Phishing emails continue to trick people into giving away personal information which can be used by fraudsters to inflict harm and financial losses on their victims. Emails can be compelling, made to look like they come from anyone, and with just enough bait on the hook to easily catch people. Fake websites are easy to set up and look like the real sites, and fake emails are easy to send, which can look as though they came from your bank.
Using simulated phishing emails within an organisation for testing employees’ security awareness proved that even experienced information security professionals were susceptible to some phishing emails.
Here are some thoughts to prevent you from becoming the next victim:
- Never reply to emails asking for passwords, PINs or other logon credentials. No legitimate business will ever ask for these details. Never give your password to anyone, regardless of the circumstances.
- DO NOT open attachments unless you are 100% sure about the origin of the email
- DO NOT click on links in emails. Always go directly to the real website and log in to your accounts in the usual way
- Phishing emails often have poor spelling and grammar along with non-personal greetings such as ‘Dear customer’. However, if they obtained your name and email address from another source, personalised phishing emails will look more authentic.
- DO NOT reply to any SPAM or Phishing emails.
- Phishing emails will often create a sense of urgency. For example, if an offering is too good to be true, or a deal is only available for a short period, or the email informs you of account deactivation if you don’t log in within a specific timeframe.
- DON’T assume that because the link is HTTPS:// that it is genuine. The fact is that anyone can buy a certificate or set up a certificate authority. Personal details you disclose may be encrypted when sent, but that means nothing if you send encrypted information to a fake website set up by fraudsters.
- Report phishing emails to the imitated organisations and delete them
- Phishing emails will often use current events as a means to get your attention and encourage you to take action. People injured in an earthquake, for example, will likely trigger phishing emails asking for financial support and playing on people’s natural empathy for those in need. Likewise, if the deadline for tax returns is approaching, a phishing email would attempt to exploit that urgency.
- Links in phishing emails will often be hidden behind the text so that it appears to be a link to one site, but the actual URL is for a different website. Hovering over the link will reveal the correct destination.
In terms of the economic viability of phishing emails, with emails sent to millions of potential victims, it only takes a small number of catches for the operation to be profitable.
Robert is an information security professional with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through Telegram.