Phishing is a method of gathering personal information such as usernames and passwords using deceptive emails and websites. Attackers attempt to lure you into entering your password or account details on a site that imitates a real one. Those details can then be used to compromise and steal your accounts!
The goal is to trick the email recipient into believing that the message is something they want or need so that they will click a link or download an attachment.
Phishing is a play on the word “fishing”, as it is a way of “throwing out bait” to see who bites. The best way to protect yourself from phishing is to learn how to recognize it.
1. The email asks you to confirm or reset personal information. Companies do not request personal information over email since email is insecure. If an email is asking for personal information, it is most likely a phishing email.
2. There is a generic greeting or message. Phishing emails are sent in large quantities in hopes that a percentage of recipients will not realize it is fraudulent. Do a quick check of how the sender addressed you!
3. The web and email addresses do not look genuine. Many phishing emails are not sent from an email address with the correct domain (i.e. the domain of the company they claim to be from). Some sender addresses will try to trick you by having a familiar-looking subdomain, but not the correct domain (e.g. @am.amazon.com instead of @amazon.com). Senders can mask website links as well. You can hover over a link (don't click!) to see its real destination.
4. It’s poorly written. An email from a legitimate organization should be well written. Any email with poor grammar should be enough to cause you to pause and evaluate the email.
5. There’s a suspicious attachment.
6. The message is designed to make you panic with a sense of urgency. Phishing emails normally make you think that something needs to happen fast to fix the situation. If an email is asking you to act fast, don’t! Slow down and assess the situation.
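Clue 3 (sender domain and link destination) is the one that can be checked mechanically. The following is an added example, not part of the original page, showing how a mail filter or a training tool could apply the same "look at the real domain" and "hover to see where the link really goes" checks; the expected domain, the sample addresses and the sample links are constructed for the demo.

```python
from urllib.parse import urlsplit

def registrable_domain(host):
    """Last two labels of a hostname: 'mail.amazon.com' -> 'amazon.com'.
    Simplification: multi-label public suffixes (co.uk etc.) are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def sender_clues(from_header, expected_domain):
    """Check the domain after the '@' in a From: line against the company it claims to be."""
    address = from_header.split("<")[-1].rstrip(">").strip()
    host = address.rpartition("@")[2]
    if registrable_domain(host) != expected_domain.lower():
        return ["sender domain is %r, not %s" % (host, expected_domain)]
    return []

def link_clues(display_text, href, expected_domain):
    """Return the warning signs for one link, or [] if it looks consistent.
    This is the 'hover over the link' check done in code."""
    clues = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""  # .hostname drops 'user@' and ':port', so 'amazon.com@evil.example' is seen as evil.example
    if parts.scheme not in ("https", "http"):
        clues.append("unexpected scheme %r" % parts.scheme)
    if registrable_domain(host) != expected_domain.lower():
        clues.append("link really goes to %r, not %s" % (host, expected_domain))
        if expected_domain.lower() in host:
            clues.append("brand name is only a subdomain of someone else's domain")
    shown = display_text.strip().lower()
    if shown.startswith(("http://", "https://", "www.")):
        shown_url = shown if "://" in shown else "https://" + shown
        shown_host = urlsplit(shown_url).hostname or ""
        if shown_host != host:
            clues.append("text shows %r but link goes to %r" % (shown_host, host))
    return clues

if __name__ == "__main__":
    # Constructed sample message, not a real email.
    print(sender_clues("Amazon <no-reply@amazon.com.login-example.net>", "amazon.com"))
    print(link_clues("https://www.amazon.com/orders",
                     "http://amazon.com.login-example.net/x", "amazon.com"))
```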
Think you are ready to spot a few of these phishing emails on your own? Play the game below to see how well you can identify the clues that an email is not legitimate.
Spear phishing takes this a step further. Instead of sending out a generic email to masses of people, spear phishing actually targets a specific person or group of people by using personal details. This makes the emails appear more legitimate. Spear phishing emails may include details like the name of an employer, a friend or family member, or a trusted business to trick victims into clicking on links, downloading malware, or sharing their credentials.
It's your turn to go through your work inbox! See if you can correctly identify each email as a legitimate email or a phishing email.
I’ve spotted a phishing email! Now what?
Uh oh. I fell for a phish! What now?