According to the FBI’s Internet Crime Complaint Center, in one year people lost 30 million dollars to phishing schemes. It is an important skill to be able to spot a phishing attempt. In this article we will cover what a phishing email is, ways to spot a phishing email, and tools to verify the authenticity of links placed within emails. After reading this article, you will be able to better protect yourself from phishing attempts.

What is email phishing?

A phishing email is an email that appears to be from a legitimate company but will actually be from a malicious party. These types of emails will direct you to either respond or log in to a website with either your credentials or other personal information. This information is then captured and sent to the malicious party. Phishing emails lead to identity theft, loss of funds, and loss of access to personal accounts.

Spotting Phishing emails

Phishing emails are designed to look like legitimate emails from legitimate companies. This makes spotting them quite tricky. If you have any doubt of the authenticity of an email, start by contacting the company via a phone number listed on their website and not from the email because the number has likely been spoofed as well.

Below is a list of items to help identify phishing attempts:

  • The email doesn’t use your name. The email opens along the lines of Dear Sir/ Madam or Dear Customer. A company that you have an account with will have access to your full name.
  • Grammatical errors Emails that request account resets, etc. are all generated using templates that have been proofread many times.
  • Sender’s email address An email asking for any type of account or personal information will be sent from an email address that matches the company’s website address.
  • Pay attention to where links actually lead. Imbedded links can appear to be correct but when followed, they can lead to a different website that may have a similar appearance and spelling. A great resource to verify a link is https://isitphishing.org.

Using a password manager like LastPass https://lastpass.com or keypass https://keypass.info will also help. Password managers along with saving your password also have the proper website address associated with them. When you may have otherwise been tricked by a realistic looking phishing email, you will not be presented with your login information. This will alert you to an issue and stop you from giving out your information.

Using multi factor authentication such as SMS based (less secure), hardware keys like a YubiKey https://yubico.com, or an application like Google’s authenticator Google Authenticator can provide a layer of security as these second factors of authentication cannot be spoofed.

Some useful links for further reading:

www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

https://www.identitytheft.gov/Info-Lost-or-Stolen

https://www.imperva.com/learn/application-security/phishing-attack-scam/

https://www.webroot.com/gb/en/resources/tips-articles/what-is-phishing https://www.securitymetrics.com/blog/7-ways-recognize-phishing-email

November 7, 2019
Steven Nuhn