Phishing and You: How to avoid getting Hooked!
- Rakhi R Wadhwani
- Jun 24, 2019
- 4 min read

When it comes to email, we’ve all come across a phishing email that appeared to be legitimate. Phishers take advantage of the fact that it is difficult to know with absolute certainty with whom you are communicating via email. They use this uncertainty to pose as legitimate businesses, organizations, or individuals and gain our trust, which they can leverage to convince us to willingly give up information or click on malicious links or attachments.
How does it work?
Have you received an email, an instant message, or another communication that just did not seem right, even though it appeared to be from a reputable organization? This communication could very well be a phishing scam. It’s important to note that in the past, phishing scams were often more easily detectable because of misspellings, typographical errors, and blatantly bad grammar; however, they are increasingly difficult to detect because they often appear so legitimate.
Phishing scams try to “bait” the recipient in a number of ways; the malicious email could include notice of an account cancellation, a request to verify / update personal information, a notice of a purchase that you did not make, or just about anything else that would get you to respond to the communication. The types of messages used in phishing are expanding almost every day, so it is important to be cautious of any communication you receive.
If the email communication, with its enticing subject line, is the “bait”, what is the hook? The hook is getting “YOU”, the “USER”, to take some action that enables the phisher to obtain information or otherwise gain access. You may be “tricked” into visiting a website, which appears to be a legitimate organization’s website. Once at that site, you may be asked to enter personal information.
Another method of attack may be to get you to open an attachment in an email, upon which malicious code, such as a Trojan horse, is installed onto your computer.
Other variations include a telephone call, in which the phisher will ask you to provide personal information. Once the phisher has “hooked” you, they may use the information to open accounts in your name, access your bank account or make purchases using your credit card.
There is also a type of phishing attack known as “spear phishing”, where the attacker targets specific individuals or organizations by name. For example, an email invitation to attend an event that may be of interest could be sent to an organization’s employees. When an employee clicks on the link contained in that email, malware is downloaded to the employee’s computer. The attacker may be targeting specific employee information, such as user names and passwords, or proprietary organization information.
Protecting Yourself:
In most cases, opening and reading an email or message is fine. For a phishing attack to work, the bad guys need to trick you into doing something. Fortunately, there are clues that a message is an attack. Here are the most common ones:
The email creates a sense of urgency, demanding “immediate action” before something bad happens, like closing your account.
You receive an email that you were not expecting or the email entices you to open the attachment.
Instead of using your name the email uses a generic salutation like “Dear Customer.”
The email requests highly sensitive information, such as your credit card number or password.
The email says it comes from an official organization, but has poor grammar or spelling or uses a personal email address.
The link looks odd or not official.
You receive a message from someone you know, but the tone or wording just does not sound like him or her.
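Several of the clues above can be checked mechanically before a message ever reaches a person. The following scorer is an added example written for this page, not code from the original post: it parses a raw email, looks for the urgency phrases, generic salutation, sensitive-data request and personal (free webmail) sender address described above, and flags links whose visible text shows a different host than the one the link actually points to. Both sample messages are constructed for the example; the sender and link hosts are made-up names and an address from the RFC 5737 documentation range.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Patterns matching the clues listed in the post (constructed for this example).
URGENCY = re.compile(
    r"\b(immediate action|act now|within 24 hours|will be (closed|suspended|terminated))\b", re.I)
GENERIC_SALUTATION = re.compile(r"\bdear\s+(valued\s+)?(customer|user|member|account holder)\b", re.I)
SENSITIVE_REQUEST = re.compile(r"\b(password|credit card number|card number|social security number|pin)\b", re.I)
# An "official" organization writing from one of these is using a personal address.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host of a URL or bare domain ('' if none)."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def sender_domain(from_header):
    match = re.search(r"@([\w.-]+)", from_header or "")
    return match.group(1).lower() if match else ""


def find_clues(raw_message):
    """Return the list of phishing clues found in one raw (RFC 5322) message."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text = re.sub(r"<[^>]+>", " ", html)  # crude tag strip; enough for keyword checks
    clues = []

    if URGENCY.search(subject) or URGENCY.search(text):
        clues.append("urgency: demands immediate action")
    if GENERIC_SALUTATION.search(text):
        clues.append("generic salutation instead of your name")
    if SENSITIVE_REQUEST.search(text):
        clues.append("asks for highly sensitive information")
    if sender_domain(msg.get("From", "")) in FREEMAIL_DOMAINS:
        clues.append("claims to be official but uses a personal email address")

    collector = LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        target = host_of(href)
        shown = host_of(visible) if DOMAIN_LIKE.fullmatch(visible) else ""
        if shown and shown != target:
            clues.append(f"link text shows {shown} but points to {target}")
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            clues.append(f"link points to a raw IP address {target}")
    return clues


def is_suspicious(raw_message, threshold=2):
    """A message with at least `threshold` clues should be treated as a phish."""
    return len(find_clues(raw_message)) >= threshold


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: Example Bank Security <examplebank.alerts@gmail.com>
To: you@example.com
Subject: Immediate action required: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Unusual activity was detected. Confirm your password and card number within 24 hours
or your account will be suspended.</p>
<p><a href="http://198.51.100.7/verify">https://www.examplebank.com/secure-login</a></p>
</body></html>
"""

BENIGN_SAMPLE = """\
From: Alice <alice@example.com>
To: you@example.com
Subject: Notes from today's meeting
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Sam,</p>
<p>The slides are on the team wiki: <a href="https://wiki.example.com/notes">wiki.example.com/notes</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, "suspicious" if is_suspicious(raw) else "clean", find_clues(raw))
```

The mismatch check is the one worth carrying into real tooling: a link whose anchor text is a URL for one host while its href points at another is almost never legitimate, and it is exactly the trick the post's "the link looks odd" clue describes. The keyword lists are deliberately small; a production filter would tune them and weight the clues rather than counting them equally.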
What can I Do?
Be cautious about all communications you receive. Think before you click.
If the communication looks too good to be true, it probably is.
If it appears to be a phishing communication, do not respond. You can forward it to the IT Department.
Be suspicious of unsolicited emails, text messages, and phone calls. Use discretion when providing information over the phone, and never provide sensitive personal information via email.
Only open an email attachment if you are expecting it and know what it contains. Be cautious about container files, such as .zip files, as malicious content could be packed inside.
Do not click on any links listed in the email message and do not open any attachments contained in suspicious emails.
Do not enter personal information in a pop-up screen. Legitimate companies, agencies and organizations don’t ask for personal information via pop-up screens.
Ensure that your computer is up-to-date on all patches.
Ensure that your antivirus program is installed and up-to-date.
Use bookmarks in your web browser for the organizations with which you regularly communicate to limit the chances of being redirected to malicious sites.
Look for unauthorized charges or withdrawals on your credit card and bank statements / bills.
Visit websites by typing the address into the address bar. Do not follow links embedded in an unsolicited email.
Use discretion when posting personal information on social media. This information is a treasure trove to spear phishers, who will use it to feign trustworthiness.