Understanding and Identifying Phishing Attempts

What is phishing?

Phishing (pronounced: fishing) is a form of cyber crime in which targets are tricked into providing sensitive data such as personal information, financial account details, and passwords via phony emails, phone calls or text messages. The information provided is then used to access those accounts, often resulting in identity theft and financial loss. Attackers will often harvest the contacts from a compromised address book and extend their attack to others, using the victim's legitimate email address as cover.

Common attributes of phishing emails

Here are the attributes that a phishing email message commonly shows:

  • Bad spelling/grammar: Professional companies or organizations usually have proofreaders. If you notice basic grammar or spelling mistakes, the message is likely fraudulent.

  • Ultimatums: Claims or threats that your account will be suspended or deleted if you do not respond with your personal information within some amount of time.

  • Spoofing popular websites or companies: Cyber criminals use logos in email that appear to be hyperlinked to legitimate websites but actually take you to phony websites. Their hyperlinks may also use slightly altered company addresses (e.g. gooogle.com or micrsoft.com) to throw you off.

  • Surveys that require you to enter your credentials: Cyber criminals will often send out bogus surveys that look enticing to complete. The phony survey site will request your username and password so that they can later compromise your account.

  • Requests for account information: Cyber criminals will often use one or several of the following phrases to fool you into providing information such as your username, password or credit card numbers:

    • Verify your account...

    • Update your account...

    • Due to regular account maintenance...

    • Failure to update your accounts will result in account suspension...

Identifying Phishing Emails

Apart from some smaller businesses, most organizations have their own email domain and company accounts. For example, an email to or from an individual at Scotiabank will never come from an @gmail.com address.

Tip: The gmail.com part of an email address is called the domain name.

If the domain name (the bit after the @ symbol) matches the apparent sender of the email, the message is probably legitimate. The best and quickest way to check an organization's domain name is to look the company up in Google: find their website and confirm that its email addresses use the same domain name as the email you received. This makes detecting phishing seem easy, but cyber criminals have many different ways to deceive.

Tip: Look at the email address, not just the sender name.

Many of us never look at the email address that a message has come from. Your inbox displays a name, like 'IT Department', and the subject line. When you open an email, you already know (or think you know) who the message is from and jump straight into the content.

When the person sending the phishing email creates a fake email address, they can usually choose the display name, which does not have to relate to the email address at all. They can therefore use a bogus email address that turns up in your inbox with any display name of their choosing.

But these attempts rarely depend on the victim's inattention alone: the bogus email address will often include the organization's name in the local part of the address (the bit before the @ symbol).

Take this example of a phishing email mimicking PayPal:

This is a nearly flawless scam email. It uses PayPal's logo at the top of the message, it is styled professionally and the request is believable.

But as much as it attempts to replicate a genuine email from PayPal, there's one huge red flag: the sender's address is '[email protected]'.

A genuine email from PayPal would have the organization's name in the domain name, indicating that it had come from someone at (@) PayPal. That PayPal isn't in the domain name is proof that this is a scam.

Unfortunately, simply including PayPal anywhere in the message is often enough to trick some people. They may glance at the word PayPal in the email address and be satisfied, or simply not understand the difference between the domain name and the local part of an email address.
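As an added example (not part of the original article), the following Python check applies the rules above to a From: header: it splits the address into display name, local part and domain, then flags an organization name that appears only in the local part or the display name, a public webmail domain, and a look-alike of the organization's real domain (the gooogle.com pattern). The sample headers, the organization names and their real domains are constructed for the demo.

```python
from email.utils import parseaddr

# Constructed samples (header, claimed organization, its real sending domains);
# none of these are real senders or real mail.
SAMPLES = [
    ('PayPal Service <service@paypal.com>', 'PayPal', {'paypal.com'}),
    ('PayPal <paypal.support@mail-secure.example>', 'PayPal', {'paypal.com'}),
    ('Google Accounts <no-reply@gooogle.com>', 'Google', {'google.com'}),
    ('IT Department <helpdesk@gmail.com>', 'Acme', {'acme.example'}),
]
WEBMAIL_DOMAINS = {'gmail.com'}  # public webmail an organization never sends from

def split_address(header):
    """Return (display name, local part, domain) from a From: header value."""
    display, addr = parseaddr(header)
    local, sep, domain = addr.rpartition('@')
    if not sep:                      # no '@' at all, so there is no domain to check
        return display, addr.lower(), ''
    return display, local.lower(), domain.lower()

def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 means a look-alike such as gooogle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(header, org, org_domains):
    """Red flags from the text for one From: header; [] if the domain is genuine."""
    display, local, domain = split_address(header)
    org_l = org.lower()
    if domain in org_domains:
        return []
    flags = []
    if org_l in local:               # 'paypal' in the local part proves nothing
        flags.append('org name only in local part, domain is ' + domain)
    if org_l in display.lower():     # the display name is whatever the sender chose
        flags.append('display name claims ' + org + ' but domain is ' + domain)
    if domain in WEBMAIL_DOMAINS:
        flags.append('sent from public webmail domain ' + domain)
    for real in org_domains:         # one or two edits away from the real domain
        if 0 < edit_distance(domain, real) <= 2:
            flags.append('look-alike of ' + real)
    return flags

def scan_samples():
    """Check every constructed sample; returns {header: flags}."""
    return {h: check_sender(h, org, d) for h, org, d in SAMPLES}
```

Only the first sample comes back with no flags; the other three each trip at least one of the checks described above.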

Phishing do's and don'ts

  • Don't directly respond, click links, open attachments or provide any information requested by the sender. Ever.

  • Do report any phishing attempts to the IT Department.

What to do if you responded to a phishing attempt

  • Change all passwords or PINs on any accounts you think may be compromised.

  • Monitor accounts that you think may be compromised for unusual activity.

  • Report the incident to the IT Department immediately.

Can You Spot A Phishing Attempt?

If you feel you can spot phishing attempts, please take the quiz at https://phishingquiz.withgoogle.com/.