In short, a phishing e-mail is a fraudulent attempt to trick you into providing personal information. It is often designed to look like a legitimate e-mail from a sender you trust, urging you to take action so that you hand over credentials such as the login for a specific website. It can also try to trick you into clicking on a link that unintentionally triggers a virus download.
Often these e-mails look 100% legitimate and show up in the form of a PDF (scanned document) or an American Express notification, UPS or FedEx tracking number, bank correspondence, Snapchat alert, etc. This is social engineering at work: what makes these fake emails dangerous is their ability to convince you they are legitimate because they LOOK legitimate.
5 tips on identifying a phishing email
- Beware of Account Impostors. First, just hover (DON’T CLICK) over the URL in the email to see the actual link of the website you’ll be directed to. For example, the link may say “americanexpress.com” but the actual link on hover displays as “americanexpress.sr01.digit.com”. If you believe that the URL does not match or looks suspicious, delete the e-mail right away. In fact, it’s good practice to go to the site directly (typing it into your browser) rather than clicking on the link in the email. Note that the hover method may not show the real link in some mail clients.
- Check for spelling errors. Another telltale sign is poor grammar and spelling. Hackers are not dumb, and many of those errors are there for a reason: anti-virus and spam-filtering software may check for phishing by comparing the message against a database of phrases commonly used by hackers. So “Wire Transfer” may be written as “Wlre transfer” – the human eye may not catch the lowercase letter “l” standing in for the letter “i” and still reads the word correctly, but software that is not up-to-date on definitions and is trying to match the word “Wire” spelled W-i-r-e will miss it spelled W-l-r-e.
- Be suspicious of emails that ask you to “verify”, “validate”, or “confirm” your personal information or ask for your login credentials. Think logically: why would your credit card company need you to confirm your account number? They should already have that information.
- Beware of scare tactics. Crooks are counting on people to respond to a sense of urgency or fear. Beware of subject lines that claim your “account has been suspended” or your account had an “unauthorized login attempt.”
- Watch out for offers that are too good to be true… use your judgment. We are not just talking about obvious Nigerian money scams – but also less-obvious coupon claims, free vacations or deeply discounted limited-time deals on otherwise expensive purchases such as vacations, mortgages, cars, etc.
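Tips 1 and 2 above describe two checks a mail filter can automate: comparing the visible link text with the real link target, and matching suspicious phrases only after undoing lookalike-character swaps such as “Wlre” for “Wire”. The following Python example is added here and is not code from the original article; the lookalike map and phrase list are illustrative assumptions, and the registrable-domain check is a crude two-label approximation rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative lookalike map ("Wlre" for "Wire") and phrase list; neither is exhaustive.
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "0": "o", "3": "e", "5": "s", "@": "a"})
SUSPICIOUS_PHRASES = ("wire transfer", "verify your account",
                      "account has been suspended", "unauthorized login attempt")
def normalize(text):
    """Lower-case and undo lookalike swaps so 'Wlre transfer' reads 'wire transfer'."""
    return text.lower().translate(HOMOGLYPHS)

def flag_phrases(text):
    """Phrases present once BOTH sides are normalized (the phrases contain real 'l's too)."""
    norm = normalize(text)
    return [p for p in SUSPICIOUS_PHRASES if normalize(p) in norm]

def registrable_domain(host):
    # Crude two-label approximation; fine for the .com-style hosts in this example.
    return ".".join(host.lower().strip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html):
    """Links whose visible text names a domain the real href does not belong to (tip 1)."""
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for text, href in parser.links:
        shown = re.search(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", text.lower())
        if not shown:
            continue  # wording like "click here" gives nothing to compare against
        # urlparse only finds a hostname when the href carries a scheme or leading '//'
        real_host = urlparse(href if "//" in href else "//" + href).hostname or ""
        if registrable_domain(real_host) != registrable_domain(shown.group(1)):
            out.append((text, href))
    return out
```

Run `mismatched_links` over an HTML mail body and `flag_phrases` over its text; the article's “americanexpress.com” link pointing at a digit.com host is reported, while a link whose text and target share a registrable domain is not.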
Here are some examples of an Account Impostor Email. These emails arrived in my mailbox a while back and I kept them so I can refer to them in other articles like this one. Tip #1 would work great on these.
Phishing emails usually appear to come from a well-known organization and ask for your personal information — such as a credit card number, social security number, account number or password. Oftentimes phishing attempts appear to come from sites, services, and companies with which you do not even have an account. More information about phishing emails can be found in the related article: Rise of Email Scams and CryptoWall
Example of Phishing Email
The most common phishing attack is an email from a sender asking for a wire transfer. Typically, the attacker composes the email so that it appears to come from one person in the organization and sends it directly to another, asking for some amount of money to be transferred. Below is how a typical wire transfer scam email may read:
I need you to process the wire transfer as soon as possible to avoid suspension of service
Let me know as soon as you get this so I can provide you with the reference ID amount and banking info.
Sent from my iPhone
When something like this comes across your inbox, you can be sure it is a phishing attempt. If you want to be 100% certain, talk to the person you believe sent you the message – not by responding to the email, but via phone or in person, if you work at the same location – to double-check. Better safe than sorry!
A while ago the popular app developer Snapchat was the target of an isolated phishing attack in which the scammer sent an email pretending to be the CEO and asked an employee for payroll information. In this case, the email was constructed very well and looked legitimate. The employee did not recognize it as a scam and released the information to the attacker.
Snapchat took action after the breach was discovered: it released a breach notice outlining the details and notified the FBI. Working with the victims of that breach, Snapchat provided optional free credit monitoring to the affected individuals.
Impact of Phishing Emails on Small Business
This type of breach can occur within any type of organization. Let’s take a look at healthcare or medical providers, one of the most vulnerable to phishing exploits. In the healthcare industry, users have to be especially careful about what they release through email. If patient records are unintentionally released and HIPAA compliance has been breached, organizations can face severe penalties for wrongful disclosure. Medical organizations should take the necessary precautions to try to prevent data leaks, such as deploying a firewall, antivirus software, and spam filters. Medical organizations should also routinely train workforce members on new security threats.
Any business should have proper internet security policies and practice safe procedures.
If you receive an email that asks for a large amount of data or requests that you submit personal credentials into even a legitimate-looking website/portal, always question it. Do not reply via email: instead, call or ask the sender first to validate the request. Why? Because if you reach out by replying to the email, the hacker would know that your email account is legitimate and active – and will continue to send phishing attempts.