Businesses and individuals need to be aware of phishing scams
Email is arguably the world’s best and worst advance in human communications. The ability to send and receive information with ease and speed results in a love-hate relationship with our inbox.
But the annoyance of an overflowing inbox pales in comparison to the dark side of email: phishing scams.
What is phishing?
Phishing emails look authentic but are sent by crooks seeking personal information. When successful, they use it to steal your identity and empty your bank account. Both individuals and businesses are vulnerable targets of such scams. The messages appear to be from reputable sources, such as a bank, a law enforcement agency or even the IT department where you work.
Below we summarize the three basic types of phishing. Each type targets a different group of users. But the goal of each is to steal personal and business information.
- Spear Phishing targets a particular individual or company and attempts to gather information about the intended victim. This style accounts for the majority of phishing attempts.
- Clone Phishing uses a legitimate, previously delivered email message and creates a nearly identical one. However, the clone includes malicious links or attachments. The victim will likely trust the bogus sender based on previous legitimate email correspondence.
- Whaling specifically targets senior officers or high-profile employees in an organization. The phony email communication is created to fit the target’s role in the company. It could include a subpoena, a customer complaint or an issue needing the attention of an executive.
Identifying Phishing Emails
As convincing as phishing emails can be, there are ways to help recognize them. Below are seven things to look for that will help detect phishing emails.
- Look at the sender’s email address. Using a falsified email address is one of the most common tactics used by cybercriminals. The address may appear to be coming from a reputable domain. For example, an email may seem to be from Citibank or PayPal. However, upon close inspection, the actual sending address is at an unrelated domain such as lake.ocn.ne.jp. Rest assured that Citibank won’t use the “lake.ocn.ne.jp” domain for its email communications.
- Beware of errors in spelling and grammar. We all make them, of course. But employees of major organizations must adhere to proper rules of the English language. Watch for emails from major banks, corporations or government agencies that contain awkward use of language. English is the second language of many con artists.
- Look closely at the greeting and signature. How does the sender of the email address you in the salutation? Is it “Dearest Customer,” “My Dear,” “Dear Anne Jones” or any other oddly phrased greeting? Your bank would not address you that way, especially if you’ve had prior communication with someone there.
Likewise, a lack of information included in the sender’s email signature is cause for concern. A legitimate representative of a company will always provide contact information in their signature. But again, look at the email address. No bank officer, insurance agent or medical facility will use a Gmail or Yahoo email for official communication.
- Don’t click on embedded links. The real destination of a link typically displays if you hover the pointer over a link embedded in an email. Alternatively, right-click on the link, copy it and paste it into a text file to assess its legitimacy. Shortened and malformed links may appear to be sending victims to a legitimate website, but victims actually land at a rogue website that attempts to trick them into providing login credentials or other personal information. Another risk in clicking such links is ransomware, which we discuss in a separate post.
Some of these illegitimate websites claim a security breach or other emergency occurred. Victims are asked to grant Open Authorization (OAuth) access to their email, bank account or other online account(s). Phishers then use that access to operate the account as if it were their own.
OAuth is actually a legitimate and convenient method of authorizing third-party apps to use an account for social media, gaming, etc. Once granted, you don’t have to enter your login information each time you access the app. However, criminals abuse the same consent prompt to gain access to victims’ accounts.
- Don’t open attachments. Cybercriminals really enjoy including attachments in phishing emails. They typically appear as PDFs, JPEGs or MS Word documents. Unfortunately, they might contain malware or viruses. This malware can damage files on your computer, escalate to administrator privileges to make changes, steal passwords or spy on your movements across the Internet.
- Guard your personal information. Banks, credit card companies, schools and other institutions never ask for personal information by email. Period. If you receive such a request, report it to a customer service agent by phone. They need to know their name is being used to cover a scam.
- Beware of urgent or threatening deadlines. Be skeptical of any email with a subject line claiming your immediate attention is needed. The same goes for anyone claiming your account is frozen or that an unauthorized login was detected on your account. These emails almost always include an embedded link for you to follow. Rather than landing on a helpful page, you have taken the first step toward a security breach and a stolen identity.
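Two of the checks above (a sender address whose domain does not match the brand named in the display name, and a link whose visible text points somewhere other than its real destination) can be automated for mail triage. The script below is an added example written for this page, not code from the article. The BRAND_DOMAINS allow-list is constructed for the example and is not an authoritative list of any bank's sending domains; registrable_domain() is a deliberately crude "last two labels" approximation that a production tool would replace with a Public Suffix List lookup; and the sample message is constructed, reusing the article's lake.ocn.ne.jp domain and a documentation-reserved IP address as the link target.

```python
"""Triage two phishing indicators in a raw email: a display name that claims a
brand while the address domain belongs to someone else, and an HTML link whose
visible text names a different host than its href."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of domains a brand legitimately sends from.
# Constructed for this example; not an authoritative list.
BRAND_DOMAINS = {
    "citibank": {"citi.com", "citibank.com"},
    "paypal": {"paypal.com"},
}


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Example only: real code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(from_header):
    """Return a finding if the display name claims a brand but the address
    domain is not one that brand uses; otherwise None."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return f"unparseable From header: {from_header!r}"
    domain = addr.rsplit("@", 1)[1].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and registrable_domain(domain) not in domains:
            return f"display name claims {brand!r} but address domain is {domain}"
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return findings for anchors whose visible text names a different host
    than the href, and for hrefs whose host is a bare IP address."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown = text if "://" in text else "http://" + text
        shown_host = (urlparse(shown).hostname or "").lower()
        looks_like_url = "." in text and " " not in text
        if looks_like_url and shown_host and \
                registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"link text {text!r} but href goes to {href_host}")
        if href_host.replace(".", "").isdigit():
            findings.append(f"href uses a bare IP address: {href_host}")
    return findings


def triage(raw_message):
    """Run both checks over a raw RFC 5322 message and return all findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender_finding = check_sender(msg["From"] or "")
    if sender_finding:
        findings.append(sender_finding)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        findings.extend(check_links(body.get_content()))
    return findings


# Constructed sample message for the example (not a real phishing email).
SAMPLE = """From: "Citibank Security" <alerts@lake.ocn.ne.jp>
To: customer@example.org
Subject: Urgent: your account is frozen
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Click <a href="http://203.0.113.5/login">https://www.citi.com/verify</a>
to restore access within 24 hours.</p>
<p>Questions? Visit <a href="https://www.citi.com/help">www.citi.com/help</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("FLAG:", finding)
```

Run on the sample, triage() flags the sender (display name says Citibank, address is at lake.ocn.ne.jp) and the first link twice (visible text names citi.com while the href goes to a bare IP address); the second link, whose text and href agree, is left alone. Anchor text that is not URL-shaped ("Click here") is deliberately not compared, since a mismatch there is normal HTML rather than a deception signal.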
The bottom line
Following these simple tips protects you from time-consuming and expensive mistakes. You will also notice how many different types of scams you now recognize in your inbox on a regular basis.