How to Recognize and Handle Phishing
What is Phishing?
Phishing is an attempt to get personal, sensitive information for malicious reasons (usually for the sender’s gain). Sending fake emails is called "phishing" because the sender is "fishing" for your personal information. The target can be anything from passwords to credit card information and your social security number.
The classic example is the Nigerian Prince, who sends an email wanting to give you a couple million dollars. However, to get it, you must fill out some information. Or worse, you must send money somewhere to get the process started.
These days we see far fewer benefactor-style phishing emails, and more that appear to come from a person or company you are familiar with. The phisher is counting on familiarity and trust to make you take the action requested in the email – whether that be simply clicking on the links or filling out sensitive information.
Phishing is one of the most common forms of online threats and is showing no sign of slowing down. It is important to know how to spot and handle a phishing attempt.
How to Identify Phishing
Phishing emails can range from very simple to quite masterfully crafted. Often, they look very authentic. They may match the style you are used to seeing from your bank or other organization. Hackers/Phishers go to great lengths to make sure an email looks legitimate, but there are things to keep an eye out for to help identify a phishing email.
1. The email asks you to confirm personal information
Watch for emails requesting you to confirm personal information such as banking details or login credentials. Legitimate organizations would never ask you to send personal information through email. If you are concerned that the email may be legitimate, contact the organization directly. Do not click on links or call numbers provided in the email; contact the organization through either their website or a number you may have interacted with previously.
2. The message is designed to make you panic
Phishing emails are often written to alarm you, warning that an action needs to be taken immediately. The email may claim that your account has been compromised and that you need to verify your login credentials immediately or something bad will happen - something like the account closing or being vulnerable to attack. They are counting on you to fall for the false sense of urgency they created and to react without thinking it through.
3. It’s poorly written
Phishing emails are often poorly written – with bad grammar, spelling errors or odd phrases. Legitimate companies thoroughly check for spelling, grammar and even legality errors. If you receive an email from a company you know, but it is written poorly – there is a strong chance that it is a phishing email.
Another thing to check for is how the email is addressed. Is it something vague and generic like ‘Valued Customer’? This could be a sign of phishing as most companies use names to address the people they are sending to.
4. The web and email addresses do not look genuine
Most of the time a phishing email will come from an address that looks legitimate. Phishers aim to trick you by including the name of a real company within the email address they are sending from. At a glance these email addresses look real, but if you take a closer look you may notice that they are a little off.
Links inside the email may be masked to look authentic. Make sure to hover over the link and inspect it before clicking on it. (This will vary a little between mail clients – but usually if you hover the mouse over a link, the actual address it will take you to pops up in the lower left corner of the program.)
5. There’s a suspicious attachment
It is a good rule of thumb to avoid email attachments unless you personally know who sent them and were expecting them. Beyond that, however, if a company sends you an email with an attachment out of the blue, alarm bells should go off. The attachment could contain a malicious URL leading to malware or a virus being installed on your computer. If you think the attachment is genuine, scanning it with antivirus software first is a good idea.
What to do next...
Don't panic! This happens every day, and is not personal.
Report it. This can help others avoid future phishing attempts.
Delete it immediately, to prevent yourself from accidentally opening the message in the future.
Do not download any attachments accompanying the message.
Never click links that appear in the message.
Do not reply to the sender.
Most email platforms have security measures in place to handle spam and phishing emails before they get to you – including Microsoft Office 365. However, no system is 100% foolproof. The best plan of attack is to know what to look for, and how to spot phishing attempts.