2019 Cybersecurity Awareness Month: Phishing Awareness
Stay Safe from Phishing and Scams
Phishing is a form of social engineering where people try to fool other people into sending them money or revealing personal information online. The name comes from the idea of fishing: scammers send a message that acts as bait, hoping to “hook” someone. Let’s take a minute to talk about what you can do to avoid phishing.
- Be cautious. Remember the old warning about not talking to strangers? It goes double on the Internet. Anyone can pretend to be anyone else, and an email from an exciting new friend could actually be a trick. Ask your potential phisher to provide proof or explain their amazing offer in detail, and you’ll trip up an attacker really fast.
- Remember not to share sensitive information through emails. Details like your passwords, credit card numbers, and Social Security Number are things that no legitimate company would be asking you for in an email. If scammers get that information, they could gain access to your email, bank, or other accounts.
How to Recognize Phishing
Scammers often update their tactics, but there are some signs that will help you recognize a phishing email or text message. Phishing emails and text messages may look like they’re from a company you know or trust. They may look like they’re from a bank, a credit card company, a social networking site, an online payment website or app, or an online store. Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. They may
- say they’ve noticed some suspicious activity or log-in attempts
- claim there’s a problem with your account or your payment information
- say you must confirm some personal information
- include a fake invoice
- want you to click on a link to make a payment
- say you’re eligible to register for a government refund
- offer a coupon for free stuff
Once you know how to spot a phishing attack, your best defense is your intuition. If it sounds fishy or too good to be true, it probably is.
Here’s a real-world example of a phishing email:
Imagine you saw this in your inbox. Do you see any signs that it’s a scam? Let’s take a look.
- The email looks like it’s from a company you may know and trust: Netflix. It even uses a Netflix logo and header.
- The email says your account is on hold because of a billing problem.
- The email has a generic greeting, “Hi Dear.” If you have an account with the business, it probably wouldn’t use a generic greeting like this.
- The email invites you to click on a link to update your payment details.
While, at a glance, this email might look real, it’s not. The scammers who send emails like this one do not have anything to do with the companies they pretend to be. Phishing emails can have real consequences for people who give scammers their information. And they can harm the reputation of the companies they’re spoofing.
Phishing emails have come a long way since the days when Nigerian princes needed our help getting millions of dollars into the United States. Phishing has become a lot more sophisticated, and sometimes these messages can even be hard for IT professionals to spot. Many malicious emails include convincing brand logos, language, and a seemingly valid email address. Be skeptical when it comes to your email messages—if it looks even remotely suspicious, do not open it.
There are a few other red flags to watch out for:
- Don’t trust the display name: A favorite phishing tactic among cybercriminals is to spoof the display name of an email. Once delivered, the email appears legitimate because most user inboxes and mobile phones will only present the display name.
- Look but don’t click: Cybercriminals love to embed malicious links in legitimate-sounding copy. Hover your mouse over any links you find embedded in the body of your email. If the link address looks weird, don’t click on it. If you have any reservations about the link, send the email directly to your security team.
- Check for spelling mistakes: Brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.
- Analyze the salutation: Is the email addressed to a vague “Valued Customer”? If so, watch out—legitimate businesses will often use a personal salutation with your first and last name.
- Don’t give up personal or company confidential information: Most companies will never ask for personal credentials via email, especially banks. Likewise, most companies will have policies in place preventing external communications of business IP. Stop yourself before revealing any confidential information over email.
- Beware of urgent or threatening language in the subject line: Invoking a sense of urgency or fear is a common phishing tactic. Beware of subject lines that claim your “account has been suspended” or ask you to action an “urgent payment request.”
- Review the signature: Lack of details about the signer or how you can contact a company strongly suggests a phish. Legitimate businesses always provide contact details. Check for them!
- Don’t click on attachments: Including malicious attachments that contain viruses and malware is a common phishing tactic. Malware can damage files on your computer, steal your passwords or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting.
- Don’t trust the From address in the header: Fraudsters not only spoof brands in the display name, but also spoof brands in the From address itself, including the domain name. Keep in mind that just because the sender’s email address looks legitimate (e.g. firstname.lastname@example.org), it may not be. A familiar name in your inbox isn’t always who you think it is!
- Don’t believe everything you see: Phishers are extremely good at what they do. Many malicious emails include convincing brand logos, language, and a seemingly valid email address. Be skeptical when it comes to your email messages—if it looks even remotely suspicious, do not open it.
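As an added illustration (not part of the original notice, and not how Proofpoint works), here is a small Python checker that applies several of the red flags from the two lists above to a raw email: a display name that brands the mail as one company while the address domain is another, urgent wording in the subject, a generic greeting like “Hi Dear”, and a link whose visible text names a different host than its real target. The sample message, the keyword lists and the brand/domain heuristic are assumptions made for the example.

```python
import email
import re
from email import policy

# Constructed sample message (not from the page) exhibiting several red flags.
SAMPLE = b"""From: "Netflix Billing" <billing@example.net>
To: user@example.org
Subject: URGENT: your account has been suspended
Content-Type: text/html

<p>Hi Dear,</p>
<p>Your account is on hold.
<a href="http://example.com/update">www.netflix.com/update</a></p>
"""

# Assumed keyword lists for the example; a real filter would use far richer rules.
URGENT = re.compile(r"\b(urgent|suspended|immediately|action required)\b", re.I)
GENERIC = re.compile(r"\b(hi|dear|hello)\s+(dear|customer|valued customer)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host(url):
    """Bare host of a URL or URL-looking text; empty string if there is no host."""
    m = re.match(r"(?:https?://)?(?:www\.)?([^/\s]+\.[^/\s]+)", url.strip())
    return m.group(1).lower() if m else ""

def phishing_flags(raw):
    """Return the red flags (as strings) that a raw RFC 822 message triggers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    sender = msg["From"].addresses[0]
    brand = sender.display_name.split()[0].lower() if sender.display_name else ""
    # "Don't trust the display name": first word of the name vs. the address domain.
    if brand and brand not in sender.domain.lower():
        flags.append("display-name/address mismatch")
    # "Beware of urgent or threatening language in the subject line".
    if URGENT.search(str(msg["Subject"] or "")):
        flags.append("urgent subject")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    # "Analyze the salutation": generic greeting instead of a personal one.
    if GENERIC.search(body):
        flags.append("generic greeting")
    for href, text in ANCHOR.findall(body):
        # "Look but don't click": visible text names one host, the href another.
        if host(text) and host(text) != host(href):
            flags.append(f"link text {text.strip()} points to {href}")
    return flags

if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE):
        print("flag:", flag)
```

Hovering over a link, as the list recommends, is the manual version of the last check: the client shows the real href, which may differ from the text you see.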
Our Proofpoint system does a great job of blocking the vast majority of phishing emails that come into our district, but no filter is perfect. Learn how to recognize phishing and treat every email with healthy skepticism; that will keep you safe.
(Really, it is okay to check your email!)