While maybe not the plot of any horror film, phishing emails can be pretty scary. The thought of having your money or identity stolen is chilling, not to mention the lasting consequences it can have on your life. And while it's common knowledge not to go around sharing your social security number, people still fall victim to theft simply by opening an email.
The FBI’s Internet Crime Complaint Center recently reported that people lost $30 million to phishing schemes in one year alone. If you haven’t yet been a victim of a phishing attempt, consider yourself lucky. However, heed this warning: beware of insecure emails, because you could be next. Consider some of these statistics:
- 66% of malware is installed via malicious email attachments (source)
- 64% of organizations have experienced a phishing attack in the past year (source)
- 70% of cyber attacks use a combination of phishing and hacking (source)
- 50% of recipients open emails and click on phishing links within the first hour of being sent (source)
We’re not trying to scare you, at least not too much. Yet phishing emails have become one of the most common threats online, so being able to both identify and react accordingly is paramount to the safety of your online information.
What is a phishing email?
Like actual fishing, the term “phishing” is all about getting you, the recipient, to take the bait.
A phishing email is a scam where cyber criminals send out emails that appear to be from a legitimate company or sender - people you know and trust. These emails typically ask you to provide sensitive information or login credentials, and can contain links or unsolicited downloads that entice you to click. The goal? To gain access to your personal information or install malware on your device in order to gain access to your computer.
The scary thing about phishing emails, aside from the fact that they are attempting to access your personal information, is that they can present themselves in varying forms. Many will try to disguise themselves as companies that are widely known and reputable, but can contain anything from a fake invoice to a downloadable coupon for a free item.
How to Spot a Phishing Email
Though phishing emails can be astonishingly convincing, there are some tell-tale signs of insecure emails that you should be aware of. For example, phishing emails may:
- Claim there is a problem with your account or your payment information
- Ask you to confirm personal information
- Include a fake invoice
- Ask you to click on a link to make a payment
- Claim that you are eligible to register for some kind of government refund
- Offer you coupons for free stuff
Below are some of the key ways to tell if an email is insecure:
1. The email asks you to provide personal information
Many phishing attacks take on the look of your company, bank, and other trusted organizations. While these may look incredibly legitimate, a clear sign that it’s a phishing email is when they include abnormal requests. A rule of thumb? Your bank will never ask you to submit personal information via email, and your company would never ask for your passwords to any portals or accounts they use. If a request in an email seems suspicious, it probably is.
2. The email was sent at a strange time of day
While this may not be a foolproof way of spotting a phishing email, looking at the time an email was sent can be an indicator of something fishy. Any emails from your company should be sent within business hours, or at least close to them. If you receive something in the middle of the night, you might want to double check before clicking on it.
3. The domain name and email address don’t look genuine
At first glance, a phishing email may look completely legitimate. Yet upon closer inspection, you’ll see that the domain name or email address is slightly off. For example, an email from Netflix should come from @netflix.com. Yet a phishing email that wants you to think it came from Netflix may have a domain name such as @netflix.mail.invoices.
4. It’s poorly written
Legitimate emails from legitimate companies have been carefully constructed by paid professional writers. They were meticulously checked and edited, so anything riddled with typos and grammatical errors should immediately be suspicious to you.
5. It has suspicious attachments
We’ve all sent emails with attachments - school assignments to professors, funny pictures to friends, etc. Yet when you receive an attachment from a domain name or email address you don’t recognize, certainly look for other indicators of phishing before even thinking about opening it.
The best course of action is always to play it safe. If you don’t recognize the email, don’t open the attachment. If it really is important, they’ll find another way to reach you.
6. They have alarming subject lines
Some phishing emails are meant to make you panic so that you will complete whatever action the hacker wants you to take - whether it be clicking on a link to “recover your account” or sending them your login credentials. Whenever you receive an email with an incredibly alarmist subject line, tread carefully. Contact the company through their actual website to confirm whether or not the email was legitimate.
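Signs 2, 3 and 6 can be checked mechanically from a message's headers. The sketch below is an added example, not part of the original article; the brand map, business-hour window, alarm-word list and sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumptions for this sketch: the brand map, hour window and word list are
# illustrative values a mail team would maintain themselves.
KNOWN_BRANDS = {"netflix": "netflix.com"}
WORK_HOURS = range(7, 20)          # 07:00-19:59 in the sender's own UTC offset
ALARM_WORDS = ("urgent", "suspended", "locked", "immediately", "final notice")

def triage(raw_message):
    """Return a list of warning-sign strings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    flags = []

    # Sign 3: the brand is named, but the address is not on the brand's domain.
    for brand, legit in KNOWN_BRANDS.items():
        claimed = brand in display.lower() or brand in domain
        genuine = domain == legit or domain.endswith("." + legit)
        if claimed and not genuine:
            flags.append(f"sender domain {domain!r} is not {legit!r}")

    # Sign 2: sent outside normal hours (weak signal, never decisive alone).
    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
        if sent.hour not in WORK_HOURS:
            flags.append(f"sent at {sent:%H:%M}, outside business hours")
    except (TypeError, ValueError):
        flags.append("missing or unparseable Date header")

    # Sign 6: alarmist subject line.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in ALARM_WORDS if w in subject]
    if hits:
        flags.append("alarmist subject: " + ", ".join(hits))
    return flags

# Constructed sample message (not real mail), using the article's example domain.
SUSPICIOUS = """From: Netflix Billing <billing@netflix.mail.invoices>
Date: Tue, 05 Mar 2024 03:12:00 +0000
Subject: URGENT: your account is suspended

Please confirm your payment details.
"""

if __name__ == "__main__":
    for flag in triage(SUSPICIOUS):
        print("-", flag)
```

No single flag proves an email is phishing; the point is that several weak signals on one message justify confirming with the company through its actual website.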
Steps to take to protect yourself from phishing emails
Spotting phishing emails may now be easier, but there is still the question of preventing them from being sent to you altogether. There may not be any way to actually prevent someone from sending you an insecure email, but there are preventative measures you can take to ensure that your information is secure and accessible only to you.
- Install security software on your devices and update it regularly
- Protect accounts using multi-step authentication
- Create longer, more complex passwords
- Vary passwords on different accounts/websites
- Stay informed about new phishing techniques
- Install an anti-phishing toolbar
- Regularly check on your online accounts
- Never give out personal information
- Use anti-virus software
How to Report Phishing
Congratulations! You’ve successfully identified a phishing attempt, and have not clicked on any suspicious links or downloaded harmful software onto your device (hopefully). You could simply delete the email and chuckle to yourself about any hackers’ failed attempts to scam you. However, if you’d like to go a step further you can also report the attempt to the host of anti-phishing organizations out there. Some of these include:
- Anti-Phishing Working Group at email@example.com
- The U.S. Government at http://www.us-cert.gov/nav/report_phishing.html
- Google at https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en
Yes, phishing attacks can be scary and dangerous, but they don’t have to be if you know what to look for. Hackers and cyber criminals target the gullible, so the less gullible you are, the less likely you are to fall for their scams.
An important thing to remember is that the things we do online (e.g., personal finance, social media posts, etc.) can be accessed by others if they aren’t protected. As data security becomes increasingly important, make sure you don’t fall for something as simple as an email link.