The more we become reliant on the internet for storing data, shopping, banking, etc., the more cybercriminals will seek to exploit it. Through phishing it is possible for your sensitive data to become compromised. Organizations in particular are at great risk, because a single employee who is phished could potentially compromise the entire company’s data. In this post, I’ll be discussing what phishing is, how to identify it, and some best practices to keep you secure in the event you come across it.
What Is Phishing?
Put simply, phishing is the practice of passing oneself off as a legitimate organization via email with the purpose of tricking individuals into revealing their personal information (e.g. usernames, passwords, credit card numbers, social security numbers, etc.).
How Can I Identify A Phishing Email?
Unfortunately, this is a hard one to answer, because every phishing attack is different. That said, there are a few things to look out for:
Misspellings, Poor Grammar, or Typos, ESPECIALLY in Links to Websites:
Phishers will often try to get you to visit a website that is disguised to look like a legitimate popular website. Even if a web address looks correct in an email, it could redirect you to a different website, so watch out!
Requests for Sensitive Information:
If an email ever asks you to provide your password, credit card, bank account number, etc., there is a good chance it is a phishing attempt.
The Email’s “From Address” Differs from the Organization’s Domain:
If you get an email from your bank or from a website you visit, then the email address sending that message should match that organization.
The Email is about Something You Don’t Recognize:
If you receive an email saying that your order has shipped, that you won a contest, or that you won the lottery, but you never bought anything, entered a contest, or bought a lottery ticket, then it is probably a scam.
The Message Is Threatening:
Be especially wary of any email that says things like: “Urgent Action Required”, “Your Account Will Be Closed”, “Final Warning”, etc. Scammers will often try to scare you into giving up information.
It’s Coming from a Government Agency:
This goes hand in hand with the last point, but scammers will try to pose as the government to intimidate you. It’s unlikely that a government agency will try to reach out to you through email.
Suspicious Emails That Match the Seasons:
It’s not uncommon for a scammer to adapt to the time of year or current events. For example, you may see more scams revolving around packages being delivered and online shopping around the holiday season, or fundraising scams looking to capitalize on a recent tragic event.
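As an added illustration (not part of the original post), the following Python check applies several of the indicators above to a constructed sample message: the sender domain against the organization's real domain, threatening wording, requests for sensitive details, and links whose visible text shows a different host than the actual href. The sample addresses, the expected_domain parameter and the indicator names are my own assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages for the demonstration; neither is a real email.
SUSPICIOUS = """From: Example Bank Support <alerts@examp1e-bank-secure.com>
Subject: Urgent Action Required: Your Account Will Be Closed

<p>Please verify your password at
<a href="http://login.examp1e-bank-secure.com/verify">https://www.example-bank.com/login</a></p>
"""
BENIGN = """From: Example Bank <alerts@example-bank.com>
Subject: Your monthly statement is available

<p>View it at <a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></p>
"""

URGENCY_PHRASES = ("urgent action required", "account will be closed", "final warning")
SENSITIVE_TERMS = ("password", "credit card", "bank account", "social security")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()

def phishing_indicators(raw, expected_domain):
    """Return the indicator names a single-part message triggers (assumed helper)."""
    msg = message_from_string(raw)
    found = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Indicator: From address outside the organization's domain (subdomains allowed).
    if sender_domain != expected_domain and not sender_domain.endswith("." + expected_domain):
        found.append("from_domain_mismatch")
    body = msg.get_payload()  # assumes a non-multipart text body
    text = (msg.get("Subject", "") + " " + body).lower()
    # Indicator: threatening or urgent wording in the subject or body.
    if any(p in text for p in URGENCY_PHRASES):
        found.append("threatening_language")
    # Indicator: asks for credentials or financial details.
    if any(t in text for t in SENSITIVE_TERMS):
        found.append("requests_sensitive_info")
    # Indicator: link text shows one host while the href points to another.
    for href, label in LINK_RE.findall(body):
        label_host = host_of(re.sub(r"<[^>]+>", "", label))
        if label_host and label_host != host_of(href):
            found.append("link_text_host_differs_from_href")
            break
    return found
```

Keyword matching like this is a teaching aid rather than a mail filter; real messages use many more variations, so treat any hit as a reason to verify through the organization's own website rather than as proof.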
What Should I Do If I Receive A Phishing Message?
This will depend on what actions you took upon receiving the message:
I Got the Email, But I Didn’t Respond Or Click on Any Links:
Good! Delete the message and/or report it as spam. If you got the message at your work email address, you may want to let your IT/Security team know, in case anyone else at your company receives a similar message.
I Clicked a Link in the Email, But Didn’t Enter Any Information:
You’re probably OK. Just to be safe, I’d recommend running a virus scan on your computer and, once again, informing your IT/Security team if the message came to your work email address or the link was accessed from your work computer.
I Clicked a Link Or Responded And Provided Sensitive Information:
First, immediately update any username or password that you may have provided. If you use the same username or password for multiple websites (which, as a reminder, is not a recommended practice), then be sure to update those as well.
Be sure to contact your IT/Security team if it involved your work email or work computer, as well as any organization related to the scam. For example, if you provided bank account information in response to the phishing message, contact your bank and tell them. You may need to have new credit cards reissued, additional security added to your account, etc. You will also want to run a virus scan, just in case clicking on the link installed any malware.
Continue to be on the lookout for fraudulent charges, suspicious account activity, or anything that may seem out of place.
Please keep in mind that these are only general practices; it would be impossible to dig down into each individual type of phishing scam. A good rule of thumb is: if it makes you uncomfortable, don’t click it. If you are unsure, many websites have in-product messaging, so if there is an issue with your account, there is a good chance you can log in directly from the website and read about it there. When in doubt, contact the organization the potential phishing email appears to be from, but always get contact information by typing the website’s URL into your search bar and visiting their website directly, NOT through the possible phishing message.