ReportWire

Stop the Phish! How to Spot Fake Emails Trying to Steal Your Information

Phishing may sound like a fun outdoor activity, but it’s actually a malicious tactic used by scammers to try to get your personal information. Today, we want to help define the threat and pull the curtain back on all the dirty little tricks these scammers use that even the most digitally savvy people have fallen for.

First, let’s define phishing.

Phishing is a type of online scam where a scammer pretends to be a trusted person in order to trick their victims into giving up sensitive information that can then be used to steal their money.

Phishing attacks can happen via email, text, DMs, or any other platform where people are able to communicate.

These attacks are extremely common and happen millions of times per day.

Why would this ever work?

If you’re new to this concept, you may be asking yourself why on earth anyone would ever give their sensitive information to a stranger. The reason is that these scammers tend to be very good at what they do. They’re able to use sneaky tricks that can make you truly believe you’re talking to a trusted person.

You don’t actually think you’re giving the information to a random stranger. Tactics are used to make you believe you’re giving that information to someone you know or an organization you trust.

Thankfully, when you know what to look for, you can spot these attacks and stop them dead in their tracks.

How to Spot Fake Phishing Emails

Today, we’re going to focus on phishing emails in particular. Do remember that these attacks can come via texts or other messaging platforms as well.

Here are six signs to look for that could signal an email is not as real as it seems.

1. The email address may swap out characters.

Most people know to look at the email address to verify who it came from. While this is correct, the email address may not be what you think it is.

First, scammers may swap out a character in the email address that you wouldn’t notice with a quick glance. For example, let’s say you get an email from “[email protected]”. Seems legit, right? Well, it’s not. The “o” that is normally in Bank of America has been swapped out with a “0” (the number).

This is a made-up example, but if scammers have registered a look-alike domain with the number zero in it, an email from that address could be fake. Here are some of the common character swaps you might see:

  • 0 and o (the number zero and the letter o)
  • 5 and s
  • b and 6
  • g and 9
  • rn and m (that’s an R and an N together to look like an M)
  • cl and d (same trick as the one above)

Some scammers even use non-Latin letters. For example, the Cyrillic ‘о’ looks identical to the Latin letter ‘o’, but they are two totally different characters.

2. The email address may change the top-level domain.

Using our same Bank of America example, what would you do if you received an email from “[email protected]”? No letters swapped out, great. So, this must be legit, right? Well, it’s not. Look closely: the email address comes from a .co website, not a .com website.

If you’re getting worried, don’t worry. We will show you some helpful tactics to combat these in just a few minutes.

Remember, there are tons of different top-level domains out there that may seem legit, like .io, .co, .net, .info, etc. Some companies buy up all of these variations to protect against this, but many don’t.

3. The display name and the email address are not the same thing.

No matter what the email address is, the sender can change the “Name” that shows up with the email to be whatever they want. And for those of you who already know this, please read on, because there is a really sneaky trick that scammers can use that trips up even the most savvy digital experts.

Here’s what an email address looks like when you’re looking at it on a desktop computer.

The area Amazon’s logo is conveniently pointing to is called the Name field. This can be changed to anything the sender wants it to be.

So, when you’re checking the validity of an email, obviously you want to see if this matches what you’d expect. But, you also have to look at the actual email address to confirm, as that cannot be changed.

The Sneaky Trick

Here’s where a lot of people get tripped up. Sometimes, scammers will change the name field to be an email address. This can catch you off guard and make you think you’re checking the email address field, but you’re actually just looking at the Name field which can be edited.

For example, you might see it saying this:

[email protected] <[email protected]>

If you just look at the Name field, you might think everything is okay. But when you look at the actual email address the email originated from, the ‘o’ has been swapped with a ‘0’.

It’s sneaky, but now you know. Some email clients also show only the sender’s Name field and hide the actual address until you click on it, which makes this even harder to catch.
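As an added illustration that is not code from the article, here is a small Python check that applies signs 1 to 3 to a raw From: header: it undoes the character swaps listed above (plus the Cyrillic ‘о’), compares the sender’s domain with a trusted one, flags a changed top-level domain, and flags a display name that looks like an email address. The trusted-domain set and the sample headers are constructed for the example; note that a display name containing “@” must be quoted in a real header, which is why the last sample is written that way.

```python
import re
import unicodedata
from email.utils import parseaddr

# Look-alike swaps listed in the article, plus Cyrillic 'о' (U+043E) for Latin 'o'.
# Each fake form maps to the character it imitates, so a domain can be normalised
# before it is compared with the trusted one.
CONFUSABLES = {"rn": "m", "cl": "d", "0": "o", "5": "s", "6": "b", "9": "g", "\u043e": "o"}


def normalize_domain(domain):
    """Lower-case the domain, fold Unicode compatibility forms, undo known swaps."""
    domain = unicodedata.normalize("NFKC", domain).lower()
    # Two-character swaps first, so 'rn' becomes 'm' before single characters run.
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        domain = domain.replace(fake, real)
    return domain


def check_sender(from_header, trusted_domains):
    """Return warnings for a raw From: header value; [] means signs 1-3 did not fire.

    trusted_domains is the set of domains the reader actually expects mail from
    (constructed for this example). An empty result is not proof the mail is
    genuine; it only means these three address checks found nothing.
    """
    warnings = []
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parsable email address in From: header"]
    domain = addr.rsplit("@", 1)[1].lower()
    trusted = {t.lower() for t in trusted_domains}
    if domain not in trusted:
        norm = normalize_domain(domain)
        by_norm = {normalize_domain(t): t for t in trusted}
        if norm in by_norm:  # sign 1: matches a trusted domain once swaps are undone
            warnings.append(f"look-alike characters: {domain!r} imitates {by_norm[norm]!r}")
        else:  # sign 2: same name in front of the dot, different top-level domain
            base = norm.rsplit(".", 1)[0]
            same_base = [t for n, t in by_norm.items() if n.rsplit(".", 1)[0] == base]
            if same_base:
                warnings.append(f"top-level domain differs: {domain!r} vs {same_base[0]!r}")
            else:
                warnings.append(f"domain {domain!r} is not in the trusted list")
    if re.search(r"\S+@\S+", name):  # sign 3: display name dressed up as an address
        warnings.append(f"display name {name!r} looks like an email address")
    return warnings
```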

4. The emails may have a strong push for urgency.

A common theme among these types of email threats is to cause a lot of panic and confusion so you can’t think straight. When you are rushed and confused, you are more likely to do something you normally wouldn’t.

Be on the lookout for emails that tell you that if you don’t do something within a certain period of time (usually a very short one), something terrible is going to happen.

Here’s a real example of one of these emails we received recently.

Notice it says our files are going to be removed and destroyed today unless we install the “immediate upgrade”.

Real companies don’t push urgency like this; important notices normally arrive well ahead of time.

5. There may be typos and broken English.

As a quick caveat, this is not always a perfect identifier. Sometimes spam and scam emails are well written, with perfect grammar and a design that matches what you’d expect from the company. Sometimes the writers of legitimate emails have a bad day and make typos. That all said, a large percentage of these phishing emails contain typos and broken English.

Why? There are two theories here, both of which we believe to be true.

First, many of these scams originate overseas where English may not be the scammer’s first language. They may be trying their best to make it sound correct, but still making mistakes.

Second, certain types of scams are looking for people who are less digitally savvy. These scams may have multiple steps that will require you to do something else down the road. The scammers know that people who know a lot about these types of scams will instantly spot the broken English and know it’s a scam. They also know, though, that people who are new to this might overlook the bad grammar and still think the email is legit.

So, in theory, the scammers may be using the broken English as a sort of qualifying process. They want digitally smart people to spot them as fake. This weeds out the people who would spot the scam quickly at later stages, thus ensuring the scammer only spends their time continuing the scam on people who are more vulnerable.

6. If it feels off, it probably is.

The last tip we have for spotting phishing emails is to use your intuition. If the design of the email feels off, if the messaging feels off, if it doesn’t feel as professional as it should for that organization, if it’s an out-of-character email, if anything just doesn’t feel right, it probably isn’t.

What You Can Do About Phishing Emails

Thankfully, there is a lot you can do to protect yourself and your sensitive information. Here are some helpful tips.

  • Educate yourself. – You’ve already done this step just by reading this guide! Knowing what to look out for is half the battle.
  • Don’t click random links. – If you don’t know where the email is from, don’t click random links as this can be a way for the scammers to gain access.
  • Consider not clicking any links at all. – The safest strategy is just not to click links from your emails. You can always just go to the website yourself without the need of the link. For example, if your bank sends you an email about needing to update some information, just close the email, go to your browser, and type in your bank’s website address yourself. This way, you know you are going where you want to go.
  • Don’t trust a phone number in the email. – Sometimes these scammers will put a phone number for support in the email. You might think, “I’ll just call the company and confirm this email is real.” This is a great idea, but if you use the phone number in the email, it could be fake. Look up the phone number of the company you got the email from yourself, and then call them.
  • Ask yourself if the person asking really needs the information. – There are absolutely zero situations where anyone would need your password, log in codes, SSNs, or anything like that via email (or at all for most of these). If someone is asking for information, make sure it makes sense to you why they would need it.
  • Report it. – If you receive a phishing email attempt, report it. Use the Mark as Spam option in your email, report it to your IT department (if at work or school), and let anyone else you work with know about the attacks in case they receive it as well. Gmail has even recently added a “Report Phishing”

Healthy Framework Center for Digital Safety Team
