Phishing is a cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as usernames, passwords, or banking information. The information is then used to access important accounts and can result in important data or financial loss.
When attempting to identify a message as legitimate or not it’s important to pay attention to the details of an email. Even if a message appears to look legitimate based on the sender, subject, or any descriptive text it contains that does not mean that it can’t be a phishing scam.
For example, take a look at this phishing email. Can you spot the things that make it a phishing email?
Look at the “From:” field.
Scammers can forge email addresses, use email addresses that look almost identical, or use email addresses that look like they might be legitimate because of the wording used. Montclair State University does attempt to block as many phishing and spam messages as possible, but it is impossible to block every single one. In the email above, the “from” field is a random address that is not associated with Bank of America.
Look at the greeting.
Most phishing emails will have a generic greeting such as: “Dear Member” or “Hello Bank Customer,” instead of using the recipient’s name. The greeting in the email above is a very general Hello, instead of addressing who the email was sent to.
Are they requesting personal information?
Legitimate companies never ask customers to enter login information or private information by clicking on a link to a website. In the email above, they are asking for the person to “log in” and check their account information.
Is the email made to seem urgent?
Phishing scammers attempt to create a sense of urgency by saying things like: “respond now or your account will be locked.” This makes a person feel rushed into doing whatever the instruction in the email are instead of thinking clearly about what’s really happening. “Awaiting your urgent response” is the telltale sign here.
If there is a link in the page does it actually lead to where it claims?
Check the link by hovering over it with a mouse but do not click on it. On the bottom left of your web browser, it will show you where the link is actually trying to take you. Look for URLs with https. The S indicates that the website is using encryption to protect its users. Scammers can be quite clever about changing links in emails, however, you can typically use Google or another search engine to determine the real domain of the company in question through a quick search and observing the resulting URL in your browser. So for example, a Google search on “Wells Fargo Bank” results in the top hit of “Wells Fargo Home Page” which points to www.wellsfargo.com. (The “www” representing the hostname and “wellsfargo.com” representing the company’s domain.) So any messages from the company should contain links that end specifically in “wellsfargo.com”. If you are not sure about a message originating from a company, you should always contact that company to confirm BEFORE proceeding. (Most company’s customer service lines have become quite accustomed to these inquiries.)
In the above example, when hovering over the download link, you can see that it would take you to a random Google document instead of to the Bank of America account page.
Are there attachments in the email?
Beware emails with attachments, especially .pdf files and .exe files. If a sender that you do not know is sending you an attachment it could be harmful. In the above example, there is a .zip attachment. Do not open a .zip attachment from anyone you do not know. Companies will never send you attachments to open in any of their emails to you.
Is the email confusing when you really look into it?
The sender of the email is not Bank of America, there is a download link even though the email is asking the person to log in and check their email, there is a .zip file in the email. The signature of the email says “Thank You, ADP Payroll system,” which is a tax service, yet the email is made to look like its coming from the Bank of America. When emails are confusing and do not add up logically, it can also be a sign that it is a phishing email.
Unfortunately, there is no 100% way to avoid every single phishing email out there. Some of the emails are very sophisticated, and even the most trained people can potentially fall for a phishing scam. There is also a chance that a phishing scam can be sent by someone you do know if they fell for a scam and their account was used to send out the same scam to get more people to fall for it.
If you follow the above tips you should be able to avoid most phishing emails. If you think you were phished, please contact firstname.lastname@example.org.