Fishing Vs Phishing: 8 Tips for Spotting a Phishing Email
For many of us, learning to fish was an absolute must when we were young. Baiting your hook, running your lines, and of course, taking the fish off the hook. It was all innocent and fun. But now there’s a new form of phishing that isn’t so nice and we think it’s important to share some tips on how to arm yourself against it.
Phish·ing /fish·ing/ n noun. The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
The official definition of phishing leaves a lot to the imagination, so let us look at some important phishing warnings to look for within your inbox.
You’ve Never Had Any Contact With the Sender
One of the first signs to look for is whether you have had any prior contact with the business or person contacting you. Have you emailed them before, or have they emailed you previously? If not, tread carefully. Even if it looks like a popular business, like PayPal, double-check that they have a reason to be contacting you. And if they don’t, it’s most likely a phishing email. If they do, you’re not out of hot water yet.
Incorrect Domain Name or Email Address
Now that we’ve established that the company or person has contacted you before, it’s time to look a little closer. Many phishing emails claim to be from someone they’re not. An individual will usually email you about work from their professional address rather than a public one, and about personal matters from their personal address.
For example, if you receive an email from jane.doe@gmail.com, and you usually get an email from her at jane.doe@businessname.com, it likely isn’t whom you think it is. The rest of the email might look correct, signature and all, but if the domain name isn’t right, it’s probably best not to risk it. Stop and take a moment to send Jane a separate email at her known address to confirm.
Now take a closer look at the address: does it have the correct domain? If you are expecting an email from a school, does it end in .edu, or does it end in .com? Double-check that the address fits in with the person or business. If it doesn’t, it’s probably a phisher. It would be a good idea to not open that email or anything they might have attached.
And one more thing before we move on. Look just a little closer at the email address, even though it looks like the right domain name. Could there be a careful misspelling to make it look correct? Examples of misspellings to look for include a double letter or letters that, when put together, can be mistaken for another letter. For example, in an email from john.doe@rnicrosoft.com, the careful combination of the r + n may trick the viewer into reading Microsoft. Also, look for double letters that are next to each other, such as @miicrosoft.com.
It’s amazing how subtle changes to an email address can go unnoticed by an untrained eye. But knowing what to look for is half the battle. Now that you’ve learned how to spot a fake email address, let’s take a look at the rest of the email, so you have a complete arsenal to combat a phishing attack.
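The misspelling checks above can be automated for a mail filter or a reporting tool. The following Python sketch is an added example, not part of the original article: the trusted-domain list, the confusable pairs, and the 0.9 similarity threshold are assumptions chosen for illustration, and it goes slightly beyond the two tricks named above by also catching digit swaps and a dropped or added character.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list: the domains you actually expect mail from.
TRUSTED = ["businessname.com", "microsoft.com", "paypal.com"]

# Sequences that read as another letter at a glance (assumed, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def skeleton(domain):
    """Reduce a domain to roughly what a hurried reader sees."""
    d = domain.lower()
    for seq, looks_like in CONFUSABLES:
        d = d.replace(seq, looks_like)
    return re.sub(r"(.)\1+", r"\1", d)  # collapse doubled letters


def check_sender(address):
    """Classify a From address as 'trusted', 'lookalike of X', or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED:
        return "trusted"
    seen = skeleton(domain)
    for good in TRUSTED:
        target = skeleton(good)
        # Same skeleton, or nearly the same string (threshold is an assumption).
        if seen == target or SequenceMatcher(None, seen, target).ratio() >= 0.9:
            return "lookalike of " + good
    return "unknown"


if __name__ == "__main__":
    for sender in ["john.doe@rnicrosoft.com", "john.doe@miicrosoft.com",
                   "jane.doe@businessname.com", "jane.doe@gmail.com"]:
        print(sender, "->", check_sender(sender))
```

An "unknown" result is not a clean bill of health: as with the jane.doe@gmail.com case, a sender on an unexpected domain still deserves a separate confirmation.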
Impersonal Introductions and Generic Greetings
Everyone gets busy sometimes, so maybe you don’t have time to comb through every email address that pops into your inbox. If that’s the case, there are more signs to look for in a suspected phishing email. Specifically, you can look at the first line of the email.
If you receive an email from someone who knows you, they’ll typically start with, “Dear {Your Name}” or something along those lines. Phishers don’t usually have time to look for the name of every person they’re targeting, and they also send out mass emails. To keep things simple, they’ll start with, “Dear Valued Customer” or another generic greeting. If an email starts like this, it could be a phishing email. You should be on high alert to look for further clues to a potential scam.
Incorrect Grammar and Spelling
Everyone in a professional setting can relate to the idea that grammar is the cornerstone of credibility. Having proper grammar is the mark of a professional, so it always seems jarring when we find an email from someone who typically is professional to a T filled with grammar and spelling mistakes.
If English isn’t a phisher’s first language, they might put the email through a translating app. These apps typically aren’t known for their grammar skills and might turn a simple sentence like “We have been trying to reach you” into “We are always working to contact you.” Make sure to double-check that the email is written correctly and in plain language that makes sense to you.
The Email Asks for Sensitive Information
Here we move into the more obvious tactics phishers might use, namely, asking for sensitive information. It could be anything from asking for a phone number or a credit card number to outright asking for access to an account with your user name or password. Generally, reputable businesses and employees will already have the information they need to assist you, so it’s best to ignore this type of email or reach out directly by phone or website chat to confirm the request.
The Message Contains a Sense of Urgency
Not only might a phishing email ask for your information, but they will also ask for it in an urgent manner. Popular phrases email scams use are:
- “Please send this information within two days, or your account will be locked down.”
- “We noticed some suspicious activity on your account. Please validate that this is you by sending the following [private] information.”
Scammers will do everything possible to convince you to fall for this tactic by making the email look official by adding company logos and finishing it off with the names of real people who work there. If you see an email like this, it’s best to email or call the company directly to see if it originated from the correct source.
Contains Links or Images That Aren’t What They Seem
Humans are naturally curious creatures, and this can be our salvation and our downfall. Scammers know this and will put in pictures and links in the hopes that you will click on them without thinking. They may seem significant or look like an invoice or a link to reinstate your account. They might even ask you to download something.
If it is a link, they might doctor the website to look legit. Just like an email, phishers will add logos, copy designs, and make their copycat site seem official. If you haven’t already sensed a trend, we have the same advice as before: if you think it might be serious, call or email the company in question and make sure they sent it before clicking on anything.
Lastly, scammers can make a link look like it will take you to the official website of the real company when, in fact, they’ve masked it to take you to a malicious website instead. For example, www.securedatatech.com (this one is completely innocent, we promise). For those of you who did not click the link, we sent you to Rick Astley’s Never Gonna Give You Up. For those of you who did click the link, we hope you enjoyed being Rick Rolled! To see if a link is real, hover your mouse over it, and the link’s actual address will appear. Check to make sure the addresses are one and the same. Disguising a malware link as a legitimate website address is a simple trick that anyone can do.
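The hover check can also be done in bulk on the HTML body of a message. The following Python sketch is an added example, not part of the original article: it flags every link whose visible text names one website while its href points to another. The sample message is constructed, and video.example is a placeholder for the real destination.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that itself looks like a web address, e.g. "www.example.com/login".
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def bare(host):
    return re.sub(r"^www\.", "", (host or "").lower())

class LinkAuditor(HTMLParser):
    """Collect (shown_host, real_host) for links whose text names another site."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.mismatches = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = HOSTLIKE.match("".join(self.text).strip())
        target = urlsplit(self.href)
        if shown and target.scheme in ("http", "https"):
            pair = (bare(shown.group(1)), bare(target.hostname))
            if pair[0] != pair[1]:
                self.mismatches.append(pair)
        self.href = None

def masked_links(html_body):
    auditor = LinkAuditor()
    auditor.feed(html_body)
    auditor.close()
    return auditor.mismatches

# Constructed message body; video.example stands in for the real destination.
SAMPLE = """<p>Dear Valued Customer, please confirm your account:</p>
<a href="https://video.example/watch?v=placeholder">www.securedatatech.com</a>
<a href="https://www.securedatatech.com/contact">www.securedatatech.com</a>
<a href="https://www.securedatatech.com/blog">Read our blog</a>"""

print(masked_links(SAMPLE))
```

Links whose text is ordinary wording, such as "Read our blog", are not compared here, so they still need the hover check before clicking.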
NEVER (and we mean NEVER) Open an Attachment From Someone You Don’t Know
Beware of any and all attachments to emails. If you’re unsure, just leave it be or forward it to your company’s IT support desk to get the all clear. All too often, a PDF or even an unassuming Excel document is really a malware link in disguise. It’s always better to be safe than sorry, and in this instance, we recommend not opening a link unless you know the sender and are expecting it.
Scammers are getting better and better at convincing us to give them our information. As technology becomes more accessible, more people than ever are sending and receiving links, images, and sensitive information. To combat online scams, we need to get better at spotting all these tricks. From fake domains to fake links, noticing the small details and taking a few seconds to double-check something has the potential to save us a lot of problems in the future in the form of a cyber security breach.
If you’re a business owner or IT manager, educating your employees is the easiest way to combat potential scams. It could be the differentiator that keeps your company from falling victim to a ransomware or malware attack. Do you need advice on how to protect your company or assistance in monitoring and responding to potential threats? Give us a call and Secure Data would be happy to help.