What is Phishing?
While phishing may seem to have a funny name, the term means exactly what it sounds like. Just as a fisherman puts bait on a hook, a cybercriminal uses tactics such as emails, texts, phone calls or other messages as bait to trick you into sharing sensitive information such as:
- Credit card numbers
- Social Insurance Numbers
- Other types of personally identifiable information.
Similar tactics can be used to trick you into downloading a virus or malware which could put you and your company at risk.
While it’s true that most phishing attacks come in the form of an email, they can also arrive through other channels, such as SMS messages, phone calls, social media posts and direct messages.
Oftentimes, these phishing attempts will direct you to a fake website that looks identical to a legitimate one. In an age where most of our software runs in the cloud, it is easy for cybercriminals to imitate corporate websites such as QuickBooks Online, Facebook and Office 365, among others. This can trick you into entering your username and password, handing that information straight to the cybercriminal.
Unfortunately, no preventative cybersecurity measure can fully protect you against phishing. The good news, however, is that you can stop many of these attempts by being diligent, attentive to detail, and a little paranoid when reviewing the communications sent your way.
How to spot a phishing email
A small percentage of malicious emails can make it past your antispam software and into your inbox. When they do, you need to be sure to take the following steps to spot the culprit:
Carefully inspect the message
Phishing emails will often have the following tell-tale signs:
- They make use of a trusted company logo.
- The sender’s email address does not match the domain of the website they are promoting.
- The email may be littered with typos or mismatched email domain names.
- They use generic greetings, such as “Cardholder” or “Dear customer”.
- They use threatening statements to scare you into acting quickly, or urge immediate action, for example “If you FAIL to update your credit card, it will be temporarily disabled”. Similar threats include:
  - Your account has been compromised, or
  - Your account will be terminated if you do not act now.
Be very careful before clicking an embedded link in your email message.
Simply clicking on a malicious link can be enough to download a virus onto your computer. Links in phishing emails could also lead you to a fake website, where you may be tricked into providing your account credentials, sensitive personally identifiable information or business secrets. If you’re unsure whether a link is legitimate, hover your mouse over it to see where the address actually leads. If it’s not the same domain as the company that sent you the email, DO NOT CLICK IT. If you hover over it and it looks legitimate but you still have doubts, always err on the side of caution and DO NOT CLICK IT.
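The inspection steps above (sender domain versus the domain being promoted, what a link shows versus where it actually points, generic greetings, threatening language) can be applied mechanically before anyone clicks. The following screening script is an added example written for this page, not part of the original article or any product; the message it screens is constructed, and the domain-matching rule (compare the last two labels of each hostname) is a deliberate simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): generic greeting, a threat to act
# quickly, a sender domain unrelated to the bank it imitates, and a link whose
# visible text names the bank while the href points somewhere else.
SAMPLE_EMAIL = """From: "Example Bank" <alerts@example-billing.net>
To: you@example.org
Subject: Action required
Content-Type: text/html

<p>Dear customer,</p>
<p>If you FAIL to update your credit card, it will be temporarily disabled.</p>
<p><a href="http://account-verify.example.net/login">https://www.example-bank.com/login</a></p>
"""

GENERIC_GREETINGS = ("dear customer", "cardholder", "dear user")
URGENCY_PHRASES = ("fail to", "temporarily disabled", "act now", "has been compromised")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def company_domain(host):
    """Crude 'company domain': the last two labels of a hostname (assumption)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def screen_email(raw):
    """Return the tell-tale signs found in a raw RFC 822 message, as strings."""
    msg = message_from_string(raw)
    sender = company_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    body = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", body).lower()   # body with HTML tags removed
    findings = []
    for href, shown in LINK_RE.findall(body):
        target = company_domain(urlparse(href).hostname)   # where the link really goes
        shown = shown.strip()                              # what the reader sees
        claimed = company_domain(urlparse(shown).hostname) if shown.startswith("http") else ""
        if target != sender:
            findings.append(f"sender {sender} does not match link target {target}")
        if claimed and claimed != target:
            findings.append(f"link text shows {claimed} but points to {target}")
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency or threat language")
    return findings

if __name__ == "__main__":
    print(*screen_email(SAMPLE_EMAIL), sep="\n")
```

A message that raises no findings is not proven safe; the script only automates the visible signs this section lists, so the hover-and-doubt rule still applies.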
Be cautious with email attachments
Phishing emails may try to trick you into downloading attachments such as Word, PDF or ZIP files. Common lures include fake voicemails, e-faxes and resumes. Always be extremely cautious if you receive any security warnings from your email program or applications. As always, if in doubt, never open or download any file attachment. As a best practice, we would even recommend never opening an attachment unless you’ve confirmed by other means with the sender that they actually sent it.
Watch out for reply requests and NEVER unsubscribe from an unknown mailing list
Phishing emails may include a reply request or an unsubscribe link, which can be the cybercriminal’s way of validating your email address. Replying to a phishing email or clicking an unsubscribe link tells the sender that they have reached a real person with an active mailbox. If you are asked to reply to an email that you’re suspicious of, DO NOT REPLY.
Similarly, if you receive spammy emails with unsubscribe links, DO NOT CLICK THEM. Instead, use your email solution to block the sender as SPAM.
The biggest takeaway here is to always be wary, cautious, even borderline paranoid, when it comes to emails you’re unsure of.
A more direct and potentially more dangerous form of phishing is called Spear Phishing.
Spear phishing is an email targeted directly at you. Instead of a general greeting as discussed earlier, this email may have personal information, such as your name, address, phone number, job title, password or other details that only you or someone you trust should have. Spear phishing attacks can also be sent from a friend or colleague’s email account, making it that much more dangerous and harder to catch.
Similar to a common phishing attack, they might be asking for:
- User accounts
- Financial accounts
- Or threatening you with some personal or private information.
Keep in mind that cybercriminals and scammers rely heavily on social media and the dark web to learn more about their targets, so that they can further customize a spear phishing attempt to look legitimate.
So, what have we learned?
Phishing uses tactics such as emails, texts, phone calls or other messages as bait to trick you into sharing sensitive information with cybercriminals.
Sometimes they can originate from a compromised trusted source, such as a friend’s or co-worker’s email or social media account.
You can protect yourself from phishing attempts by following the tactics in this video to spot a phishing email and being extremely cautious when screening your emails.
If you are unsure about the legitimacy of an email, call the sender directly to confirm!
Never click a link. Instead, manually enter a trusted URL rather than following the link in the email (e.g., microsoft.com).
Use caution when sharing personal information on social media. Remember that this information is often public and may be used against you by cybercriminals.
Cybercriminals will continue to advance their tactics and find new ways to make their attempts look even more legitimate. Stay cautious, and if it looks phishy, it probably is. Don’t click, Don’t open, Don’t reply.
Finally, if you think you’ve been the victim of a scam or phishing attack, contact your supervisor and your IT service provider immediately.