Phishing describes thieves who masquerade as a reputable company (or person) to get you to reveal personal info, such as a credit card number or password. They may also place an order on credit terms, hoping the product gets shipped to them so they can skip out on paying.
The bad guys are pretty creative, and they do a good job scamming people to make millions every year. So how do you spot one of these phishing emails? It helps to know what makes them work so you can better understand how to spot them.
The best phishing emails leverage social engineering, which is a fancy way of saying they are customized to incorporate some of your personal or corporate info to make them more believable. This info is readily available just by reading someone's social media posts.
When you receive an email that mentions meeting you at your daughter Kelly's softball game last week, you brush aside the fact that you don't remember meeting this person, because there really was a softball game for Kelly. That one true detail makes the entire message more believable.
Now that you understand the basics, let's explore some specific ways to spot a phishing email.
- Bad grammar and spelling mistakes. Let me get this one out of the way as it's so easy to spot. Remember the Nigerian prince spam emails from years ago? Those emails had so many grammar and spelling issues that you knew the writer wasn't a native English speaker, and you could spot the scam. While most phishing emails today are well written, if you come across an email with bad grammar, toss it in the trash and move on.
- Impersonal greetings. Have you ever received an email from Apple, Microsoft, or Amazon? Guess what... they know your name! So, there's no way they'd open an email with "Dear Apple User." This is a giveaway that the message is bogus and should go to the trash can without further review.
- Funky domain names. A good rule with everything on the web is "look before you click." Hover your mouse over a link and the popup will show you where the URL actually points. If you are using a phone or tablet, press and hold on the link, and you'll get a popup showing you the link details. Take a close look and see if the link points to a legit address. For example, if a message claiming to be from Microsoft asks you to confirm your credentials, you'd expect its link to point to microsoft.com, not hackrsinrussia.com.
- Attachments or links. If you receive an email attachment from someone outside your organization, or a link to a document you need to click to review, check before opening it. For links, follow the "Funky domain names" tip above. If the link points to OneDrive, Dropbox, Google Drive, etc., NEVER OPEN IT until you check with the sender and confirm it's legit. Same thing with standard file attachments: if you aren't expecting it, contact the sender and confirm it's legit before you open it.
- Gotta do it now! Any email that requires you to do something now to avoid terrible consequences (or miss out on some enormous fortune)... yeah, it's bogus. All the above still applies and can usually help you find the specific markers proving it's bogus, but in general, any email that tries to move you now to take action is either a phishing email or a marketing email – and they both belong in the trash. :-)
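To make the "look before you click" tip concrete, here is a small added example (not code from the original post) that takes the text a reader sees on a link plus the address behind it, works out the host the browser would really connect to, and asks whether that host sits under the domain the message claims to come from. It goes a bit beyond the hover tip: seeing "microsoft.com" somewhere in the address is not enough, because microsoft.com.hackrsinrussia.com and https://microsoft.com@hackrsinrussia.com/ both end up at hackrsinrussia.com. The `check_link` helper, the sample links and the two-label "registrable domain" shortcut are all constructed for this illustration.

```python
"""Where does this e-mail link really point?

Added example for the "Funky domain names" tip; not code from the original post.
The sample links below are constructed for the illustration.
"""
from urllib.parse import urlsplit


def registrable_domain(hostname: str, suffix_labels: int = 2) -> str:
    """Return the last `suffix_labels` labels of a hostname, lower-cased.

    Assumption: a two-label suffix such as microsoft.com. Production code
    should consult the Public Suffix List so co.uk-style suffixes work too.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-suffix_labels:])


def link_target_host(href: str) -> str:
    """Hostname the browser will connect to for `href`.

    urlsplit().hostname drops any user@ part and port, so
    'https://microsoft.com@evil.example/' resolves to evil.example.
    """
    parts = urlsplit(href.strip())
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"not a web link: {href!r}")
    if not parts.hostname:
        raise ValueError(f"no host in link: {href!r}")
    return parts.hostname.lower().rstrip(".")


def check_link(display_text: str, href: str, expected_domain: str) -> dict:
    """Classify one link as 'ok' or 'suspicious' and list the reasons."""
    reasons = []
    host = link_target_host(href)
    expected = expected_domain.lower()

    # The only test that matters: is the real host under the expected domain?
    if registrable_domain(host) != expected:
        reasons.append(f"host {host!r} is not under {expected}")

    # Lookalike pattern: the brand name appears inside an unrelated hostname
    # (microsoft.com.evil.example, microsoft-com.example).
    brand = expected.split(".")[0]
    if reasons and brand in host:
        reasons.append("brand name appears inside an unrelated hostname")

    # Link text that looks like a URL but names a different host than the href.
    shown = display_text.strip()
    if shown.lower().startswith(("http://", "https://")):
        shown_host = urlsplit(shown).hostname
        if shown_host and shown_host.lower() != host:
            reasons.append(f"link text shows {shown_host!r} but points to {host!r}")

    return {"host": host,
            "verdict": "suspicious" if reasons else "ok",
            "reasons": reasons}


# Constructed sample links: (text the reader sees, real href, claimed sender domain)
SAMPLE_LINKS = [
    ("Verify your account", "https://login.microsoft.com/verify", "microsoft.com"),
    ("https://www.microsoft.com/account",
     "https://microsoft.com.hackrsinrussia.com/account", "microsoft.com"),
    ("Confirm your credentials",
     "https://microsoft.com@hackrsinrussia.com/login", "microsoft.com"),
]


def scan_links(links=SAMPLE_LINKS) -> dict:
    """Run check_link over each sample and map href -> result."""
    return {href: check_link(text, href, domain) for text, href, domain in links}


if __name__ == "__main__":
    for href, result in scan_links().items():
        print(f"{result['verdict']:10} {href}")
        for reason in result["reasons"]:
            print(f"           - {reason}")
```

Running it marks the login.microsoft.com link as ok and the other two as suspicious, with the reasons spelled out; the userinfo trick is caught purely because `urlsplit` reports the host after the `@`, which is exactly what a browser would connect to.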
If you want to get really good at spotting phishing emails, go to your junk folder and look at the emails there. Your email program has already done a good job at weeding out bad emails, so start looking at bad ones and see what signs you can spot. Once you've trained yourself, keep an eye on your regular inbox to see if you can spot the ones that try to get through your defenses.
If you'd like to have a deeper discussion on cyber security and how you can keep your firm safe, click here and let us know.