What is phishing, anyways?
Email phishing—a scam in which a user is duped into revealing confidential information—is a type of online threat that preys on all kinds of people. “Phishing” emails often impersonate legitimate corporations, or even your acquaintances, in order to extract money or information from their targets. It doesn’t matter if you work at a big company or just use your email for sending cute videos of sloths—you could be a phisher’s next victim. Avoid online scams by recognizing these phishing red flags.
Red Flag #1: The email is from “Social Security”
If you’ve ever gotten a call from a scammer that alleges to be from the Social Security Administration, you’ll be familiar with this common phishing email scheme. Though thousands of calls and emails that claim to be from the SSA are received daily, so few of them are coming from the actual government agency. “The volume of phishing scams from sources claiming to be the social security bureau is on the rise,” says Susan Dahl, CEO of Levatus Wealth Services. “The first thing to know is that Social Security rarely calls or emails, so if you are receiving a call, be skeptical.” According to the Social Security department, a government employee will never;
- Call you to demand immediate payment,
- Require a specific means of payment,
- Ask for your personal information over the phone,
- Or threaten you with arrest or deportation.
To verify the legitimacy of text messages, emails, or phone calls, you may call Social Security’s nationwide toll-free customer service at 1‑800-772-1213. This is why you should never say your social security number over the phone.
Red Flag #2: The email evokes an emotional response
The most effective phishing emails evoke a sense of urgency or emotional interest. If scammers want you to click a link, they have to make sure you’re intrigued! Some examples, explains Michele Bousquet, a professor at Tulane University, include threats of revenge pornography, threats about overdue bills, and enticing “special offers” you can only get if you “act now.” In these cases, it’s always important to check with the entity that is supposedly contacting you. If it’s a family member asking for money, give them a call. If it’s an electric company, Bousquet says “your best bet is to call the number shown on your actual bill to find out if there really is a problem.” Don’t think that a phishing email would be targeted to you? Mark Gazit, CEO of machine learning company ThetaRay understands. “Most of us feel like we aren’t important enough to be hacked,” he says. “But these days, everyone is vulnerable because it’s all done automatically. These AI-driven systems search the entire world of IP addresses and attempt to hack into as many systems as possible.” Apparently, not all scammers are evil—read the story of a man who befriended his scammer.
Red Flag #3: The file attachments seem weird
Courtesy Dani Walpole/rd.com
When was the last time your bank sent you a file attachment? Or when did your uncle last email you a PDF? If a file attachment looks sketchy, it might be time to close the window. Links and attachments could be coming from a phisher or one of your friends’ compromised accounts. Many intelligent people are phished simply because they act hastily, and checking their email feels as safe and routine as brushing their teeth. When a link or attachment comes from a sender with a name or URL that the recipient trusts, they will be less skeptical. Most people aren’t exactly alert at 7 a.m. while catching up on their inbox, so phishers prey on that sense of trust and lack of attention. Nikolai Tenev, founder of DigidWorks advises email users not to fill out “any sensitive information in files you receive over email unless you’re absolutely sure who the sender is.”
Red Flag #4: The email has grammatical errors
Would your school, tax service, or employer confuse the forms of the word “their” or spell simple words incorrectly? Probably not. Most of us have memorized the most difficult spelling rules. Since many phishing attempts originate from countries other than your own, you may find that the emails urging you to wire over your savings or enter passwords may be grammatically incorrect. Aside from this, spell-checking and proper grammar is considered important at legitimate companies, as error-riddled emails would negatively affect their reputations. Stacy Clements, a retired Air Force cybersecurity operations officer, and owner of Milepost 42, tells Reader’s Digest that grammatical errors will not always appear in a modern phishing email. “Phishing techniques have become more sophisticated,” she says. “The common red flags such as misspellings, poor grammar, etc. may still be present, but today’s phishing emails may be well written, appear to be from a legitimate source, and even use correct logo marks.”
Red Flag #5: It’s from a sketchy sender
Phishers may also trick their targets by using links that resemble the email accounts of actual trusted companies, with subtle variations on the usernames or websites that are largely unnoticeable, especially on a mobile device. For example, a phishing email that comes from a sender purporting to be “Reader’s Digest” may actually originate from the email address [email protected] (with a secret L inserted,). A message from someone impersonating “Bank of America” may originate from an address like “1[email protected].” Accidentally downloading a virus can be one of the fatal mistakes that shorten your laptop’s life.
Red Flag #6: The links are hidden/hyperlinked
Courtesy Dani Walpole/RD.com
A technique that many phishers employ is called “combo-squatting,” a method in which phishers craft their malicious links to look like reputable sites. Cyber-security expert Greg Scott puts it best: When you’re tempted to interact with a scary, urgent-looking email, “first, on a computer, hover over the ‘Click Here to Make Everything All Better link. Look carefully where it leads and watch for URLs designed to look similar to legitimate URLs. www.amazon.myevilwebsite.com is not the same as www.amazon.com,” writes Scott. The same strategy of caution is applicable to mobile devices. If you press and hold a blue link within an email on the Gmail app, a pop-up will display the actual URL that the hyperlink is directing you to, and ask if you would like to proceed. In the “Mail” app on the iPhone, this is not an option. While you’re upgrading your security strategies, study these time-saving Gmail hacks.
Red Flag #7: The Dropbox or Google Drive link requires login
Always be wary of file-sharing links that require you to enter your password in another window. Justin Lavelle, Chief Communications Officer for BeenVerified.com and expert on identity theft, tells us that since “Google Drive supports documents, spreadsheets, presentations, photos, and even entire websites. Phishers can abuse the service to create a web page that mimics the Google account log-in screen and harvests user credentials.” These “false” windows are officially called hijacked domain name systems, and the phenomenon is known as “DNS hijacking,” a common way that phishing emails target individuals and companies. Next time you’re entering a password on a link from an email, think again. Try logging in from Google or Dropbox’s homepage instead.
Red Flag #8: They’re threatening you with an old password
“A big [scam] to watch out for is the hacked password extortion email,” says Jason Glassberg, ethical hacker and co-founder of Casaba Security. “The sender claims to have recorded you, through your webcam, while you were viewing a pornographic video, and threatens to release this to all your contacts unless you send them payment in bitcoin. To prove they did, they will include one of your passwords to show that they got access to your accounts.” This particular scam is terrifying and seems like it might be legitimate since they’re using a real password of yours, but websites you trust are often compromised. Most likely, Glassberg says, “the criminal got it by buying a password dump from a darknet seller. Ninety-nine percent of the time, the ‘hacker’ hasn’t hacked anything of yours. They just have your password, probably from an older account. It’s very important that consumers do not reply to these messages.”
Red Flag #9: The sender claims to be tech support
Atif Mushtaq, CEO and founder of anti-phishing firm Slashnext says that phishing emails disguised as technical support scams are a common way that phishers gain access to victims’ computers. “[They] use scare tactics to trick gullible victims into believing that their computer has either crashed or that a virus has been detected on their computer,” says Mushtaq. “These scams try to lure victims into calling fake technical support hotlines to gain remote access to the system and to collect sensitive user information. These scammers may also ask their victims to pay for their fake support. Once the hacker is connected, they may install malware for remote access or stealing data.” Be prepared the next time you need tech support with these 20 words that make you sound cyber-savvy.
How can I protect myself from phishing?
Taking precautionary measures against phishing emails begins with making your accounts more secure.
- First, make sure your password is hard for hackers to guess.
- Then, ensure your accounts require a second form of login verification (two-factor authentication).
- Always be careful when opening links, and investigate their legitimacy before opening them.
- Consider installing anti-virus software on your computer, and don’t ignore security warnings.
- As a final step, download an anti-phishing browser to protect yourself from future attacks.