You might be wondering,
“Where the heck did this guy learn English?! He can’t even spell fish right! And what does that have to do with online security?”
It has a lot to do with it, actually.
No, I didn’t misspell “Fishing” in the title.
“Phishing”, spelled with a P-H instead of an F, is when a spammer impersonates another person or an organization and sends emails designed to trick the recipient into doing things like:
- handing over usernames, passwords, banking details, or other sensitive information,
- downloading malicious files or viruses,
- paying or transferring money in response to fake invoices, fake ransom demands, etc.
If the name sounds funny, that’s because it is! It’s a play on the fact that spammers are trying to lure you in just like a fish, so you’ll give them what they want.
Just like you’d lure a fish into biting down on the hook you’re dangling in the water, a phishing email is meant to get you on a spammer’s hook: to convince you that you really do have to hand over your bank information, or enter your username and password.
But these types of attacks are really nothing to joke about.
They not only try to look as legitimate as they can, but also try to instill fear or curiosity, and play on our desire to do the right thing.
The scary part is that these emails aren’t always easy to detect. Spammers craft their emails to impersonate popular online services and brands so that you’ll enter your username, password and banking details on a page they control.
So, how do you detect a phishing email? Here are 7 characteristics you can check for. These aren’t exhaustive, as spammers are always trying to change up their methods, but they are a good starting point.
An email you weren’t expecting
Is this a company you actually do business with? Is this someone you normally receive this type of email from? Did you actually order something for which you are expecting a confirmation?
If the email seems to have come completely out of the blue, it very well might be a phishing attempt.
The “From:” address
Check the from address carefully. Spammers often register domain names that look very similar to the organization they’re impersonating. Others make the display name look credible, but the actual email address it’s coming from will be something different entirely. Keep in mind that a correct-looking address isn’t proof on its own either, since the “From:” header can be forged outright; it’s one check among several.
Ask yourself: does it make sense that I’d receive an email from this address? Have I received email from this address before?
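As an added example (not code from the original post), here is a small Python check that applies the two “From:” address tests above to raw header values: does the display name claim a brand whose real domain doesn’t match the address, and is the address domain a look-alike of, or wrapped around, the domain you expect? The brand-to-domain table and all sample headers are constructed for the example, and the header is split with a deliberately simple regular expression rather than a full RFC 5322 parser.

```python
import re

# Brand name -> domain you expect that brand to mail you from.
# Assumed for this example; build your own table from senders you actually deal with.
KNOWN_BRANDS = {
    "paypal": "paypal.com",
    "yourbank": "yourbank.com",
}

def split_from(header):
    """Split 'Display Name <user@domain>' into (name, address). Simplified, not RFC 5322."""
    m = re.match(r'^\s*(.*?)\s*<([^<>]+)>\s*$', header)
    if m:
        return m.group(1).strip('" '), m.group(2).strip()
    return "", header.strip()

def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_from(header):
    """Return a list of red flags for a raw 'From:' header value ([] means none found)."""
    name, addr = split_from(header)
    if "@" not in addr:
        return ["no usable address in From header"]
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    # Trick 1: the display name is itself an email address at some other domain,
    # so a reader who only glances at the name sees the wrong sender.
    if "@" in name and name.rsplit("@", 1)[-1].lower() != domain:
        flags.append(f"display name shows {name!r} but mail comes from {domain}")
    squashed = name.lower().replace(" ", "")
    for brand, legit in KNOWN_BRANDS.items():
        if brand not in squashed:
            continue
        if domain == legit or domain.endswith("." + legit):
            continue  # brand is named and the address really is theirs (or a subdomain)
        if legit in domain:
            # Trick 2: realDomain.com buried inside someone else's domain
            flags.append(f"{legit} appears inside another domain: {domain}")
        elif levenshtein(domain, legit) <= 2:
            # Trick 3: a one- or two-character misspelling of the real domain
            flags.append(f"look-alike domain {domain} (expected {legit})")
        else:
            flags.append(f"display name claims {brand!r} but address domain is {domain}")
    return flags

if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for sample in [
        "PayPal Service <service@paypal.com>",
        "PayPal Service <security@paypa1.com>",
        "PayPal Service <noreply@mail-updates.net>",
        "Your Bank <alerts@yourbank.com.example.net>",
        "service@paypal.com <billing@evil-example.net>",
    ]:
        print(sample, "->", check_from(sample) or "looks consistent")
```

The edit-distance threshold of 2 is a judgement call: it catches `paypa1.com` and `paypall.com` but will also flag unrelated short domains that happen to be close, so treat a hit as something to verify, not as a verdict.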
Bad grammar and spelling
If the email is full of bad grammar and spelling mistakes, that should be a red flag. Email from a legitimate company is normally written professionally and proofread before it goes out. The reverse isn’t true, though: a well-written email can still be phishing, so good grammar alone doesn’t clear it.
Also, many companies now either leave out the salutation altogether, or greet you in a manner consistent with your region and with your proper name.
If the email starts with “Salutations user”, greets you by your email address instead of your name, or says “Dear Member”, that should be a red flag.
A weird link
Phishing emails commonly include a link of some kind. They want to get you to go to another page and enter your details, such as usernames and passwords.
If there is such a link in the email, hover your cursor over it, but don’t click it! (On a phone, press and hold the link to preview where it goes.)
This will show you the actual URL. If the URL displayed in the email is different from the URL that pops up when you hover over the link, it’s probably a phishing email.
In addition, if the URL that pops up doesn’t look quite right, it’s probably a phishing email. Watch for a misspelling of the legitimate domain name, a domain that is completely unrecognizable, or the real domain name showing up as part of another domain, such as realDomain.com.someOtherDomain.com. In that last case the site you’d actually land on belongs to someOtherDomain.com: what counts is the last part of the name just before the first slash, not the familiar-looking start.
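As an added example (not code from the original post), here is a Python script that pulls every link out of an HTML email body and applies the link checks above: visible link text that points to a different domain than the real target, the trusted domain buried as a subdomain of something else, a look-alike domain built from confusable characters such as `1` for `l`, and a link to a bare IP address. The HTML body, the trusted domain and the confusable-character table are all constructed for the example; the “registrable domain” helper is a simplification that takes the last two labels of a host name and ignores multi-label suffixes like co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body of a phishing-style email, not a real message.
SAMPLE_BODY = """
<p>Please confirm your account at
<a href="https://paypal.com.account-verify.example/login">https://www.paypal.com/login</a>
or visit <a href="https://www.paypa1.com/">www.paypal.com</a>.
<a href="http://198.51.100.7/paypal/">Update now</a>
<a href="https://www.paypal.com/help">Help Center</a></p>
"""

# Characters that attackers swap in because they look like the real letter (assumed table).
CONFUSABLE = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def hostname(text_or_url):
    """Host part of a URL; bare 'www.example.com' text is accepted too."""
    url = text_or_url if "://" in text_or_url else "http://" + text_or_url
    return (urlparse(url).hostname or "").lower()

def registrable_domain(host):
    """Last two labels of the host: the part that decides who you are really talking to."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def looks_like_url(text):
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None

def unconfuse(domain):
    """Map look-alike characters back to the letters they imitate."""
    return domain.translate(CONFUSABLE).replace("rn", "m").replace("vv", "w")

def check_links(html_body, trusted_domain):
    """Return {href: [reasons]} for every link that shows one of the warning signs."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = {}
    for href, text in parser.links:
        host = hostname(href)
        reasons = []
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("link goes to a bare IP address")
        else:
            real = registrable_domain(host)
            # Sign 1: the text you see is a URL, but the link goes somewhere else.
            if looks_like_url(text) and registrable_domain(hostname(text)) != real:
                reasons.append(f"shows {registrable_domain(hostname(text))} but goes to {real}")
            if real != trusted_domain:
                if f".{trusted_domain}." in f".{host}.":
                    # Sign 2: realDomain.com.someOtherDomain.com
                    reasons.append(f"{trusted_domain} is only a subdomain of {real}")
                elif unconfuse(real) == trusted_domain:
                    # Sign 3: a misspelling built from confusable characters
                    reasons.append(f"{real} is a look-alike of {trusted_domain}")
                else:
                    reasons.append(f"points to {real}, not {trusted_domain}")
        if reasons:
            findings[href] = reasons
    return findings

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_BODY, "paypal.com").items():
        print(href, "->", "; ".join(reasons))
```

The “points to X, not Y” reason is deliberately the weakest of the four: legitimate mail links to tracking, help and social domains all the time, so on its own it only tells you the link is worth a second look. The other three are the patterns the section above describes.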
A sense of immediate urgency
Spammers don’t want to wait around. Part of their game is the sense of urgency. They want you to act without thinking and feel like there is no time to do anything but to do as they ask.
Sometimes they’ll build this sense of urgency by saying that “Your account is going to be suspended” or “your free gift is going to expire” or “the authorities will be contacted”, or other threatening language.
Don’t fall for this game. Take a moment to think about whether the threat is even plausible.
In addition, most government agencies don’t use email as their first means of contacting you.
It sounds too good to be true
Did you win the lottery, but didn’t buy a ticket? How about a long-lost relative that you’ve never heard of wants to give you millions of dollars? Maybe that new smartphone you wanted is now 99% off?
If it sounds like it might be too good to be true, it probably is.
Trust your gut
If all else fails, and you’re not sure, or if it just feels “off”, don’t open the email, click on any links or open any attachments.
What do I do if I get an email that doesn’t seem right?
Check with the person or company who supposedly sent it to confirm they actually did.
If it’s a company, call their customer service line or get to their website the way you normally do, and ask if the email you received was legitimate.
If it’s a person, call them on the phone or contact them in another way where you can verify you’re actually talking to them and not someone attempting to impersonate them.
But don’t try to verify the email by replying to it.
If the attacker already has access to the sender’s inbox, or if the message came from a look-alike address the attacker controls, it’s really easy for them to reply with “yes, of course it’s me!”.
This Week’s Challenge
This week’s challenge is to think about these characteristics and the emails you’ve received lately and see if these characteristics apply. Can you find any that stand out as phishing emails?