Phishing is when you receive an email that tricks you into clicking on a link to a fraudulent website and then sharing private information, or opening a malicious attachment on your phone, tablet or computer.
If you trust the link you could be giving away your user names, passwords, Social Security numbers, bank details or installing malware, like viruses, spyware or ransomware on your device and at work you could be handing over access to your company and all their sensitive data.
Phishing is the top cybercrime in the US. In 2019, the FBI reported that it had claimed nearly 115,000 victims with victim losses at $57.8 million, an average of $507 per victim.
Spotting the phishing attack
Don’t get complacent, the top branded security software (e.g. Norton, Bitdefender etc) are very good at taking out phishing emails before they hit your inbox. But, it’s a false sense of security as some still get through. In fact, in your personal life and as an employee, the next 100 emails you receive, possibly three or four will be phishing scam emails.
The most important golden rule. Change your mindset. Don’t trust emails and don’t click on a link in an email. I’m purposefully, stressing this as the golden rule, even though you think it to be too onerous and impractical. Nonetheless, for the next seven days examine every email (see tips below) and learn to change your mindset and start spotting phishing attempts. The extra time you spend on examining your inbox will build your confidence and you will feel much more confident about email management.
The only time you can trust an email is if it comes from an email address you recognise and the email doesn’t seem out of the ordinary. Even here, if it contains an attachment don’t click on it yet.
Make sure you double check the email address and not just the name. Give the sender a call if you are unsure. Malware is commonly passed between compromised emails accounts so even if the email address is correct that doesn’t mean someone else isn’t sending fraudulent emails from their account.
How to check for the signs of phishing. There are five signs:
- Poor grammar. As far as the US is concerned, most cyber criminals are based in overseas countries such as Russia, North Korea, Eastern Europe, China and Iran. For the majority, US English is a foreign language. They make spelling errors (although they have improved significantly in recent years) and make grammatical errors (much harder to improve upon). In fact, as you read the email you will make an on-the-spot judgement – this is well written, this is poorly written. If it is poorly written be wary.
- Suspicious logo. If the email is topped with the logo of a known trusted business or government department, then check it against the official website with a quick Google. False logos can have washed out colours, faded edges or imprecise proportions. In effect, it could be a poor copy and paste job.
- Check the URL. Imagine you receive an email from NETFLIX containing a link. If you hover over the link (DON’T CLICK!) a small display will appear containing www.netflix.com plus suffices. You’ve validated the email that it is from NETFLIX. Job done. Imagine it reported www.netfilx.com or www.netflics.com then DO NOT click on the link. It’s false and belongs to a cybercriminal. In fact, any errors, whether spelling or design is a warning. Be super-cautious.
- Check the greeting. On my domestic accounts very rarely do I receive the greetings, ‘Dear customer’, ‘Dear subscriber’, ‘Dear friend’ or the more informal,’ Hi customer’, ‘Hi subscriber’. They say, ‘Dear Neil’ or ‘Hi Neil’. This is how customer-orientated domestic businesses tend to interact with their customers. Foreign cybercriminals make mistake ‘out-of-culture’ errors on greetings and/or sign offs.
- Attachments. Legitimate companies don’t send attachments that you didn’t ask for and also would not request sensitive information via email.
If all are followed with the instruction to click on the link to learn more and/or correct the problem. Be super-cautious.