Phishing emails are one of the most common types of cybersecurity attacks and were the #1 threat action committed by cybercriminals in 2020. Phishing attacks are messages that attempt to lure users via social engineering into revealing sensitive information, downloading malware or interacting with a malicious site. Scammers may try to steal your passwords, account information or Social Security numbers. Phishing is often the precursor to more sophisticated cyber-attacks like Business Email Compromise (BEC) and ransomware, so it is very important that you learn how to spot a phishing email or phishing scheme before it's too late.
These messages could come in a variety of forms, so stay alert:
- Email – this is the most common
- Phone, called Vishing
Given the prevalence of phishing, it is more important than ever to keep your guard up against this common threat type and to understand phishing red flags, along with key tips to help avert an incident. They can and often will look at first glance like a legitimate email. Knowing what to look for, and then taking the time to slow down and be vigilant, will go a long way in helping you spot a phishing scam.
Red flags to help you spot a phishing email:
- Generic greetings – Phishing emails sometimes include generic greetings, such as “Dear Sir or Madam” or “Dear Customer” rather than using the recipient’s name
- Personal information – Bad actors leveraging phishing techniques may ask users for personal information. Most legitimate companies will never email customers and ask them to enter login credentials or other private information by clicking on a link to a website.
- Urgent response – Some phishing emails attempt to create a sense of urgency. For example, claiming that the recipient’s account is in jeopardy if they don’t act immediately.
- Use fear – Phishing emails will sometime claim there is a problem with one of your accounts – or that it is on hold – and then ask you to click on a link to make a payment or update some personal information to “correct the issue”
- Subtle misspellings – The logo in the top corner appears to be legit, but the email account has a typo
Now that you know how to spot a phishing email – how do you protect yourself?
- Slow down and review emails carefully for four seconds before responding; don’t automatically click on links or download attachments
- If the content of an email is concerning/seems suspicious, call the company in question using the phone number on the website (not the email) to find out if the email is legitimate
- Be on the lookout for spoofed (fake or disguised) links. To check to see if a hyperlink in the message body leads to the page it claims, hover your cursor over the link to verity its authenticity before clicking.
- If the email sender is asking for sensitive information or requesting a financial transaction, verify the authenticity of the request via a known phone number or legitimate email address
- Always be cautious about opening emails, clicking on links and downloading attachments from senders you do not recognize
- Don’t click on a company’s link in an email, type the site into your browser by hand
- Be careful of what you post on social media. Bad actors will leverage information on social media to created targeted phishing attacks.
And when in doubt, don't click. It's better to be safe than to be sorry. Just remember everything you know about how to spot a phishing email and be confident in your precaution. A real sender will never be offended that you decided to verify the validity of what you received.
Stay cyber safe out there.