Episode 76: How to Identify Phishing Emails

When it comes to phishing emails, the bad guys use a variety of strategies in an attempt to part you from your personal information, money, and anything else they find valuable.

Before I get into specific types of phishing attacks though, let’s go over some of the more typical aspects of phishing emails.

1. Seems Pfishy - As with anything, this is where your situational awareness and instincts kick in. You can tell your instincts are firing when your subconscious tells you that there’s something weird about an email, instant message, or website. Look for emails and messages that are not like your usual emails. In other words, keep a suspicious eye out for emails and messages that are NOT normal.
2. Who Sent This - When you look at an email and aren’t sure about who sent it, odds are you don’t need to open it. Not only do you not need to open it, but if you do, you don’t need to do what they tell you to do. Like, click on a strange link. Think of it this way; you don’t open your door to every stranger and do what they say without question. Then why do so many of us do just that with an email?
3. Too Good To Be True - When it comes to email scams, the old saying “If it sounds too good to be true, it probably is” definitely applies. In other words, think twice before believing that you’ve won the lottery, a new car, or something else that seems so fantastic, that you’re in shock and can’t believe your crazy luck. After all, you never win anything. Yeah, you never win anything, that is EXACTLY the point.
4. A Sense of Urgency - Scam artists often use the tactic of creating a sense of urgency in the victim or buyer. They instill this sense of urgency in people by presenting them with an incredible opportunity. However, they also let you know that their incredible opportunity has a quickly approaching expiration. They hope you don't think it through and instead act fast for fear of missing out. So, when you read an email telling you to act now, do the OPPOSITE. Slow down and consider why they are trying to get you to take quick action.
5. Hyperlinks & Attachments - An email link or attachment may not be all that they appear to be. When you receive a link or attachment in an email that doesn’t make sense, or “Seems Phishy” think twice about clicking on it. Rather than clicking on the link or attachment, take a better look at it. Hover over the link by placing your mouse over it, but NOT clicking on it. When you hover over a link, you should see the actual web address that you will be sent to if you click on it. In the case of a scammers link, the address will often not be spelled correctly or may be completely different than what you expect it to be. The scammers want you to click on their link or attachment because that’s how they infect you with viruses and turn you into a victim.

The types of phishing attacks are continually evolving. However, many fall within one of these five types of phishing attacks.

Spear Phishing

Spear phishing is a tactic that uses personalized emails or messages to convince you into clicking on a malicious link or email attachment. When you do, you may be giving the bad guys personal information that they can cause you harm with. When using spear phishing attacks, con artists customize their emails with your name, phone number, or other bits of information in an attempt to make you believe the email or message is from a legitimate source. Remember, when you consider replying to an email, double check to make sure it is legitimate.

Email Spoofing (Name Impersonation)

Email spoofing uses the name of a person or organization that you are familiar with. By using a familiar name, the attackers hope to get you to click on their link. Once you click on it, the bad guys then use various techniques to get you to hand over personal information. The best way to avoid email spoofing attacks is to read the sender’s email address carefully. If anything doesn’t appear to be normal, consider not clicking on the link.

Website Spoofing

Website spoofing is similar to email spoofing but is more complicated on the part of the attackers. When website spoofing, attackers copy a legitimate website and use it on their con artist fake web address. These websites are often nearly indistinguishable from legitimate sites. Therefore, if you are concerned that a website contained in an email or message may not be authentic, don’t click on any links. Instead, open a new browser window and manually search for the site on your own. Once you’re sure that you’re on a legitimate site, contact the person or organization through the legitimate site or phone number.

Clone Phishing

Clone phishing happens when bad guys attack a person’s email account by using a previously sent email that contains a link or attachment to make you think the cloned email is legitimate. Criminals replace the link or attachment from the legitimate email with a malicious link or attachment in their fake email. The phony email is then forwarded to the contact list from the victim’s inbox. The criminal’s hope that the recipients of the cloned email will believe it to be legitimate and click on the link or attachment.

Image Phishing

Do you receive emails that contain images? If so, then you need to use caution because it could be a phishing attack. Scammers use pictures and other types of media to infect your systems. There are a couple of ways for bad guys to embed a phishing image in an email. The first is by linking an image in the email or message to the malicious web address. The second is to send an attachment, such as a photo or other type of media file, with a virus embedded in the file that infects your computer when you open the attachment. The best way to avoid image phishing attacks is to not open or click on links from unknown sources. Don’t forget, you don’t have to click on everything people send you. Far from it, instead, be wary about emails from sources that are unknown or seem out of the norm.

Use Caution When Opening Attachments or Clicking on Links

Remember, your family and friends online accounts can be hacked and used by criminals.

Do Your Own Search

If you receive an email from a person or organization that you know, which contains a link or phone number, don’t click on it. Instead, open a reliable search engine and look up the website or phone number on your own. It’s good to remember that even though a link or phone number looks legitimate, it may not be.

Pick Up the Phone

When you receive an email that requests personal or financial information, DO NOT RESPOND to it. Phishing attacks try to instill fear and prey on your willingness to be helpful. If you think an email or message requesting your sensitive information is suspicious, pick up the phone and call using the number in your address book, or on their website after doing your own research into it. DON’T call the number contained in the email!

Backup Your Data

Backing up your data on a regular basis makes the potential loss of data to ransomware, or other viruses less impactful. So, be smart and prepare in advance.