What are phishing scams?
Anyone with an email account has very likely received a message that tries to get your personal information, to get you to buy into something fake, or to get you to click on something malicious. This type of email is called a phishing scam. Phishing scams can be as obvious as a Nigerian prince asking for money, but they can also be very deceptive. They can look like your bank (or another account that you recognize and trust) asking you to click a link and reset your password. They can look like an advertisement for a really appealing product. They can also look like a fundraiser for the latest hurricane victims. In 2020, these attempts are more sophisticated than ever, but there are still ways to avoid phishing scams. The Nigerian princes are still out there, but scammers are creating more and more convincing emails that appear to come from sources you recognize and trust, like your bank, your favorite charity, or even your work or school. These guidelines are designed to help you reduce the risk of you and your company falling victim to the latest email phishing scams.
Types of phishing
There are two types of phishing: spear phishing and whaling. Spear phishing is an attack directed at specific individuals who all have something in common. For example, you may all have an account at the same bank. Attackers know precisely who they are targeting, and they do everything in their power to make the attack seem as believable as possible. They have very often gathered specific personal data on a person, and they know as much as possible about the institution they are imitating. The best way to avoid phishing scams of this type is to protect your personal information. Be sure to shred all personal documents, and regularly monitor your credit report in case one of your institutions suffers a data breach. If a request seems out of place, or if you didn’t initiate it at all, don’t click on any link in the email. Verify it separately on the institution’s website, or by calling the institution. A whaling attack is a phishing attack directed specifically at an executive or other highly placed official. Highly placed officials have to be extra diligent to make sure they don’t fall victim to this sort of attack.
How to spot a scam
The first step in learning how to avoid phishing scams is learning how to spot one. Look for these red flags in the content of a suspicious email:
- Were you expecting this email? If you get a password reset, or a request to verify account information and you did not do something to initiate this request, be suspicious.
- Beware of messages that ask you to open an attachment right off the bat.
- Be careful of opening any attachment or link – think before you click.
- When you hover over the link text, make sure the link looks legitimate – it should match the website that it’s indicating.
- A message should never ask you directly to respond with personal information about yourself or others, like passwords, a credit card number or your social security number.
- Check the From address to see if it looks legitimate.
- If you click reply, check the address in the To field. Does it match the address of the person who sent you the message?
- Look for bad grammar, punctuation, and spelling. Poor grammar is often a sign of a malicious email.
If you are still in doubt about the email, you can check for these red flags in the email’s metadata (its headers). View the metadata by looking for an option such as “show original” or “view source” in your inbox provider.
- Check for a certificate or digital signature.
- Look at other emails from this sender – do they have security footers? Does the suspicious email match?
- Does the From address match the Sender address?
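The content and metadata checks above can be automated. The script below is an added example, not part of the original article: it parses a constructed sample message with Python’s standard email module and reports the tells the two lists describe (Reply-To or Sender domain differing from the From domain, no digital signature header, link text that does not match the real link target, and a request for personal information). The sample addresses and domains are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message that shows several of the red flags at once.
SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@examplebank.example>
Reply-To: support@examplebank-verify.example
Sender: bulk@mailer.example
To: you@example.com
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please visit <a href="http://examplebank-verify.example/login">www.examplebank.example</a>
and reply with your password to confirm your details.</p>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr_or_url: str) -> str:
    """Return the bare host of an email address or URL, lowercased, without a www. prefix."""
    if "@" in addr_or_url:
        host = addr_or_url.split("@")[-1]
    else:
        host = re.sub(r"^\w+://", "", addr_or_url).split("/")[0]
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def red_flags(raw: str) -> list:
    """Return a list of human-readable red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    # Metadata check: does the From address match the Reply-To and Sender addresses?
    for hdr in ("Reply-To", "Sender"):
        addr = parseaddr(msg.get(hdr, ""))[1]
        if addr and domain_of(addr) != from_dom:
            flags.append(f"{hdr} domain {domain_of(addr)} differs from From domain {from_dom}")
    # Metadata check: is there a digital signature at all?
    if not msg.get("DKIM-Signature"):
        flags.append("no DKIM-Signature header (no digital signature to check)")
    body = msg.get_payload(decode=True).decode(errors="replace")
    # Content check: does the visible link text match where the link really goes?
    for href, text in LINK_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if "." in shown and domain_of(shown) != domain_of(href):
            flags.append(f"link text {shown} actually points to {domain_of(href)}")
    # Content check: does the message ask for personal information directly?
    if re.search(r"\b(password|social security|credit card)\b", body, re.I):
        flags.append("body asks you to reply with personal information")
    return flags
```

Running `red_flags(SAMPLE_EMAIL)` on the constructed message returns five flags; a plain message with a matching From address and a DKIM-Signature header returns none.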
Always report scams
If you do decide an email is a phishing scam, it’s important to report it. Most inbox providers, like Google, Outlook, and Yahoo, give you an option to report a phishing scam, usually in a drop-down menu when you have the email open. Reporting the email as a phishing scam may help to protect other people who have received it, and it also protects you from ever getting mail from this sender again.
What to do if the worst has happened
If you think a phishing scam has victimized you, start by reporting it to your email service provider.
Next, file a complaint with the FTC by going to their identity theft site here. In addition to being able to report identity theft, they have a ton of resources in place to help you deal with the breach.
Make sure to run virus and Trojan horse scans on your machine. It may look like you just accidentally gave away personal data, but scammers may very well have managed to download malicious software to your computer.
If the scam was impersonating an organization that you trust, it’s good to let the organization know that someone was imitating them with malicious intent.
If your personal information was breached, make sure to check your credit regularly, or to set up a trusted credit tracking monitor. If you accidentally divulged a password, reset your password and let the organization know that you think you have been breached.
If the attack came through on a machine, network or account belonging to an organization, like a school or your workplace, make sure to report the issue to your IT department or your information security department so that they can take proper security precautions to make sure you, your peers and your network are protected.
Even though scammers have gotten more sophisticated than ever, you can still protect yourself by taking a few simple precautions and learning how to avoid phishing scams. If you and your team look for these tells, you will more often than not be able to spot even the canniest phishing scams.