Many of the posts on this blog warn you about specific phishing scams. But what is phishing? And how can you recognize and protect yourself from it?
What is phishing?
Phishing is one of the most common online scams today. In a phishing attack, the hacker or scammer emails potential victims and tries to manipulate them into surrendering their personal information, money, or control of their device or accounts.
Phishing scams often take advantage of social engineering to snare victims. Social engineering techniques involve exploiting human tendencies to manipulate victims into complying; as a result, victims may not even realize that they’ve been tricked. Some of the tendencies scammers may target include:
- Our desire to help people in need
- Our desire to be liked or to fit in
- Our trust in people and things we recognize
- Our sense of obligation to return a favor or comply with a rule
- Our respect for authority figures
- Our fear of consequences or punishment for noncompliance
The stakes with phishy emails are high. Clicking the wrong link or attachment can infect your device with malware. Phishy links might also direct you to websites that trick you into entering your personal or financial information. Sometimes scammers just want to control your device to steal files and hijack your network connection. Finally, some phishers will steal your money by demanding payment via wire transfer, check, or other methods.
How to recognize a phish
Earlier this week, we walked you through some new phishing techniques that scammers have used recently. As that post suggests, there are some red flags that are common in phish. Knowing these red flags will help you avoid falling victim to scammers’ tricks.
Sender: Just because an email appears to come from someone you trust does not mean that it is legitimate. One particularly potent trick phishers use is “spoofing” email addresses to impersonate representatives from your bank, government institutions like the IRS, or even your job. A spoofed email looks like it comes from one sender, but the email address may not match that sender or make sense in the context of the email.
Tone: Scammers have started beginning their emails with friendly-sounding “bait.” In the email linked above, the phisher’s first email was a simple “Are you at your office?” because few users would think too hard about answering such a question. Another phishing email we saw began with the overly-friendly “Hello Dear.”
Urgency: Scammers don’t want you to think too hard, so they try to rush you into action. They often try to do this by threatening consequences like the deletion of your account or a court appearance if you don’t do what they demand. If you receive an email that insists your money or account credentials are needed immediately, take a moment to think. To verify that the request is legitimate, contact the organization from which the email claims to come. Do not use the contact information listed in the suspicious email; instead, look up the information yourself on an official website or directory.
Grammar: Though it’s not the only indicator, many phishing emails have sloppy grammar or questionable word choice (see the “Hello Dear” phish above). If you receive an email rife with spelling errors from your bank or another trusted, professional institution, think twice about doing what it says.
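The sender, tone, and urgency red flags above can be turned into a simple triage check that a mail administrator or help desk could run over a forwarded message. The script below is an added example, not part of this post or the Secure UD campaign: the two messages, the keyword lists, the trusted domain set, and the brand words are all constructed assumptions, and the flags it raises are prompts for a human to verify the request out-of-band, not a verdict on their own.

```python
"""Added example: score an email for the phishing red flags described above
(sender mismatch, friendly bait, urgency). Sample messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample phish: a display name claiming a bank, an address on an
# unrelated domain, an overly friendly opener, and a 24-hour deletion threat.
SAMPLE_PHISH = """\
From: "First Bank Security Team" <alerts@mail-secure-login.example>
To: employee@example.org
Subject: Urgent: account will be deleted

Hello Dear,

Are you at your office? Your account will be deleted within 24 hours unless
you verify your credentials immediately at the link below.
"""

# Constructed benign message from the organisation's own domain for contrast.
SAMPLE_LEGIT = """\
From: "Payroll Office" <payroll@example.org>
To: employee@example.org
Subject: March timesheet reminder

Hi,

A reminder that timesheets are due Friday. Reply to this message with any questions.
"""

# Assumed lists; a real deployment would tune these to its own mail stream.
URGENCY_TERMS = ("immediately", "within 24 hours", "will be deleted", "court", "suspended")
BAIT_GREETINGS = ("hello dear", "are you at your office")
TRUSTED_DOMAINS = {"example.org"}        # assumed: the employer's own domains
BRAND_WORDS = ("bank", "irs")            # assumed: institutions phishers impersonate


def sender_mismatch(display_name, address, trusted_domains):
    """True when the display name claims a bank or the IRS but the address
    is not on a trusted domain (or has no usable domain at all)."""
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if domain in trusted_domains:
        return False
    if domain == "":
        return True
    name = display_name.lower()
    return any(word in name for word in BRAND_WORDS)


def score_message(raw, trusted_domains=TRUSTED_DOMAINS):
    """Parse one RFC 822 message and return (number_of_flags, reasons)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    reasons = []
    if sender_mismatch(name, addr, trusted_domains):
        reasons.append(f"sender: display name {name!r} does not fit address {addr!r}")
    urgency = [t for t in URGENCY_TERMS if t in text]
    if urgency:
        reasons.append("urgency: " + ", ".join(urgency))
    bait = [g for g in BAIT_GREETINGS if g in text]
    if bait:
        reasons.append("tone: " + ", ".join(bait))
    return len(reasons), reasons


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        count, why = score_message(sample)
        print(f"{label}: {count} flag(s)")
        for line in why:
            print("  -", line)
```

The sender check deliberately flags any bank-branded display name from an outside domain, so a genuine bank notice would also be flagged; that is the intended behaviour for a triage aid, since the post's advice is to verify such requests through a contact you look up yourself rather than one in the message.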
“Take a BITE out of Phish!”
This month, the University started the Secure UD “Take a BITE out of phish!” campaign to raise awareness about phishing and encourage safe practices. Each month, a sample of UD employees will receive a harmless test phish. The test is non-punitive, and employees who fall for the phish will see a message about the test and resources for identifying and avoiding phish in the future.
Employees who see any suspicious emails should forward them to firstname.lastname@example.org.
A secure community starts with you. Learn more about identifying and responding to phishing attacks: Help “take a BITE out of phish!”
- Be aware of the threat
- Identify the warning signs
- Tell us about suspicious messages
- Erase phish from your inbox
Remember to forward any suspicious emails to email@example.com (whether you think they’re part of the test or not!).