Phishing attacks are unfortunately all too common, so it’s essential to learn how to spot them so that you can avoid them.
To start off, what is a phishing attack? Phishing is a form of cyber-attack that is often used to steal information from the victim, such as login credentials or credit card details. These attacks occur when a cybercriminal masquerades as a trusted entity and convinces the victim to open an email, instant message or text message that often contains a web link.
Phishing can be quite broad, like spoofing a legitimate company and sending out emails to anyone and everyone who may be associated with said company. For instance, you may receive an email that is supposedly from your bank, saying that your account has been compromised and asking you to click on a link and input your credentials to rectify the problem. This is known as deceptive phishing, where the attacker impersonates a trusted person or entity to garner user data.
Although phishing may seem quite broad, there are also much more targeted attacks, such as spear phishing or whaling. Spear phishing relies on a more personal touch, often targeting a specific individual by including their name, company, work phone number or position in the company. It requires a bit more digging on the attacker’s end; however, it is still an extremely common form of internet scam.
Whaling, much like normal fishing, is the act of luring and catching a much, much larger target, such as the CEO, COO or any other C-level executive within a company. A whaling email might claim that the company will face legal consequences for an action that may not even have occurred. The email will say that you need to click on a link to access more information about the situation, and once the link is clicked it will ask you to input critical company data such as tax or bank account numbers.
How do we spot a phishing attack?
Many phishing attacks succeed because of a lack of security awareness education. When faced with something you think might be a phishing attack, take a closer look. Is there a difference in the greeting or tone compared to any previous communication you have had with the person or company? For instance, is a company being overly friendly, or is a friend or family member being a bit too formal? Another thing to look for is the spelling and grammar of the message. Most companies will have spell checking enabled for outgoing emails to their clients, so if your bank is asking you to “pls put in ypur pasword”, I would immediately disregard the email.
Check the sender’s email address. Most companies’ employees will have an email address containing the company name, such as [email protected]. Hover over any links in the email to see where they actually point; alternatively, study the domain. For example, if you receive an email claiming to be from First National Bank but the web link in the message does not include anything relating to FNB, that is a red flag.
If the email you have received is asking you for any personal information or credentials that you know the company already has, do not provide any information. Phishing attacks will often be presented with a sense of urgency, or with threats if the action is not completed, for example: “We need you to make a payment to *this account* by 5pm today in order to rectify the problem, or your account will be suspended.”
If you receive an email containing attachments from an unfamiliar source, or if you did not request any attachments, treat the attachment with caution. If the attachment has a file extension commonly associated with malware, such as .zip, .exe or .scr, or has an unfamiliar extension, run it through antivirus software before opening it.
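The checks described above (does the link domain match the sender, does the visible link text match where the link really goes, is there urgency or a request for credentials, is there a risky attachment) can be turned into a small triage script. The following is an added example written for this article, not code from the original author; the phrase lists, extension list and the two sample messages are constructed assumptions for illustration, and the domain helper is deliberately naive (a real tool would use the Public Suffix List).

```python
import re
from urllib.parse import urlparse

# Word lists and extensions are assumptions for this example; tune them for your environment.
URGENCY_PHRASES = ("by 5pm today", "immediately", "will be suspended",
                   "legal consequences", "within 24 hours")
CREDENTIAL_PHRASES = ("password", "login details", "credentials",
                      "bank account number", "tax number")
RISKY_EXTENSIONS = (".exe", ".scr", ".zip", ".js", ".vbs", ".bat")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def registrable_domain(host):
    """Naive owner domain: the last two DNS labels.
    Production code should use the Public Suffix List so that
    'bank.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def url_domain(url):
    return registrable_domain(urlparse(url).hostname or "")


def analyse_email(sender, subject, body, attachments=()):
    """Return a list of string flags; an empty list means no heuristic fired."""
    flags = []
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    text = (subject + " " + body).lower()

    # 1. Links whose domain is not the sender's domain (the 'study the domain' check).
    foreign = {url_domain(u) for u in URL_RE.findall(body)} - {sender_domain}
    if foreign:
        flags.append("link-domain-mismatch:" + ",".join(sorted(foreign)))

    # 2. Anchor text that shows one address while the href goes elsewhere
    #    (what hovering over the link would reveal).
    for href, shown in ANCHOR_RE.findall(body):
        shown_urls = URL_RE.findall(shown)
        if shown_urls and url_domain(shown_urls[0]) != url_domain(href):
            flags.append(f"display-href-mismatch:{url_domain(shown_urls[0])}->{url_domain(href)}")

    # 3. Urgency or threats.
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency")

    # 4. Requests for information the company should already hold.
    if any(p in text for p in CREDENTIAL_PHRASES):
        flags.append("credential-request")

    # 5. Attachment types commonly used to deliver malware.
    for name in attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            flags.append("risky-attachment:" + name)
    return flags


# Constructed sample messages (not real mail).
SUSPICIOUS = dict(
    sender="alerts@fnb-notices.example",
    subject="Your account has been compromised",
    body=('Please confirm your password at '
          '<a href="http://fnb-secure-login.example.net/verify">https://www.fnb.example/secure</a> '
          'by 5pm today or your account will be suspended.'),
    attachments=["statement.zip"],
)
BENIGN = dict(
    sender="newsletter@example.org",
    subject="March update",
    body="This month's news is at https://www.example.org/news/march. Thanks for reading.",
    attachments=[],
)

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, analyse_email(**msg))
```

Each flag maps to one of the manual checks in the text, so a reader can see which one fired. Keyword lists like these are a starting point only: attackers vary wording, and a mail gateway should combine them with sender authentication (SPF, DKIM, DMARC) rather than rely on content heuristics alone.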
As the saying goes, if you see something, say something. If you are an employee of a company and have received an email that is a suspected phishing attack, the chances are that many other employees have received the same email. Although it may take time to sift through everyone’s emails to determine if they have also received a phishing email, it is much better than having to deal with the consequences of falling for a phishing scam.