How Not to be Phish Food ... Don’t Take the Bait
Be Skeptical of Your Emails
For emails that ask you to click on something (a link or an attachment) -- take your time reading the email. Who is it from? Is the sender someone you do not recognize?
If it’s in the news, it will probably be used in a scam shortly thereafter (e.g. Coronavirus fears; tax time = W2 / IRS scams).
Think About the Request for Action
If the email is urging you to take action, stop and consider what it is asking you to do. Beware of certain social cues, urgent requests, gift or money offers.
Messages that appear to be urgent requests for immediate payment, account updates or password changes, or that claim you have won the lottery or someone has left you money, all play on your reactive emotional response to get information from you quickly.
Be Wary of Attachments
Phishing emails come in many forms. If the message comes from a sender you don't recognize and you are prompted to download images or attachments ... don't.
An attachment can contain malware. You receive an invoice and don’t know whether it was intended for you until you open it; if it was a phishing email, by then it is too late. Never open an attachment unless you are fully confident that the message is from a legitimate party. Contact the sender through an alternative means of communication to verify that it’s legitimate.
Or you receive an email that asks you about charges and provides you with a “Yes / No” option to select. The email asks if you have shopped at store XYZ. (Of course not.) And you click on the “No” option just like the hacker wants you to. This is where the phishing attempt lives. Click either the “No” or the “Yes” button and your computer has been compromised.
Check Out the Link
Almost all phishing emails have a link in them for you to click on (unless they are asking you to open an attachment). The link could say it is going to your Facebook page, PayPal, Amazon, to your bank website -- but where is it really going?
The fastest and easiest way to find out is to hover your mouse over the link and look at the bottom left corner of your browser window. There you should be able to see the exact URL that you will be directed to if you click on the link.
Another way to check is to expand the sender line on the email. If the sender’s address does not match the organization you believe the email is from, it probably isn’t from them. Delete it.
DON’T Fill Out Anything
This is very important. PayPal, Amazon, Microsoft, Netflix, your bank, your company finance/HR will not be sending you an email asking you to confirm your password. They will not send you a link asking you to re-enter your username and password. They just won’t.
If there is an action-item for you in the email, go directly to the company’s website for the customer service area instead of taking action from the link within the email.
Use the Phone
If the email seems urgent and you are unsure whether it is valid, verify the sender via a different channel of communication. Consider using the phone; it is still a way to talk to a real person.
What to Look Out For
To spot a phishing text, look for a combination of red flags.
1. Suspicious sender: The text was sent by an unknown phone number.
2. Unusual text entries: Contains a combination of all caps, arrows, ID numbers and exclamation points.
3. Unprompted identity request: The request to verify the recipient’s identity was unprompted.
Email Phishing Examples
Look at the email address, not just the sender name - No legitimate organization will contact you from an address that ends in “@gmail.com” or “@yahoo.com”.
The domain name - how is it spelled? Is it misspelled?
Look for grammatical mistakes, not just spelling mistakes - Grammatical errors, like “We detected something unusual to use an application”, or misused words, such as in “a malicious user might trying to access”.
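The checks described under “Check Out the Link” and in the list above (sender address versus display name, free-mail domains, and where a link really goes) can be automated. The script below is an added example, not part of this article; the sample messages, the brand-to-domain table and the free-mail list are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

FREEMAIL = {"gmail.com", "yahoo.com"}   # the article's examples of free-mail senders
BRANDS = {"paypal": "paypal.com"}       # assumed brand name -> its real domain
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: display name says PayPal, address uses a lookalike
# domain, and the visible link text does not match where the href points.
SAMPLE = """From: PayPal Support <service@paypa1.com>
To: you@example.com
Subject: URGENT: confirm your password
Content-Type: text/html

<p>Please <a href="http://login.paypa1.com/verify">https://www.paypal.com/</a></p>
"""

# Constructed clean message: sender domain and link text both match.
CLEAN = """From: Example Shop <orders@example-shop.com>
To: you@example.com
Subject: Your order
Content-Type: text/html

<p>Track it at <a href="https://www.example-shop.com/track">https://www.example-shop.com/track</a></p>
"""

def check_message(raw):
    """Return the red flags the article tells readers to look for."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in FREEMAIL:
        flags.append("freemail sender")
    for brand, real in BRANDS.items():
        # The display name claims a brand but the address domain is not that brand's
        if brand in name.lower() and domain != real and not domain.endswith("." + real):
            flags.append(f"lookalike domain {domain} for {brand}")
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in LINK_RE.findall(html):
        real_host = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
        # Link text that looks like a URL but leads to a different host (what hovering reveals)
        if shown_host and "." in shown_host and shown_host != real_host:
            flags.append(f"link text {shown_host} goes to {real_host}")
    return flags

if __name__ == "__main__":
    print(check_message(SAMPLE))
    print(check_message(CLEAN))
```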
The best advice to dodge phishing scams is to avoid clicking on links that arrive unprompted in emails or text messages. Most phishing scams invoke an emotional response, warning of awful consequences should you not respond or act swiftly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually.
Companies need to combine training and technology together to build a comprehensive approach to protecting against phishing attacks. Spam filters on their own will never be fully effective, so it’s up to each of us to read the context of messages and look for anything suspicious.
As individual users, for our personal accounts we can set up two-factor authentication (2FA) for every account to protect against unauthorized access via phishing, or use passcode-based methods if those are offered.
Also check for and run software updates. Keeping your software and devices up to date is one way to protect against malware compromises and data theft as the result of phishing.
Editorial note: Our articles provide educational information for you. Our goal is to increase awareness about cyber safety.
Marilyn Sousa, CISA, CISM
Senior Cyber Security Engineer