Most people know to steer clear of emails from unknown senders asking for personal data, but what happens when the same request comes from an individual or company you know and trust? It’s a lot more tempting to engage with a person who’s familiar to you, and before you know it, you find yourself the victim of a cybercrime like identity theft. These emails are called phishing emails, and every day they become more sophisticated and appear more legitimate, making user education extremely important.
What is phishing and how is it different from spam?
Let’s start with defining spam. Spam is classified as unsolicited email, or “junk mail,” from someone trying to sell something. Usually, spam involves a “latest and greatest” type scam. When a spammer sends a message posing as a company, it is relatively simple to spot the warning signs. For example, if you take a look at the “from” line in the email, you’ll see a random domain name that isn’t actually associated with the company. These attacks are broad – emails are sent out in bulk with no specific victim.
Now let’s take a look at phishing, defined as a targeted attempt to acquire sensitive personal information. Phishing emails appear to come from legitimate sources like banks or educational institutions, and typically say something along the lines of “To ensure your security, it is important you verify your personal information by clicking this link.” To convey a sense of urgency, they might also threaten to disable services if you don’t follow the instructions in a timely manner – something that responsible organizations would never do.
How to spot phishing
There are a few ways to spot phishing scams. In my experience, these are some of the top indicators:
- Misspelled words or bad grammar. Not everyone is always grammatically correct, but around 90% of the phishing emails I’ve seen have contained spelling and grammar errors egregious enough to immediately make you question their authenticity.
- Mismatched display name and email address. The sender display name of a message is free text, so cybercriminals can show a trusted company’s name there, but if you check the actual originating email address, it will not match.
- Suspicious content. Take a second to think about what the sender is asking you to verify. If a bank you’ve been with for years suddenly wants to verify your information, chances are good that the sender isn’t actually your bank after all. Hover over any links embedded in the email, and if the address looks off, don’t click it! Other warning signs include threatening, urgent language and signatures that do not include information about the sender or tell you how to contact the company.
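The three indicators above can be checked mechanically before a message reaches a user. The following script is an added example written for this post, not code from the original article: it parses a raw email, compares the display name with the sender domain, compares each link’s visible text with where the link really points, and scans the body for urgent wording. The sample message and the list of urgent phrases are constructed for the example, and the anchor regex and “last two labels” domain rule are deliberate simplifications.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message for this example; not a real email.
SAMPLE_EML = b"""From: "Acme Bank Security" <alerts@mail-verify.example.net>
To: customer@example.com
Subject: Verify your account
Content-Type: text/html; charset=utf-8

<p>To ensure your security, verify your details within 24 hours
or your account will be disabled.</p>
<p><a href="http://login.mail-verify.example.net/verify">https://www.acmebank.example</a></p>
"""

# Phrases the post describes as pressure tactics; tune for your own mail flow.
URGENT = re.compile(r"\b(verify|within \d+ hours|disabled?|suspend(ed)?|immediately)\b", re.I)
# Simplified anchor extraction; a production filter would use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def reg_domain(url_or_host):
    """Approximate the registrable domain as the last two labels of the host."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url_or_host.strip().lower())
    host = host.split("/")[0].split(":")[0]
    return ".".join(host.split(".")[-2:])

def phishing_indicators(raw):
    """Return the indicators from the post that are present in a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    # 1. Display name claims a brand that the sender domain does not contain.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    words = [w.lower() for w in re.findall(r"[A-Za-z]{4,}", name)]
    if words and not any(w in sender_domain for w in words):
        findings.append(f"display name '{name}' does not match sender domain {sender_domain}")
    # 2. Visible link text names one domain while the href goes somewhere else.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href, text in ANCHOR.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if "." in text and reg_domain(text) != reg_domain(href):
            findings.append(f"link text {text} actually points to {href}")
    # 3. Urgent or threatening language in the body text.
    if URGENT.search(re.sub(r"<[^>]+>", " ", body)):
        findings.append("urgent or threatening language in body")
    return findings
```

Running `phishing_indicators(SAMPLE_EML)` reports all three indicators for the constructed message, while an ordinary plain-text note from a colleague on your own domain reports none.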
Although there is no foolproof way of spotting or stopping phishing, educating yourself is the best defense when it comes to keeping your personal information secure. Always check for “phishy” clues, and call your IT department if you’re unsure of an email’s legitimacy. It’s always better to ask than to guess!
The goal of this blog is to answer the questions that you ask! For more information on business security, both the latest risks and what to do about them, check out related posts here. Please feel free to contact us with any questions or comments on this post!