Phishing is an attempt to gather sensitive information such as bank account information, credit card numbers, personal information, usernames and passwords by masquerading as a trusted entity. Phishing attempts are usually made via email, instant messaging and websites. Common phishing emails claim to be from popular social media sites, financial institutions, auction sites, payment processors or IT administrators. The name is a play on fishing, where the fisherman puts bait on a hook and casts it out, waiting for a bite. Here are some tips to help identify the fakes and keep your confidential information secure.
Take a look at an actual email I received posing as an email from PayPal.
There are a few “tells” to watch for, and I’ve annotated them above.
- Notice the email is from an address @sec.paypl.com. This certainly didn’t come from paypAl.com, but from a similar-looking domain, in the hope that unsuspecting readers won’t catch the difference. Pay close attention to the domain name that an email comes from, and to the domain a link sends you to. Many emails will try to cleverly disguise their links, using domains such as paypl.com or us.b.ank.com, for example. More on the links below.
- Grammar and spelling mistakes. Cyber criminals aren’t known for their punctuation, and may not even be native English speakers. Grammatical errors can be a sign of a phishing attempt.
- Threats. Have you ever been threatened by your bank via email that your account would be closed if you didn’t respond? No. Cyber criminals often use threats as a way to scare victims into taking the actions the cyber criminal desires.
- Not annotated, but common sense comes into play here. Would PayPal really want me to download a file and execute it to update my account info? Of course not.
As noted in the first item above, links in emails are another thing to watch for.
Links often appear to point to a valid, trusted site, but hovering your mouse over the link reveals its true destination. In the example above, what seems to be a link to USBANK is really a link to somesite.u5bank.com.
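The sender-domain check and the hover check described above can also be automated. The following Python sketch is an added example, not part of the original article: it lists each link's real host in an HTML email body and flags hosts that imitate a trusted domain or differ from the domain shown in the link text. The `TRUSTED` list, the 0.8 similarity cutoff, the function names and the sample message are assumptions made for illustration.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = ["paypal.com", "usbank.com"]  # assumption: sites the reader really uses

def registered_domain(host):
    """Last two labels of a host (assumption: no multi-part TLDs such as .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(host):
    """Return the trusted domain that host closely imitates, or None."""
    dom = registered_domain(host)
    close = difflib.get_close_matches(dom, TRUSTED, n=1, cutoff=0.8)
    return close[0] if close and dom not in TRUSTED else None

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html):
    """Return (link text, real host, reason) for each suspicious link."""
    parser, findings = LinkCollector(), []
    parser.feed(html)
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        shown = "" if " " in text else urlparse("//" + text.split("//")[-1]).hostname or ""
        fake = lookalike_of(host)
        if fake:
            findings.append((text, host, "imitates " + fake))
        elif "." in shown and registered_domain(shown) != registered_domain(host):
            findings.append((text, host, "link text shows a different domain"))
    return findings

SAMPLE = (  # constructed HTML email body, not a real message
    '<p>Act now: <a href="http://somesite.u5bank.com/login">USBANK</a> '
    '<a href="https://www.paypal.com/">www.paypal.com</a> '
    '<a href="http://files.example.net/update">www.paypal.com/update</a></p>')
```

Calling `audit_links(SAMPLE)` reports the first and third links and leaves the genuine one alone; `lookalike_of("sec.paypl.com")` applies the same test to a sender's domain.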
Cyber criminals can be extremely crafty, and often spoof or mimic an entire site so that it looks exactly as you would expect a trusted site to look. If you ever believe an email is truly from a trusted site, it’s always best to contact the company you do business with to verify. Keep in mind that you should contact them using the contact information you know to be true, not what is presented to you by a potentially fake email or website.
Phishing can also be done by phone. There have been numerous scams where criminals call unsuspecting victims and claim to be their bank requesting verification of their account information. When any company you do business with calls you and asks for personal information, it’s always best to err on the side of caution and ask to call them back. Call them back at their publicly available phone number to ensure you are talking to the right people.
I hope these tips have been informative and helpful. Feel free to contact us directly with any questions you may have on information security.