Phishing and other social engineering attacks are only increasing in frequency and, unfortunately, in sophistication. However, there are a number of common indicators of a phishing attack, and knowing what to look for goes a long way toward protecting yourself. If you spot any of the following tip-offs, proceed with caution.
Poor spelling and grammar are a dead giveaway. If you receive an email from, say, your bank, and it is riddled with typos, awkward language, or formatting errors, it is most likely fraudulent. Legitimate organizations take care when crafting communications to current or prospective customers. While cybercriminals are getting more sophisticated, they are still sloppy by comparison.
For example, a recent phishing email identified by the IRS reads “We kindly request that you follow this link HERE and sign in with your email to view this information from (name of accounting association) to all active members. This announcement has been updated for your kind information through our secure information sharing portal which is linked to your email server.”
Personal information requests
Exciting offers or scare tactics
Beware of emails offering rewards—vacations, cash prizes, etc. If an offer comes with a request for personal information, a link to claim your prize, or an attachment to download, it’s a phishing scam. It’s like the old saying “if it seems too good to be true, it probably is.” This type of phishing email frequently encourages recipients to act quickly, because there is a time limit on the offer. The Federal Trade Commission reported an example of this type of scam which offered a free trip to a World Cup game.
Some phishing emails take the exact opposite approach—attempting to scare recipients into clicking a malicious link or providing personal information. For example, an email claiming to be from your credit provider says your account has been compromised and provides a link to take some form of immediate action.
If you hover your mouse over a link without clicking, you should see the full URL appear. If it doesn’t match the organization’s site name, or if it looks suspicious in any other way, it’s probably a malicious link. Look out for slight alterations to URLs that you visit frequently. For example, http://www.largenationalcompany.com might appear as http://largenatonalcompany.com.
Check out the “From:” field in the email header. Is it from a legitimate email system? Using the example above, an email from Large National Bank should come from firstname.lastname@example.org, not email@example.com.
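The two checks above (hover over the link and read the real URL; read the domain in the “From:” field) can be automated for a mail filter or awareness tool. The following is an added example, not code from the original article: it compares the registrable domain of a link or sender address against a constructed list of domains you visit often and flags near-misses such as the page's own largenatonalcompany.com. The trusted list, the two-edit threshold and the last-two-labels rule for the registrable domain are assumptions.

```python
from urllib.parse import urlparse

# Constructed allowlist of domains the reader visits frequently (assumption;
# the page's own example domain is used here).
TRUSTED_DOMAINS = {"largenationalcompany.com"}
MAX_EDITS = 2  # assumption: within two edits counts as a look-alike

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Keep the last two labels (assumption: no public-suffix list available).
    This also defeats 'trusted.com.other-host' style prefixes, because only
    the labels at the end of the host name count."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' (close to a trusted domain) or 'unknown'."""
    dom = registrable_domain(host)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    if any(levenshtein(dom, t) <= MAX_EDITS for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"

def check_link(url: str) -> str:
    """Classify the host that a link actually points to (what hovering shows)."""
    return classify_host(urlparse(url).hostname or "")

def check_sender(from_field: str) -> str:
    """Classify the domain after '@' in a From: field; a display name is ignored."""
    addr = from_field.split("<")[-1].rstrip(">").strip()
    return classify_host(addr.rpartition("@")[2])
```

A result of "lookalike" is the case the article describes: a domain one or two characters away from one you trust, which is exactly what a hurried reader overlooks.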
Generally speaking, if an email seems sketchy, it probably is. If you don’t feel comfortable clicking on a link or downloading a document but aren’t completely confident that it is fraudulent, try to contact the sender in a separate email (or better yet in person or on the phone) to determine if the message is legitimate. Err on the side of caution, and you’ll avoid most attacks. Finally, be certain that you have a proper backup of your files. In the event that your computer is compromised by a phishing attack, backups allow you to restore files that were lost or corrupted.