Cyber criminals are constantly phishing for information, primarily by sending emails to unsuspecting users who click without thinking and put themselves in harm’s way. Unfortunately, hackers have more than one way of tricking you into clicking. First, they send you an email with a link to an imposter website. Once you click, you are taken to a site that may have a look and feel that’s similar to a legitimate site, but it’s actually fake and designed to collect sensitive information from you. Second, they send an email attachment, hoping that you will click on it and unleash the hacker’s executable on your computer. It could do just about anything, from recording keystrokes to making your system part of a botnet. Or third, the email will ask you to respond with confidential information. Don’t take the bait! If you get an email that looks at all suspicious, don’t click on any website link or attachment. Below are some examples of common phishing attacks that you may encounter.
#1: Financial Institutions Asking For Information
One day you may get an email from your bank—or so you may think. One of the most common ploys of hackers who are phishing is to pretend that their email is from a reputable bank. If you do get an email claiming to be from your bank, make sure that it doesn’t look like the example below (source: onlineowls.com):
Without too much investigation, several common phishing characteristics are obvious in this email:
- It’s not from Bank of America. Notice “comcast” in the sender’s URL.
- The email sender doesn’t know your name [“Dear member”].
- The email has problems with grammar and spelling.
- The link does not go to Bank of America. (Carefully hover over it to see the target.)
- The email is requesting urgent action.
#2: Offers of Money or Gifts
Like your parents always told you, if it seems too good to be true, it probably is. A contributor on the Psychology Today website discusses an age-old phishing scam in the article, “Why We Still Fall for the ‘Nigerian Prince’ Scam”. The subtitle tells us, “internet scams exploit human vulnerabilities, not technological ones.” Author Frank T. McAndrew, Ph.D. describes it this way:
“In its earliest incarnations, the scam involved someone claiming to be a Nigerian prince sending a target an email saying he desperately needed help smuggling wealth out of his country. All the target needed to do was provide a bank account number or send a foreign processing fee to help the prince out of a jam, and then he would show his gratitude with a generous kickback.”
This is a perfect example of social engineering. Dr. McAndrew talks about having “unrealistic optimism about our own future.” You may be dying to stumble into money somehow, either on the internet or elsewhere, but please don’t fall for the Nigerian prince scam, or any such promises of easy money or free gifts. Unfortunately, many people still do.
#3: Notices About Package Tracking
Are you expecting a package? The package tracking scam is another perennial phishing attack. The odd thing is that some people fall for it even when they are not expecting a package. It could be UPS, FedEx, the U.S. Post Office, or some other delivery service, but the game is always the same: trying to get you to click or share information. Here’s another example from Mailguard:
As with the banking scam above, this email is not actually from UPS. The email also contains subtle grammatical and formatting errors.
#4: Emails from Your Boss
Normally you would want to respond to your manager’s email request right away. But are you sure it’s actually from your boss? Remember to think before you click. This targeted phishing attack is a particularly malicious strain of phishing known as spear phishing. The hacker didn’t just send the email to anyone—they sent it to someone whom they knew worked for this particular manager or CEO. Obviously, the scammer has done a bit of research. Trying to catch you off guard by impersonating your boss is a trick that many people fall for, and according to Lloyd’s Bank, the scam is on the rise. The consequences can be both financial and psychological.
#5: Disaster Relief Scams
Most of us are more than willing to help victims following a natural disaster. But scammers have other goals in mind. It’s bad enough that people are suffering, but cyber criminals take things a step further and try to take advantage of human compassion. The FCC has actually put out a warning cautioning people to be wary of scams after a natural disaster.
Remember that government agencies and charitable organizations generally don’t solicit personal or financial information via email. Of course, you can safely donate on their secure, official websites. But be careful about clicking a link in an email in order to make a donation—it’s better to back out and go directly to the website, or donate in some other way. The FCC says you should not even open suspicious emails. To report fraud, you can contact the FEMA Disaster Fraud Hotline toll-free at 1-866-720-5721.
How to Spot a Phishing Scam: General Tips
- Be cautious regarding any email that comes with links, particularly if you weren’t expecting it. (On the other hand, if you request a password change from a website and you immediately receive an email with a link to reset your password, you’re fairly safe clicking the link.)
- Legitimate businesses like Bank of America are not known for spelling and grammatical errors. Those are dead giveaways that it’s a phishing attack. When you see such errors, don’t click. Mark the email as spam and move on.
- Emails that come with a generic greeting, like “Dear Valued Customer,” are likely a phishing scam. Beware if the sender doesn’t know who you are.
- Treat any email that urges you to take immediate action with suspicion. And don’t panic—if you really think there may be a problem, you can contact the company to verify that the request is legitimate. Go to the website and check for notices, or call them and discuss the email you received.
- A little bit of skepticism can go a long way. Whether it’s easy money or an unlikely email from management, better not to act at all than to click impulsively.
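The indicators listed for the bank example (a sender domain that doesn’t belong to the brand, a generic greeting, a link whose visible text doesn’t match where it really goes, and urgent language) and the general tips above can be turned into a simple triage check. The script below is an added example for this article, not a tool from AaDya or any vendor; the brand-to-domain table, the two sample messages and the keyword lists are constructed for illustration, and a real mail gateway would use far richer data (SPF/DKIM results, URL reputation, and so on).

```python
"""Heuristic phishing-indicator check (added example, not from the original article).

Scores a raw RFC 822 message on the indicators the article lists. The brand
table, keyword lists and sample messages are constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed mapping of brand names to domains that legitimately send mail for them.
KNOWN_BRANDS = {
    "bank of america": {"bankofamerica.com"},
    "ups": {"ups.com"},
}
GENERIC_GREETINGS = ("dear member", "dear valued customer", "dear customer", "dear user")
URGENCY_TERMS = ("immediately", "urgent", "within 24 hours", "suspended", "verify your account")
HOSTNAME_RE = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude 'last two labels' approximation of the registrable domain (example only)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _bodies(msg):
    """Return (html, plain) text of the first HTML and first plain part found."""
    html, plain = "", ""
    for part in msg.walk():
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        if part.get_content_type() == "text/html" and not html:
            html = text
        elif part.get_content_type() == "text/plain" and not plain:
            plain = text
    return html, plain


def _link_mismatch(html):
    """First link whose visible text (a hostname or brand name) disagrees with its href."""
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        href_domain = _registrable(urlparse(href).hostname or "")
        shown = HOSTNAME_RE.search(text.lower())
        if shown and _registrable(shown.group(1)) != href_domain:
            return f"link text '{text}' but href goes to {href_domain}"
        for brand, domains in KNOWN_BRANDS.items():
            if brand in text.lower() and href_domain not in domains:
                return f"link names {brand} but href goes to {href_domain}"
    return None


def phishing_indicators(raw_message):
    """Return {indicator: detail} for every article indicator the message triggers."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = _registrable(addr.partition("@")[2]) if "@" in addr else ""
    html, plain = _bodies(msg)
    visible = re.sub(r"<[^>]+>", " ", html) if html else plain
    lowered = f"{display_name} {msg.get('Subject', '')} {visible}".lower()
    found = {}
    # 1. A brand is named, but the sending domain is not one of that brand's domains.
    for brand, domains in KNOWN_BRANDS.items():
        if re.search(r"\b" + re.escape(brand) + r"\b", lowered) and sender_domain not in domains:
            found["sender-domain-mismatch"] = f"{sender_domain} is not a {brand} domain"
            break
    # 2. Generic greeting: the sender does not know your name.
    if any(g in visible.lower() for g in GENERIC_GREETINGS):
        found["generic-greeting"] = "mail is not addressed to a named recipient"
    # 3. Link whose visible text and real target disagree (what hovering would reveal).
    if html and (detail := _link_mismatch(html)):
        found["link-mismatch"] = detail
    # 4. Pressure to act now.
    if any(term in lowered for term in URGENCY_TERMS):
        found["urgency"] = "requests urgent action"
    return found


# Constructed sample messages (not real mail) modelled on the article's bank example.
SAMPLE_PHISH = """\
From: Bank of America Alerts <alerts@comcast-mail.example>
To: you@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear member,</p>
<p>Your account has been suspended. Please visit
<a href="http://secure-login.example.net/boa">bankofamerica.com/login</a> immediately.</p>
</body></html>
"""
SAMPLE_LEGIT = """\
From: Bank of America <alerts@bankofamerica.com>
To: jane@example.org
Subject: Your monthly statement is available
Content-Type: text/plain; charset="utf-8"

Hello Jane Doe,

Your statement is ready in online banking.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample))
```

Run it and the constructed phishing sample trips all four indicators while the plain statement notice trips none. The point is the shape of the check, not the keyword lists: every indicator here is something the article tells a human reader to look for, and each one is cheap to automate at the mail gateway or in a reporting workflow so that analysts see the same red flags the user is asked to notice.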
When in doubt, don’t click. But don’t panic either—as long as you haven’t clicked a suspicious link or opened a suspicious attachment, you’re probably all right. Just quickly mark the email as spam, and feel free to report the message to your IT department or the organization that is being spoofed. Bottom line: Always review your emails with the utmost caution. There’s a lot riding on it.
If you’re looking to start taking security and IT seriously at your organization, AaDya security was made for you. We’re dedicated to providing exemplary solutions for all of your InfoSec and IT needs. Email firstname.lastname@example.org to speak to an AaDya team member today!