Phishing emails continue to trick people into giving away personal information, which fraudsters then use to inflict harm and financial losses on their victims. The emails can be extremely convincing: the sender address can be made to look like it belongs to anyone, and there is just enough bait on the hook for people to be caught. Fake websites that look like the real sites are easy to set up, and emails that appear to come from your bank are easy to send.
Simulated phishing campaigns run within organisations to test employees' security awareness have shown that even experienced information security professionals fall for some phishing emails.
Here are some thoughts to prevent you from becoming the next victim:
- Never reply to emails asking for passwords, PINs or other logon credentials. No legitimate business will ever ask for these details. Never give your password to anyone, regardless of the circumstances.
- DO NOT open attachments unless you are 100% sure about the origin of the email.
- DO NOT click on links in emails. Always go directly to the real website, by typing the address or using a bookmark you saved yourself, and log on to your accounts in the normal way.
- Phishing emails often have poor spelling and grammar along with non-personal greetings such as ‘Dear customer’. However, if your name and email address were obtained from another source, personalised phishing emails will look more authentic.
- DO NOT reply to any spam or phishing emails.
- Phishing emails will often create a sense of urgency: an offer that is too good to be true, a deal that is only available for a short period, or a warning that your account will be deactivated if you don't log on within a specific timeframe.
- DO NOT assume that a link is genuine because it starts with https://. Anyone who controls a domain can obtain a valid certificate for it, often for free, and a fraudster's lookalike domain is no exception. The padlock only tells you that your personal details are encrypted on the way to whoever owns that domain; it says nothing about whether that owner is your bank, so the encryption means nothing if the details are being sent to a fake website set up by fraudsters.
- Report phishing emails to the organisations being imitated, then delete them.
- Phishing emails will often use current events as a means to get your attention and encourage you to take action. People being injured in an earthquake, for example, will likely trigger phishing emails asking for financial support and playing on people’s natural empathy for those in need. Likewise, if the deadline for tax returns is approaching, a phishing email would attempt to exploit that urgency.
- Links in phishing emails will often be hidden behind text so that they appear to point to one site, while the actual URL behind the text goes to a different site. Hovering over the link without clicking it will reveal the true destination (on a touchscreen, a long press usually shows it). Check the domain in that destination carefully, not just whether the company's name appears somewhere in the address.
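As an added example that is not part of the original article, the following Python script automates the last two checks above: it walks the anchors in an HTML email body, and wherever the visible link text itself looks like a web address, it compares the host shown to the reader with the host the href actually points to. A mismatch is flagged regardless of whether the real destination uses https. The email body and the domains in it are constructed for illustration and do not refer to any real organisation.

```python
"""Flag links whose visible text points to one host while the href goes to another."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a hostname (optionally with scheme and path) in link text.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)


def _normalise_host(host):
    """Lower-case a hostname and drop a leading 'www.' so www.x.com and x.com compare equal."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def link_host(href):
    """Return the normalised hostname an href actually leads to, or None if not a web link."""
    href = (href or "").strip()
    parsed = urlparse(href)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return None  # mailto:, tel:, javascript: and friends are out of scope here
    if not parsed.scheme:
        parsed = urlparse("http://" + href)  # scheme-less href such as "www.example.com/x"
    return _normalise_host(parsed.hostname) or None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data  # text nested inside the anchor, entities already decoded

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def find_deceptive_links(html):
    """Return one finding per anchor whose displayed host differs from the host in its href."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        text = " ".join(text.split())
        match = DOMAIN_RE.search(text)
        if not match:
            continue  # plain text like "click here" shows no host to compare against
        shown = _normalise_host(match.group(1))
        actual = link_host(href)
        if actual is None:
            continue
        # A subdomain of the shown host (help.bank.com for bank.com) is consistent;
        # bank.com.evil.net is not, because it does not end with ".bank.com".
        if actual != shown and not actual.endswith("." + shown):
            findings.append({
                "text": text,
                "href": href,
                "shown_host": shown,
                "actual_host": actual,
                "https": urlparse(href).scheme.lower() == "https",
            })
    return findings


# Constructed sample email body; the bank and domains are fictitious.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Your account will be deactivated in 24 hours unless you log on at
<a href="https://secure-login.examplebank-verify.net/x">https://www.examplebank.com/login</a>.</p>
<p>Read our <a href="https://www.examplebank.com/security">security advice</a>.</p>
<p>Questions? Visit <a href="https://help.examplebank.com/">examplebank.com</a>.</p>
"""

if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL):
        tls = " (https, but to the wrong site)" if finding["https"] else ""
        print(f"shown: {finding['shown_host']}  actual: {finding['actual_host']}{tls}")
```

Only the first link is reported: its text displays the bank's address while the href leads to a different domain, and the https scheme does not rescue it. The "security advice" link shows no host in its text, so there is nothing to compare, and the help.examplebank.com link is a subdomain of the host it displays.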
In terms of the economic viability of phishing, it is worth noting that emails can be sent to thousands if not millions of potential victims at almost no cost, and it only takes a small number of catches for the operation to be profitable.
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.