Today’s online environment is characterized not only by ease of access and communication, but also by spam, phishing and other online threats. As this piece is part of a series meant to raise awareness among internet users, we advise readers to also check out the key differences between spam and phishing.
Phishing, also referred to as email scams or spoofing, consists of fraudulent emails sent in an attempt to trick victims into handing over important information, such as account credentials or credit card data, to scammers.
Most phishing emails come from white-collar criminals who impersonate companies or individuals in order to gain the victim’s trust.
We have compiled a list of phishing signs to help you understand the way email scams work. The list won’t actually filter your emails, however; for that you need to deploy a professional email filtering solution.
Signs of phishing
You either have no idea who the sender is or the scammers impersonate a specific company or known individual – Scammers usually rely on tricking you by introducing themselves as a familiar figure, an individual or a company you know or whose services you are using. This way they bypass the first question you may ask yourself when receiving an email: “Who are you and why are you sending me this email?”.
You did not initiate the conversation – On top of having no idea who the sender is, or whether they are trying to impersonate someone else, you were not even expecting this conversation.
The email contains small grammar mistakes – Although you will probably notice more grammar mistakes from spammers than from scammers, who tend to be careful because they have a well-defined target, scammers also often skip proper proofreading.
Dangerous attachments – You never know what kind of malicious attachments phishing emails contain. Scammers might ask you to fill out an MS Office document with your personal information, or may send a document that contains macros which run as soon as the file is opened with macros enabled. This is how phishing authors not only trick you into revealing personal details, but also infect your computer with a malware strain such as spyware and exfiltrate all the data they find on it.
Links leading to web forms – Scammers often place links in phishing emails that redirect users to phony websites, where they are asked for specific credentials or for their personal or credit card information, such as name, credit card number, expiration date and card verification value.
Check for domain typosquatting – As we have mentioned in “How to Identify Spam”, scammers also leverage typosquatting to their advantage by taking well-known domains and changing a single letter or the TLD to trick victims.
They ask for money to cover expenses – You’ve won the lottery in Nigeria but they need some cash to wire the whole million back to you? There’s no such lottery and your cash certainly won’t be used to wire you anything. The same applies to tax return phishing emails or any other kind of scam asking you for money.
Things are either very good or very bad – Scammers often use threats, or their message seems too good to be true. Got any mail from the FBI or the IRS recently? Check again! It is 99% a scam, as the FBI or the IRS will never send you emails. They may just visit you at home, but they will never message you to ask for money or request personal information over email.
Leaving emails aside, there are also phishing websites that usually attempt to impersonate popular social media websites such as Facebook, Twitter, LinkedIn or payment services like PayPal and so on. There are also copies of popular marketplaces, for example eBay or Amazon, where scammers attempt to replicate the brand pixel by pixel to trick victims into filling in their details.
Here are some signs you also need to be aware of when visiting a phishing website:
The URL – Before you do anything, double-check the link. Also look for typosquatting, as mentioned above.
An encrypted connection and a valid SSL Certificate – If it’s not HTTPS, never fill out any kind of form, for two reasons. The first is Man-in-the-Middle attacks, which are very popular these days, and the second is the lack of authenticity, as that website can’t prove that it is legitimate. In this niche you will also find phishing websites with HTTPS enabled but with a fake certificate, so a padlock alone proves nothing. Always check the certificate when in doubt, and make sure it was issued for the exact domain you expect, not a lookalike.
Be aware of pop-ups that ask you to type in your credentials – Most pop-ups, even on legitimate websites, demand some personal information alongside an offer “you can’t refuse”. Just don’t give away any information, especially on phishing websites.
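The typosquatting and URL checks above can be partly automated. The following is an added example, not code from the original post: it classifies the host of a link against a constructed allow-list of trusted domains, flagging a changed TLD, a one-letter change, digit-for-letter swaps, and (going one step beyond the text) a brand name buried in the subdomain of an unrelated site. The allow-list, swap table and sample links are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the user actually does business with.
TRUSTED = {"paypal.com", "amazon.com", "ebay.com", "linkedin.com"}

# Character swaps that survive a quick glance (constructed list).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches a single changed, added or dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(host: str) -> tuple[str, str]:
    """Return (registered name, TLD). Multi-part suffixes such as co.uk are
    out of scope for this example and would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) > 1 else labels[0], labels[-1]


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host in a link."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "unknown"
    if host in TRUSTED or any(host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    labels = host.split(".")
    name, tld = split_domain(host)
    normalised = name
    for lookalike, real in HOMOGLYPHS:
        normalised = normalised.replace(lookalike, real)
    for trusted in TRUSTED:
        t_name, t_tld = split_domain(trusted)
        if name == t_name and tld != t_tld:            # paypal.net
            return "lookalike"
        if normalised == t_name and name != t_name:     # paypa1.com, arnazon.com
            return "lookalike"
        if edit_distance(name, t_name) == 1:            # amazom.com
            return "lookalike"
        if t_name in labels[:-2]:                       # paypal.com.example.net
            return "lookalike"
    return "unknown"
```

A result of "unknown" only means the host is not a near-copy of a trusted brand; it is not a clean bill of health.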
It’s pretty obvious that a scammer needs to possess some good social engineering skills to trick their victims into handing over sensitive information. Though social engineering is used by both scammers and spammers, mind the differences between them.
Key Fact! Never send any credentials, personal or credit card information over email or phone unless you can confirm the identity of the party asking for it. Even then, password-protect any attachments you send over email and make sure you know who you are sending them to.
Overall, most companies never ask for sensitive information over email or phone; instead, you will usually be asked to fill out forms on their website over an encrypted connection.
If you know any other traits of phishing or you have encountered phishing scams different from the “standard” one, let us know by commenting below.