Phishing — Don’t Be Phooled
Phishing is a scam in which an attacker tricks you into handing over your information, or into letting them onto your computer, usually by email. Phishing scams are varied, cheap, and powerful: by some estimates, around 80% of reported security incidents start with a phishing message.
Every. Email. Is. Potential. Phishing.
Every single one.
It doesn’t matter if it’s from your boss, your spouse, your mom, the government, an online shopping website, or your bank. Any email account can be hacked, and plenty have been at some point. Any email address can be spoofed, because email was never designed to prove who sent a message: the “From” line is just text that the sender fills in. Any email signature can be faked.
This doesn’t mean that you should stop using email. It means that, just like knowing the signs of counterfeit money or a crooked used-car salesman, everyone should be able to read the signs of a phishing email.
How to check for phishing emails
Here are a few things to look for when going through your emails to keep yourself safe from phishing attacks.
They ask for something
Legitimate organizations don’t ask for passwords, payments, or personal details over email, and they don’t need you to “confirm” an account number they already have. If an email asks you for a “favor”, for anything of monetary value, or for any of your information, that’s a red flag. Pressure to act right now (“within 24 hours”, “or your account will be closed”) is part of the same trick. Red flag. 🚩
Hover over ALL THE LINKS
Links can be verified by hovering over them with the mouse. The real destination shows up in the status bar at the bottom of the browser or mail window (on a phone, press and hold the link instead of tapping it). If the link text says yourcreditunion.com and the hover shows “badguystryingtostealyourdata.tank.digital”, the link is literally saying one thing and doing another. Read the destination carefully, too: what matters is the end of the name just before the first slash, so yourcreditunion.com.tank.digital belongs to tank.digital, not to your credit union. Red flag. 🚩
If the email doesn’t have your name
You are not “Dear Sir/Madam” or “Valued Customer”. If you got a piece of snail mail addressed that way, you would automatically know it’s junk mail. Junk mail, in this instance, is phishing, and it can get you hacked and your information stolen. The reverse isn’t a guarantee, though: a message that uses your name can still be phishing, since names and email addresses leak in data breaches all the time. Red flag. 🚩
There’s something wrong with the sender’s email address
If you’re expecting an email from email@example.com and you get one from firstname.lastname@example.org, that’s not the same person. Each email address is specific; no substitutions allowed, and it has to be spelled exactly the way it should be. Look at the actual address, not the display name: your mail client shows the friendly name in bold, but the address in angle brackets after it is what counts, and a scammer picks both. Watch for lookalikes such as a missing letter, an extra word, or a different ending (.org where it should be .com). Red flag. 🚩
Spelling and grammar mistakes
I don’t care if the person you’re talking to has learned English as their seventeenth language or is a native English speaker who can’t remember when the “i before e” rule doesn’t apply. If there’s a spelling or grammar mistake, it should put you on alert. Typos, anywhere, are a red flag. 🚩
Free email services
Sometimes scammers use free email services like Gmail, Yahoo, or Outlook to send phishing scams. email@example.com is not firstname.lastname@example.org: a company’s support desk, your bank, or a government agency writes to you from its own domain, not from a free webmail account. Free email accounts make the world go round. Free email accounts trying to steal your information make the dark web go round. Red flag. 🚩
Why is there an attachment?
A message from your dear old grandma just saying “hi, how are you, I thought of you today” shouldn’t have an attachment. Microsoft Office documents, PDFs, ZIP files, and other things that are regularly attached to email are reliable ways for an attacker to get onto your computer: a Word or Excel file can carry macros that run the moment you click “Enable content”, and a ZIP can hide a program behind a document-looking name. Unexpected attachments are a red flag. 🚩
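As an added example (not code from the original post), here is the checklist above turned into a small Python script that reads a raw email and reports which red flags it finds: a sender domain that only resembles a trusted one, a free webmail sender, a generic greeting, a request for money or credentials, links whose visible text names one domain while the href goes to another (the hover check done by code), and risky attachment types. It uses only the standard library; the trusted domain yourcreditunion.com, the free-mail and attachment lists, the keyword lists, the 0.8 similarity threshold and the sample message are all assumptions made for illustration.

```python
"""Phishing triage for one e-mail, following the red-flag checklist above. Added example,
not the original post's code; standard library only. The trusted domain, word lists and
sample message are constructed assumptions."""
from difflib import SequenceMatcher
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"yourcreditunion.com"}   # assumed: where legitimate mail comes from
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
RISKY_SUFFIXES = (".doc", ".docm", ".xls", ".xlsm", ".pdf", ".zip", ".iso", ".exe", ".js", ".html")
GENERIC_GREETINGS = ("dear customer", "valued customer", "dear sir/madam", "dear sir or madam")
ASK_PHRASES = ("password", "gift card", "wire transfer", "verify your account", "account number")

def registrable_domain(host):
    """Crude owner-domain extraction: mail.yourcreditunion.com -> yourcreditunion.com."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

class BodyParser(HTMLParser):
    """Collects visible text and every (href, anchor text) pair from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

def link_mismatches(links):
    """The hover-over-the-link check in code: anchor text naming one domain while the href goes elsewhere."""
    bad = []
    for href, shown in links:
        target = urlsplit(href).hostname or ""
        shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname or ""
        if "." in shown_host and registrable_domain(shown_host) != registrable_domain(target):
            bad.append((shown, href))
    return bad

def triage(raw):
    """Return {flag: detail} for each checklist red flag found in the raw message."""
    msg = message_from_string(raw, policy=default)
    flags = {}
    sender = msg["From"].addresses[0]          # the real address, not the display name
    domain = sender.domain.lower()
    if domain in FREE_MAIL_DOMAINS:
        flags["free-mail-sender"] = sender.addr_spec
    elif registrable_domain(domain) not in TRUSTED_DOMAINS:
        # Close to a trusted domain but not equal to it (e.g. one letter dropped).
        closest = max(TRUSTED_DOMAINS, key=lambda t: SequenceMatcher(None, domain, t).ratio())
        if SequenceMatcher(None, domain, closest).ratio() > 0.8:
            flags["lookalike-sender"] = f"{sender.addr_spec} resembles {closest}"
    body = msg.get_body(preferencelist=("html", "plain"))
    text, links = (body.get_content() if body is not None else ""), []
    if body is not None and body.get_content_subtype() == "html":
        parser = BodyParser()
        parser.feed(text)
        text, links = " ".join(parser.text), parser.links
    lowered = text.lower()
    for flag, phrases in (("generic-greeting", GENERIC_GREETINGS), ("asks-for-something", ASK_PHRASES)):
        hits = [p for p in phrases if p in lowered]
        if hits:
            flags[flag] = hits
    if link_mismatches(links):
        flags["link-mismatch"] = link_mismatches(links)
    risky = [p.get_filename() for p in msg.iter_attachments()
             if (p.get_filename() or "").lower().endswith(RISKY_SUFFIXES)]
    if risky:
        flags["risky-attachment"] = risky
    return flags

# Constructed sample: lookalike sender, generic greeting, misleading link, password request, .doc attachment.
SAMPLE_PHISH = """\
From: Your Credit Union <security-alert@yourcredtunion.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Valued Customer,</p>
<p>Please visit <a href="http://badguystryingtostealyourdata.tank.digital/login">
yourcreditunion.com</a> within 24 hours to confirm your password.</p>
--b1
Content-Type: application/msword; name="statement.doc"
Content-Disposition: attachment; filename="statement.doc"

--b1--
"""

if __name__ == "__main__":
    for flag, detail in triage(SAMPLE_PHISH).items():
        print(f"🚩 {flag}: {detail}")
```

Run as a script, it prints the five flags raised by the sample message; a plain note from alice@yourcreditunion.com with no links or attachments comes back with none. The heuristics are deliberately crude (the lookalike test is a string-similarity ratio, and the owner-domain extraction takes the last two labels, which is wrong for names like example.co.uk), so treat a flag as a reason to look closer rather than as proof either way.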
If I think an email is phishing, what should I do then?
If an email has ANY of the red flags labeled above, treat it like it’s a gooey kleenex: dangerous.
Don’t click anything.
Some phishing emails are disguised as one BIG link: the entire message is an image, and clicking anywhere on it takes you to badguystryingtostealyourdata.tank.digital and starts the download of the virus.
If there’s something in the email you want to take a second look at, open a new tab (Ctrl+T is the keyboard shortcut for a new tab) and type the website’s address yourself. If you have to search for it, that’s fine too. Just don’t use the link in the email.
Call ’em up.
“Hey boss, did you mean to send me this message asking for me to mail ten $500 iTunes gift cards to India?”
It will rarely be that preposterous. But the easiest way to verify someone’s identity is to call them and have a conversation. Use a phone number you already have, or one from the organization’s official website, never a number printed in the suspicious email; the scammer will happily answer that one. Ask about the email specifically, and then ask about a few other things. There have been verified hacks based on voice impersonation, so ask some questions that only the real person would know the answer to. You don’t have to make it weird, but if they ask why you’re being weird, tell them the truth. If someone gets mad at you for not wanting to get scammed by someone pretending to be them, that’s not your fault; they’re being ridiculous.
And if the email in question is from her, call your grandma anyways.
Many email providers have their own filters and teams dedicated to getting rid of phishing emails before they hit your inbox, or even your spam folder, and your reports feed those filters. Here are the official how-tos for reporting to Gmail and Outlook. You can also report phishing to the US government. If the message arrived at a work address, report it to your IT or security team as well, so they can find and remove the same message from everyone else’s inbox.
Phishing is a big deal, and will probably remain a big deal until scam artists go away. Which will be never. As we get better at figuring out how to discover scams, the scammers will get better at tricking us. Keep a wary eye out, and always err on the side of caution.
If you already have Brave, please head over to Khan Academy and tip them a few BAT. They deserve it. Thanks!
Right now the world is under quarantine because of COVID-19. Make your time at home matter in the long run. Follow me here on Medium, follow my Facebook page, or send me a message and tell me to start a newsletter.