these initial indicators, red flags should go up. Start looking a little more closely by doing the following:
- Hover your mouse (DO NOT CLICK) over the links in the email – virtually all web-based emails (e.g. Gmail, Hotmail – please don’t tell me you’re still using Yahoo) and email clients (e.g. Outlook) will give you a small popup containing the address of the link before you click. If the email looks like it’s from Bank of America but the link is something like: boa.iamanevilgenius.com or even better: jKUoauWusO.com DO NOT CLICK THE LINK.
- How to distinguish links – websites will often use subdomains to take you to the correct place. These will have the format of http://subdomain.legitimatebusinessname.com. Ninety percent of the time, fraudulent links will have a hint of legitimacy, but look at the address closely, because it will be something like: http://legitimatebusinessname.unknownevildomain.com. What matters is the part of the address just before the top-level domain (.com, .org, etc.), not the words in front of it. If you have already clicked on the link (doh!), check the site address in the address bar of your browser. If it looks like anything other than the legitimate business, close your browser and do a virus scan. These tactics can often be super crafty, as in the case of the Gmail scam earlier this year.
- Check the From and Reply-To addresses – In Gmail, there is a tiny arrow you can click in an email message that appears just below the sender’s address. Clicking the arrow will give detailed “behind-the-scenes” info. Compare the “From” address with the “Reply-To” address. If they are different (and certainly if they are completely different domains), just delete the email and move on. Other email systems and clients offer a similar feature.
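The two checks above (link target versus the claimed business, and From versus Reply-To) can be scripted for triage. The following is an added example, not code from the original post: it parses a constructed sample message with Python's standard `email` library, compares the From and Reply-To domains, pulls every `href` out of the body, and flags any link whose registrable domain is not the brand it claims to be. The sample headers, body and the `.example` domains are constructed; the "last two labels of the hostname" rule used in `registrable_domain` is a deliberate simplification (real code should consult the Public Suffix List so that hosts like `bank.co.uk` are handled correctly).

```python
"""Phishing triage helpers: From/Reply-To consistency and link-target checks.

Added example for the article's "Spot the Thief" steps; the sample message
below is constructed and the domains ending in .example are placeholders.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message that mimics the patterns described in the post:
# a plausible From address, a Reply-To on a different domain, one link that
# only *starts* with the brand name, and one genuine subdomain link.
SAMPLE_EMAIL = """\
From: "Bank of America Alerts" <alerts@bankofamerica.com>
Reply-To: support@mail-verify-account.example
To: victim@example.org
Subject: Urgent: verify your account now
Content-Type: text/html

<p>Your account has been locked. Click
<a href="http://bankofamerica.unknownevildomain.example/login">here</a>
to restore access.</p>
<p>Or visit <a href="https://secure.bankofamerica.com/help">our help center</a>.</p>
"""

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def registrable_domain(host):
    """Return the last two labels of a hostname, e.g. 'bankofamerica.com'.

    Simplification (assumption of this example): a real implementation should
    use the Public Suffix List so that 'bank.co.uk' style hosts work too.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def header_domain(msg, header):
    """Domain part of the address in a header, or None if the header is absent."""
    value = msg.get(header)
    if not value:
        return None
    _display_name, addr = parseaddr(str(value))
    return addr.rpartition("@")[2].lower() or None


def reply_to_mismatch(msg):
    """True when Reply-To is present and points at a different domain than From."""
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    return from_dom is not None and reply_dom is not None and from_dom != reply_dom


def extract_links(msg):
    """All href targets in the message body (single-part HTML assumed here)."""
    return HREF_RE.findall(msg.get_content())


def classify_link(url, claimed_domain):
    """'trusted' if the link's registrable domain equals the claimed brand domain
    (so secure.bankofamerica.com passes), otherwise 'suspicious' (so
    bankofamerica.unknownevildomain.example fails, despite the brand name)."""
    host = urlparse(url).hostname or ""
    return "trusted" if registrable_domain(host) == claimed_domain.lower() else "suspicious"


def triage(raw_message, claimed_domain):
    """Run both checks and return a dict of findings plus an overall verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    links = {url: classify_link(url, claimed_domain) for url in extract_links(msg)}
    mismatch = reply_to_mismatch(msg)
    return {
        "from_domain": header_domain(msg, "From"),
        "reply_to_domain": header_domain(msg, "Reply-To"),
        "reply_to_mismatch": mismatch,
        "links": links,
        "verdict": "likely phishing" if mismatch or "suspicious" in links.values() else "no red flags",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL, "bankofamerica.com").items():
        print(f"{key}: {value}")
```

The `claimed_domain` argument is the domain of the company the email says it is from; in practice it comes from the recipient (or a brand list), since the point of the check is that the message's own content cannot be trusted to supply it.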
To protect yourself even more thoroughly, we recommend taking some additional steps:
- Enable two-factor authentication (2FA) everywhere you can – This is an extra layer of security provided through either a separate app on your smartphone or a code sent via SMS to verify your identity before you log in. If the link you click doesn’t prompt you with the second authentication method, be wary.
- Don’t log into sites from an email – If you get an email from your bank asking you to login, instead of clicking the link, go to your bank’s web page and log in there directly. If they are requiring you to take some kind of action, they’ll have a notification or message in your account portal with the details.
- Don’t blindly rely on the SSL indicator on your browser – Hackers back in 2015 set up a fake Google Drive login to harvest users’ credentials. They even used a legitimate SSL certificate to provide secure communication between victims and the fake site. This means every browser would conveniently display the nifty padlock telling you your information is secure. The padlock only means the connection to the site is encrypted; it says nothing about whether the site belongs to the company it claims to be.
- Make sure your antivirus software and operating system are up to date – If you’re not doing this already, well, let me just say, you should be doing this already!
Other Forms of Phishing
Unfortunately, email is not the only delivery method for phishing scams. Phone calls, SMS and social media can also be used as vehicles for phishing. Check out the great infographic from Digital Guardian.