Let's Talk About Phishing

We live in uncertain and troubling times, especially in the midst of this virus outbreak. And this hasn’t done anything but help the proliferation of one of the internet’s most annoying – and scary – forms of theft: phishing. With all this time on their hands, hackers and people with malicious intent are coming up with more and more ways to try and get your secure data for themselves.

For those who have never had the experience of being the target of a phishing attempt, you can break the experience down into a couple of points. First, you’ll receive one of two types of emails: a fairly believable one, or a pretty obviously scam-like one. I’ll start by breaking down the ones that feel like a scam. Some of the major things to look out for are noticeably poor grammar and spelling, the sender telling you to click on a link, a sender email address that looks like a recognizable one but with extra letters or numbers, links that are not https, etc.

The point of a phishing attack is to send as many emails as possible to as many people as possible in the hope that lots of them will click on or follow a link that takes them to a site built to capture and steal their login information. This is very bad for anyone, from companies to individuals. Usually these sites will ask you for login information, then ask you to verify your payment or credit card information, and then just steal it to use as they see fit. They’ll also sometimes include something for you to download, like a PDF, which can put viruses or keyloggers on your computer.

Even worse forms of phishing are whaling or spear phishing. Spear phishing is like the next level of phishing; it is more sophisticated, more personalized, and more focused. Really believable stuff. These might look like they come from your company’s IT department or Sales department, or like they’re from someone whose name you remember. Whaling, then, is the top level of phishing attacks. Highly personalized, very sophisticated, and usually targeted at the higher ups of a business or organization. With a whaling attack email, you might think you’re getting an email from the CEO of your company asking you to wire them money, or asking you to respond immediately. Responding in any way will give the attacker information they can use to further pull you in, with the goal usually being to get login or credit card information. These forms of attacks can also have malicious attachments, which you definitely do not want to open.

And it’s only getting worse. More and more large-scale phishing and whaling attacks are occurring all the time. So how can you prevent yourself from falling victim to them?

1. Check the sender’s address. Does it seem strange? Do you recognize it? Does it look like a legitimate email address?

2. Ask yourself: are you expecting anything from this person? Especially in the case of spear phishing and whaling attacks, the emails will be very believable, and asking yourself whether you’re expecting something from the ‘sender’ can save you a headache.

3. Look to see if the email sounds pushy or has obvious misspellings. A lot of times, phishing attack emails will have misspelled company or service names, and just hope people don’t read too thoroughly.

4. Everyone knows the story about the prince from some foreign country who has millions in free cash waiting for you – if the email sounds like that, it’s probably a phishing attack.

5. If there are attachments, don’t download them unless you know who they’re from.
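The checks above can be turned into a simple, mechanical triage. Below is an added example (not from the original post or its author) that scores a raw email against the same signals: a sender domain that is one or two characters off from a trusted one, links that are not https, urgent wording, and common misspellings. The trusted domain list, the word lists, and the two sample messages are all constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: these are the organisation's own domains (constructed for the example).
TRUSTED_DOMAINS = {"acme-corp.com"}
# Pushy language that the checklist warns about (constructed list).
URGENCY_WORDS = {"urgent", "immediately", "now", "verify", "suspended"}
# A few misspellings often seen in scam mail (constructed list).
COMMON_MISSPELLINGS = {"infomation", "verificaton", "acount", "recieve"}

# Constructed sample: lookalike sender domain, plain-http link, urgent tone, typos.
SAMPLE_PHISH = """From: "Acme Payroll" <payroll@acme-corp1.com>
To: employee@acme-corp.com
Subject: URGENT: verify your account immediately
Content-Type: text/plain

Your payment infomation needs verificaton. Click here now:
http://acme-corp1.com/verify
"""

# Constructed sample: genuine domain, https link, calm wording.
SAMPLE_LEGIT = """From: "Acme Payroll" <payroll@acme-corp.com>
To: employee@acme-corp.com
Subject: Monthly payslip available
Content-Type: text/plain

Your payslip for March is available on the portal as usual.
https://acme-corp.com/payslips
"""


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted):
    """Return the trusted domain this one imitates (distance 1-2), else None."""
    for t in trusted:
        if domain != t and levenshtein(domain, t) <= 2:
            return t
    return None


def score_email(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Sender address: is it a near-copy of a domain we trust?
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        t = lookalike_domain(sender_domain, TRUSTED_DOMAINS)
        if t:
            findings.append(f"sender domain {sender_domain} looks like {t}")

    text = msg.get("Subject", "") + "\n" + msg.get_payload()

    # 2. Links: plain http, or pointing at a lookalike domain.
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"non-https link {url}")
        host = (parsed.hostname or "").lower()
        t = lookalike_domain(host, TRUSTED_DOMAINS)
        if t:
            findings.append(f"link host {host} looks like {t}")

    # 3. Pushy tone and sloppy spelling.
    words = set(re.findall(r"[a-z]+", text.lower()))
    urgent = sorted(words & URGENCY_WORDS)
    if len(urgent) >= 2:
        findings.append("urgent wording: " + ", ".join(urgent))
    typos = sorted(words & COMMON_MISSPELLINGS)
    if typos:
        findings.append("misspellings: " + ", ".join(typos))

    return findings


def is_suspicious(raw, threshold=2):
    """Treat a message as phishy once it trips at least `threshold` checks."""
    return len(score_email(raw)) >= threshold


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, is_suspicious(sample), score_email(sample))
```

This is a heuristic, not a spam filter: a well-crafted spear phishing email can pass every one of these checks, which is exactly why the checklist ends with "ask the sender through another channel" rather than with a tool.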

There are definitely services you can purchase or subscribe to that help keep you safe on the internet, especially while using email. But even these aren’t foolproof and can be tricked. Email services nowadays do a very good job of filtering out spam and phishing attempts, but with those attacks becoming more sophisticated every day, the only one you can really rely on to keep your important personal data safe is yourself. Bottom line: if it seems even a little phishy, delete it and don’t open any links. If it’s from someone you’ve had contact with and you can reach out to them, check to see if they actually sent you the email.

At the end of the day, you can only try to keep yourself as safe as possible online. But if you do click on a link, make sure you don’t put in any info. Every time you don’t open those emails, links, or download those attachments, you make it a little harder for the attackers to succeed. Stay safe out there.

Scott Zimmerman