What is email phishing and how do I prevent it?

What is Phishing?

Phishing, not to be confused with actual fishing, is a common form of internet scam designed to gather information from its recipients. Cybercriminals use social engineering, often in the form of fake emails or pop-ups, to bait and lure people into giving up sensitive information such as passwords and credit card information.

While many of these phishing campaigns come in the form of low effort emails telling you that an account you don’t even have has been compromised, a growing number of phishing campaigns come in forms that are almost indistinguishable from companies legitimate communication. Phishing is on the rise. The FBI estimated that in 2019 US citizens lost a whopping $57 million to phishing attacks, so it’s easy to see the importance of being able to identify these attacks.

What does a phishing campaign typically look like?

While they can come in many forms, some of the most commons forms are:

1. Fake invoices
2. Claims of an account problem (ex. Netflix needs to verify your payment information)
3. Suspicious Activity Claims (ex. A suspicious login was detected, update your password now!)
4. Offers that are too good to be true (ex. You’ve won a free TV! Act now to claim your prize.)
5. Government communication (ex. The IRS has discovered an issue with your tax refund.)

Often these attacks come littered with grammatical errors, generic greetings, and questionable links, but as mentioned earlier, sometimes a phishing attack isn’t always apparent. 

Here are a few ways that you can identify a phishing attempt before getting lured in:

1. Is the email address recognizable? Before taking any action, take a quick look at where the message is coming from. Make sure the domain matches the sender, a legitimate email from Netflix would most likely be from something like example@netflix.com, not netflixsupport@gmail.com.
2. The email includes a link, but does it match a site associated with the sender? For example, an email that is supposed to be from the government is leading to an unrelated site. Pro tip: hover your mouse over the link before clicking on it; this will expose the entirety of the linked address.
3. Does the message look legitimate? Take a quick look at the message you have received and be skeptical. Does this look like communication you have received from the sender before? Have you ever received communication from them?
4. If a link has been clicked and is asking you to login, does the login page match the site? An Amazon link almost certainly won’t bring you to an Office 365 login page.

While it is important to know a few quick ways to identify phishing attacks, the most crucial aspect of prevention will always be training. Training presented by your IT provider is a great way to get users in your business aware of the dangers and common patterns in phishing campaigns. Often these training platforms come with useful tools to help end-users identify and report phishing attacks before they become a real problem.

Not sure if that email from the CEO is legitimate or not? Well, press that shiny new button installed in your Outlook application to report it for review. Security awareness platforms like Ironscales (which happens to be the one we use) also provide IT staff the ability to launch their own fake phishing campaigns. These are designed to present end users with real-world examples, without the risk, of course, and can act as a method to direct them to train if needed.