Not sure if an email is legitimate or not? See how you can spot phishing from a mile away!

A phishing e-mail is a bogus e-mail that is carefully designed to look like a legitimate request (or attached file!) from a site you trust in an effort to get you to willingly give up your login information to a particular web site or to click and download a virus.

Phishing attacks will often use domains like ‘apple.iphone.com,’ which looks like it could be legitimate, but is actually a spoof domain! Unfortunately, this will be enough to fool some users into putting in their password or making a payment to an attacker.

Phishing attacks can go beyond just e-mail. It’s getting more and more common for users to be targeted by SMShing and vishing: phishing attacks that use text messages and phone calls. These types of attacks are often very successful because we don’t approach a text message with the same caution that we would an e-mail. 98% of people will open every text they receive, whereas only around 25% of e-mails sent are ever actually opened.

Often these e-mails appear 100% legitimate and show up in the form of a PDF (scanned document) or a UPS or FedEx tracking number, bank letter, Facebook alert, bank notification, etc. That’s what makes these so dangerous – they LOOK exactly like a legitimate e-mail. So how can you tell a phishing e-mail from a legitimate one? Here are a few telltale signs…

First, hover over the URL in the e-mail (but DON’T CLICK!) to see the ACTUAL web site you’ll be directed to. If there’s a mismatched or suspicious URL, delete the e-mail immediately. In fact, it’s good practice to go to the site directly rather than clicking on the link. We also recommend hovering over the e-mail address in the ‘from’ section. For Gmail users, there will be a little arrow under the name of whoever sent you the e-mail. Clicking this arrow will drop down more information about the sending address. Oftentimes the address will be a bunch of gibberish at a domain unrelated to the company the e-mail claims to come from.

Example: you get an e-mail from a company called Provide Insurance, offering a deal on car insurance. Upon inspecting the e-mail address of the sender, we see it came from CabzlaM.1Q!mjJE_NoReply@provoke-wide.animalread.com. It doesn't look like they're affiliated with any real insurance company, and the e-mail would promptly be moved to the trash!

An obvious telltale sign is the e-mail being littered with poor grammar and spelling errors.

A typical warning sign is that the e-mail is asking you to “verify” or “validate” your login, asking for personal information, or making other call-to-action style requests. Why would your bank need you to verify your account number? Shouldn't they already have that information?

A phishing e-mail is also often sent to you as an image. It can be difficult to detect right away, but it still comes off as your run-of-the-mill spam e-mail. When we recognize something as spam we tend to seek out the unsubscribe link. When the e-mail is an image, you are tricked into thinking that they have provided an unsubscribe link, when in reality you are clicking on the whole image. It's a clever design that results in you clicking on whatever threat they've sent you.
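The hover check, the sender check and the image-as-link check described above can also be run mechanically by a mail filter. The Python below is an added example, not part of the original article; the sample message, the `.example` domains and the names `LinkAudit`, `host` and `audit` are constructed for illustration, and the display-name comparison is a rough heuristic.

```python
import email.utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed single-part HTML sample; only the From address is from the article.
SAMPLE = """\
From: "Provide Insurance" <CabzlaM.1Q!mjJE_NoReply@provoke-wide.animalread.com>
Content-Type: text/html

<a href="http://tracking.parcel-update.example/t">https://www.provide-insurance.example/quote</a>
<a href="http://tracking.parcel-update.example/u"><img src="offer.png"></a>"""

class LinkAudit(HTMLParser):  # records href, visible text and image use per <a>
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = {"href": dict(attrs).get("href") or "", "text": "", "img": False}
        elif tag == "img" and self._cur is not None:
            self._cur["img"] = True
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None

def host(url):  # bare "www.site.tld/x" text needs "//" before urlparse finds a host
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def audit(raw):
    msg = email.message_from_string(raw)
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    words = [w for w in name.lower().split() if len(w) > 3 and w.isalpha()]
    unrelated = bool(words) and not any(w in domain for w in words)  # heuristic only
    findings = [f"sender domain {domain} unrelated to '{name}'"] if unrelated else []
    parser = LinkAudit()
    parser.feed(msg.get_payload())
    for link in parser.links:
        text, target = link["text"].strip(), host(link["href"])
        shown = host(text) if text.lower().startswith(("http://", "https://", "www.")) else ""
        if shown and shown != target:  # what hovering over the link would reveal
            findings.append(f"link shows {shown} but goes to {target}")
        if link["img"] and not text:  # the whole image is the click target
            findings.append(f"image-only link goes to {target}")
    return findings
```

Calling `audit(SAMPLE)` returns three findings, one per warning sign; a message whose sender domain and link targets match what it displays returns an empty list.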

Finally, if the offer seems too good to be true, it probably is! When in doubt, throw that e-mail out!