According to Commtouch’s quarterly Internet Threats Trend Report, an average of 97 billion spam, phish, and malware-laden emails were sent worldwide every day during the first quarter of 2013. The United States Computer Emergency Readiness Team (US-CERT) defines phishing in the following way:
“Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords, that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.”
As more and more people continue to rely on the Internet as a primary communication tool, hackers and cybercriminals are developing and using increasingly clever phishing strategies to steal sensitive account information, money, and even entire identities from unsuspecting victims online.
If you regularly use the Internet to communicate with family and friends, make purchases, manage your bank accounts, or read the news, it’s important that you take the time to learn how to prevent cybercriminals and hackers from accessing and stealing your private information.
In the remainder of this post, we’ll outline how to recognize a phishing message in four simple steps.
Does the message contain information that could be found on social media sites or your personal website?
You may not always remember it, but you give away a lot of personal information when you sign up for accounts on social media sites like Facebook and Twitter. In order to gain the trust of their victims, hackers and other cybercriminals often use personal information (name, email address, hobbies, interests, employer) that can be easily found or accessed on popular social networking sites.
This is part of a tactic that many Internet security experts refer to as social engineering. According to US-CERT, “in a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems.”
The first step in recognizing a potentially malicious phishing message is to pay attention to the personal information used in the content or subject line of the email. If the information used is outdated (a reference to an old employer), no longer relevant (you moved cities but you haven’t updated it on Facebook yet), or looks peculiar in any other way, be cautious of the email.
Does the message contain questionable URLs or spelling?
The second step in recognizing a phishing message is to determine whether the message contains any questionable URLs or misspellings. Most legitimate companies and organizations that send out emails on a regular basis take the time to proofread copy before sending a message to subscribers. If you receive or open an email that contains obviously misspelled words, there is a good chance that it is not legitimate.
The same is true for unfamiliar or hard-to-read URLs within the copy of the email. On a page within the Safety & Security Center section of its website, Microsoft offers the following advice on how to identify potentially malicious URLs within suspicious email messages:
“If you see a link in a suspicious email message, don’t click on it. Rest your mouse (but don’t click) on the link to see if the address matches the link that was typed in the message.”
This is an important step to take before clicking on any URL you see within the body of an email. Although the link text might look familiar at first glance, you must carefully check whether the address it actually points to is the same destination it shows.
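The hover check above can also be done programmatically. This added example (not code from the original post or from Microsoft) parses the anchors in an HTML email body and reports any whose visible text shows one host while the href points to another; the sample body and its hostnames are constructed.

```python
"""Flag email links whose visible text shows one host while the href points
elsewhere. Added example (not from the original post); HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML email body; hostnames are placeholders.
SAMPLE_BODY = """
<p>Please <a href="http://login.example-fake.test/verify">https://www.examplebank.com/login</a>
to verify your account.</p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a>.</p>
<p><a href="http://promo.example-fake.test">Click here</a> for offers.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self._href = None      # href of the anchor currently open, if any
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname from a URL or bare 'www.x.y' text, else ''."""
    value = value.strip() if "://" in value else "//" + value.strip()  # bare name -> netloc
    host = (urlparse(value).hostname or "").lower()
    return host if "." in host and " " not in host else ""


def mismatched_links(html_body):
    """Return (visible text, href) for links whose shown host differs from the
    real one; plain words like 'Click here' have no host and are skipped."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    return [(text, href) for href, text in parser.anchors
            if _host(text) and _host(text) != _host(href)]
```

Running `mismatched_links(SAMPLE_BODY)` flags only the first link, whose text names the bank's site but whose href goes to the look-alike host.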
Does the message mention a timely current event or pop culture reference?
According to Commtouch’s quarterly Internet Threats Trend Report, hackers often use current news topics of the day or week to lure recipients into opening emails or clicking on links. The same can be true for popular culture references and related stories.
The third step in recognizing a phishing message is to determine why you are receiving information about current events (did you sign up to have news digests emailed to you?), who the information is coming from (is the message from a source you know and trust?), and whether the URLs within the body of the email are safe to click on. If you receive an email with a provocative subject line about a recent news story, but you don’t remember signing up to receive email updates like the one sitting in your inbox, avoid opening the email.
If the message appears to be from a person or company you know, does it actually sound or look like them?
Although an email may appear to be from a person or company you know, it’s still important to be cautious when opening the email or clicking on any links in the copy. As mentioned above, hackers often use social engineering tactics to gain your trust. Always check the email address of the sender before clicking on any links or downloading any attachments. Even if the sender’s name shows up correctly in your inbox, you should still take the time to check the actual email address from which the message was sent. If it looks unfamiliar, delete the message rather than risk clicking a malicious link or downloading harmful material.
You should also be cautious of any links within emails that take you to login pages. Logos and the appearance of legitimate websites are easy for hackers to copy. In order to trick you into giving away your private login information for secure sites (e.g. banking), hackers and cybercriminals will include a link to a fake website that looks almost identical to the real thing.
A Yahoo! Security article recommends paying attention to the company name that appears on a site you think might be fake. The article states, “Often the web address of a phishing site looks correct, but actually contains a common misspelling of the company name or a character or symbol before or after the company name. Look out for tricks such as substituting the number ‘1’ for the letter ‘l’ in a web address (for example, www.paypa1.com instead of www.paypal.com).”
The fourth step in recognizing a phishing message is to be aware of where an email is actually coming from, and to pay attention to any unfamiliar design changes on login pages you’re used to visiting.
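Both checks in this step, the sender’s real address versus the name it displays and web addresses that imitate a company name, can be scripted. This added example (not from the original post, Yahoo! or any product) compares a From: header’s display name with the domain the address actually uses and flags hostnames that contain a known brand name, after undoing substitutions such as ‘1’ for ‘l’, without being on that brand’s real domain; the brand table and all addresses are constructed.

```python
"""Check who a message actually comes from: the sender's real address against
the name it displays, and hostnames against the brands they imitate (the
"1" for "l" trick). Added example, not from the original post; the brand
table and all addresses below are constructed."""
from email.utils import parseaddr

# Brand name -> the registrable domain it legitimately uses (constructed).
KNOWN_BRANDS = {"paypal": "paypal.com", "examplebank": "examplebank.com"}
# Characters commonly swapped for look-alike letters in phishing hostnames.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "|": "l"})


def registrable_domain(host):
    """Last two labels of a hostname (sufficient for .com-style domains)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_brand(host):
    """Return the brand a hostname imitates, or None if it is genuine or unrelated."""
    host = host.lower()
    if registrable_domain(host) in KNOWN_BRANDS.values():
        return None                     # the real domain, or a subdomain of it
    # Undo look-alike substitutions before searching for the brand name.
    normalized = host.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    for brand in KNOWN_BRANDS:
        if brand in host or brand in normalized:
            return brand                # brand present, but not on its own domain
    return None


def sender_findings(from_header):
    """Compare a From: header's display name with the address it really uses."""
    name, addr = parseaddr(from_header)
    host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    for brand, real in KNOWN_BRANDS.items():
        if brand in name.lower() and registrable_domain(host) != real:
            findings.append(f"display name claims {brand!r} but address is @{host}")
    imitated = lookalike_brand(host) if host else None
    if imitated:
        findings.append(f"sender domain {host} imitates {imitated!r}")
    return findings


if __name__ == "__main__":
    for header in ('"PayPal Service" <service@paypa1.com>',   # constructed
                   "Alice <alice@examplebank.com>"):
        print(header, "->", sender_findings(header) or "no findings")
```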
SMiShing: An Emerging Threat To Watch Out For
A growing number of victims are falling prey to phishing attacks that occur on their mobile devices. According to a T-Mobile Privacy & Security Resources article, “‘SMiShing’ is really just another form of Phishing, and occurs when a fraudster sends you an SMS/text message asking you to provide sensitive, personal, and/or financial information via a web link and false website, or a telephone number.”
To learn more about how to protect yourself from SMiShing attacks, click here.