A phishing e-mail is a bogus e-mail designed to look like a legitimate request from a sender you trust, in an effort to get you to hand over credentials such as the login for a specific website. It can also try to trick you into clicking a link that silently downloads malware.
Often these e-mails look 100% legitimate and show up as a PDF (scanned document), an American Express notification, a UPS or FedEx tracking number, bank correspondence, a Snapchat alert, etc. This is social engineering at work: what makes these fake e-mails dangerous is that they LOOK legitimate, and so convince you that they are.
5 tips on identifying a phishing email
- Beware of account impostors. First, just hover (DON’T CLICK) over the link in the e-mail to see the actual URL of the website you would be sent to. For example, the link text may say “americanexpress.com” but the actual link on hover displays as “americanexpress.sr01.digit.com”. Read the host name from the right: the registered domain is the part just before the top-level domain (digit.com here), and anything in front of it, including a familiar brand name, is just a subdomain the attacker chose. If the URL does not match or looks suspicious, delete the e-mail right away. In fact, it is good practice to go to the site directly (typing the address into your browser) rather than clicking a link in an e-mail to get there. The hover method may not show the real link in some mail clients, and it is not available on most phones.
- Check for spelling errors. Another telltale sign is poor grammar and spelling, but attackers are not dumb: many of those errors are there for a reason. Some anti-virus and spam filters try to catch phishing by matching the message against a database of phrases commonly used by attackers. A “Wire Transfer” may therefore be written as “Wlre transfer”: the human eye may not catch the lowercase letter “l” in place of the letter “i”, so the text still reads correctly to you, but a filter whose definitions are not up to date and that is matching the literal word “Wire” spelled W-i-r-e will not match W-l-r-e.
- Be suspicious of e-mails that ask you to “verify”, “validate”, or “confirm” your personal information, or that ask for your login credentials. Think logically: why would your credit card company need you to confirm your account number? They already have that information.
- Beware of scare tactics. Crooks count on people reacting to a sense of urgency or fear. Beware of subject lines claiming that your “account has been suspended” or that there was an “unauthorized login attempt” on your account.
- Watch out for offers that are too good to be true, and use your judgment. We are not talking only about obvious Nigerian money scams, but about less obvious coupon claims, free vacations, or deeply discounted limited-time deals on otherwise expensive purchases such as vacations, mortgages or cars.
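The checks behind tips 1 to 4 can be automated on the client or at the mail gateway. The Python below is an added example written for this article, not code from the original page: it extracts the links from an HTML body and compares the domain named in the visible text with the registered domain of the actual href (tip 1), and it folds look-alike characters before matching a phrase list (tips 2 to 4), so that “Wlre Transfer” is caught where a literal match fails. The sample HTML and text, the phrase list and the confusable table are constructed for the example, and registrable_domain() uses a simplified last-two-labels rule in place of the public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """The part of a host name its owner registered, read from the right.
    Simplified assumption: the last two labels. A production filter would use the
    public suffix list so that e.g. bank.co.uk is not reduced to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# A domain-looking string in the visible link text, e.g. "americanexpress.com".
_SHOWN_HOST = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def mismatched_links(html):
    """Tip 1: links whose text names one domain while the href goes to another."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        match = _SHOWN_HOST.search(text.lower())
        if not match:
            continue  # "Click here" style text: nothing to compare, hover instead
        shown = match.group(1)
        real = (urlparse(href).hostname or "").lower()
        if registrable_domain(shown) != registrable_domain(real):
            findings.append((shown, real))
    return findings


# Tip 2: substitutions that keep a word readable to a person but break a filter's
# literal keyword match. Constructed table for the example, not exhaustive.
_CONFUSABLES = str.maketrans({
    "l": "i", "1": "i", "|": "i", "!": "i",
    "0": "o", "3": "e", "5": "s", "$": "s", "@": "a", "7": "t",
})

SUSPECT_PHRASES = [
    "wire transfer",               # tip 2 and the sample e-mail in the article
    "verify your account",         # tip 3
    "confirm your password",       # tip 3
    "account has been suspended",  # tip 4
    "unauthorized login",          # tip 4
]


def normalize_confusables(text):
    """Fold look-alikes so "Wlre Transfer" and "W1re transfer" both become
    "wire transfer". The phrase list is folded the same way, so a phrase that
    legitimately contains an "l" still matches itself."""
    return text.lower().translate(_CONFUSABLES)


def flagged_phrases(text):
    """Suspect phrases present in text after confusable folding."""
    folded = normalize_confusables(text)
    return [p for p in SUSPECT_PHRASES if normalize_confusables(p) in folded]


def naive_flagged_phrases(text):
    """The same check on the literal text: this is what the misspelling defeats."""
    lowered = text.lower()
    return [p for p in SUSPECT_PHRASES if p in lowered]


# Constructed samples modelled on the tips above (not real messages).
SAMPLE_HTML = """
<p>Your statement is ready:
   <a href="http://americanexpress.sr01.digit.com/login">americanexpress.com</a></p>
<p>Questions? <a href="https://www.americanexpress.com/help">www.americanexpress.com</a></p>
<p><a href="http://track.digit.com/x">Click here</a> to verify your account.</p>
"""
SAMPLE_TEXT = "I need you to take care of a payment (Wlre Transfer) as soon as possible."

if __name__ == "__main__":
    print("mismatched links:", mismatched_links(SAMPLE_HTML))
    print("naive match:", naive_flagged_phrases(SAMPLE_TEXT))
    print("folded match:", flagged_phrases(SAMPLE_TEXT))
```

Both checks are triage heuristics, not verdicts: a legitimate newsletter link routed through a tracking host will trip the first, and folding “l” into “i” will occasionally match innocent text. What they capture is the asymmetry the tips describe: what the reader sees (the link text, the readable word) and what the software sees (the href, the literal bytes) differ, and the check has to look at the latter.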
Here are some examples of an account impostor e-mail. These e-mails arrived in my mailbox a while back and I kept them so I can refer to them in other articles like this one. Tip #1 would work great on these.
Phishing e-mails usually appear to come from a well-known organization and ask for your personal information, such as a credit card number, social security number, account number or password. Often, phishing attempts appear to come from sites, services and companies with which you do not even have an account. More information about phishing e-mails can be found in the related article: Rise of Email Scams and CryptoWall.
Example of Phishing Email
One of the most common phishing attacks against businesses is an e-mail asking for a wire transfer. Typically, the attacker writes the e-mail so that it appears to come from one person in the organization, often an executive, and sends it directly to another person who can move money, asking for some amount to be transferred. Below is how a typical wire transfer scam e-mail may read:
I need you to take care of a payment (Wire Transfer) as soon as possible.
Let me know as soon as you get this email so I can provide you with the amount and banking info for the receiver, as well as reference.
Sent from my iPhone
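The sample above can be triaged from its headers before anyone acts on it. The Python below is an added example, not code from the article, and every name, address and domain in it is constructed: it parses a raw message, flags a personal display name on an address outside the organization’s own domain (INTERNAL_DOMAIN is an assumption), flags a Reply-To that differs from From (which is why the article’s advice is to call rather than reply: the reply would go wherever the attacker chose), and flags a wire transfer request paired with an urgency cue.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption for the example: the organization's own mail domain.
INTERNAL_DOMAIN = "example-corp.com"

# Constructed message modelled on the sample above. The sender shows an internal
# executive's name, but the address is on a look-alike domain ("1" for "l") and
# Reply-To points somewhere else again, so a reply never reaches the real CEO.
SAMPLE_RAW = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: ceo.office@mail-relay.example.net
To: accounts@example-corp.com
Subject: Urgent payment
Content-Type: text/plain; charset=utf-8

I need you to take care of a payment (Wire Transfer) as soon as possible.
Let me know as soon as you get this email so I can provide you with the amount
and banking info for the receiver, as well as reference.

Sent from my iPhone
"""

URGENCY_CUES = ("as soon as possible", "urgent", "immediately", "today")


def address_domain(header_value):
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def header_findings(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Reasons to phone the sender before acting on a money request."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, _ = parseaddr(msg.get("From", ""))
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))

    # A personal display name on an address outside the company deserves a look:
    # the classic impostor is a colleague's name on a free-mail or look-alike domain.
    if from_name and from_domain != internal_domain:
        findings.append(f"sender named {from_name!r} but address domain is "
                        f"{from_domain!r}, not {internal_domain!r}")
    # Replies are routed by Reply-To; if it differs from From, a reply goes elsewhere.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from "
                        f"From domain {from_domain!r}")
    # A money request plus pressure to act fast, as in the sample.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if "wire transfer" in text and any(cue in text for cue in URGENCY_CUES):
        findings.append("wire transfer request combined with an urgency cue")
    return findings


if __name__ == "__main__":
    for finding in header_findings(SAMPLE_RAW):
        print("-", finding)
```

None of these findings proves fraud on its own (some executives really do send mail from a phone with an odd Reply-To), but any one of them is enough to justify verifying the request out of band before money moves.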
A while ago the popular app developer Snapchat was the target of an isolated phishing attack in which the scammer sent an e-mail pretending to be the CEO and asked an employee for payroll information. In this case the e-mail was constructed very well and looked legitimate. The employee did not recognize it as a scam and released the information to the attacker.
Snapchat took the correct actions once the breach was discovered. It published a notice of the breach on its blog outlining some of the details and notified the FBI. It also worked with the victims of the breach and offered them free credit monitoring.
Impact of Phishing Emails on Small Business
This type of breach can occur within any type of organization. Let’s take a look at healthcare and medical providers, among the most vulnerable to phishing. In the healthcare industry, users have to be especially careful about what they release through e-mail. If patient records are unintentionally released and HIPAA compliance has been breached, organizations can face severe penalties for wrongful disclosure. Medical organizations should take the necessary precautions to prevent data leaks, such as deploying a firewall, antivirus software and spam filters. They should also routinely train workforce members on new security threats.
Any business should have proper internet security policies and practice safe procedures.
If you receive an e-mail asking for a large amount of data, or asking you to enter personal credentials into a website or portal, even a legitimate-looking one, always question it. Do not reply by e-mail: call the sender, using a number you already have rather than one given in the message, or ask in person to validate the request. Why? A reply goes back to whatever address the attacker chose, so the attacker can simply confirm the request; it also tells the attacker that your e-mail account is real and active, so the phishing attempts will keep coming.