PHISHING – 6 CLUES THAT SHOULD RAISE YOUR SUSPICIONS
Credential (i.e. username and password) phishing is on the rise. Attackers send phishing emails impersonating familiar brands to trick you into handing over your username and password, credit card numbers, and other private information. Phishers imitate company email addresses, signatures, and logos to build a false sense of trust. Even if an email looks like it is from a legitimate company, you still need to exercise caution.
Phishing emails are designed to grab your attention and appeal to your emotions with narratives like account access suspended, payment transfer complete, or outstanding balance. The links in these emails direct you to a malicious site that looks like a real login page but is designed to steal your information.
Never enter a username and password or other sensitive information into an unverified website, even if the site looks legitimate. If the layout, images or URL look strange, you might have landed on a fake copy of a real site. Look out for old logos, broken images, stretched or fuzzy images, and deceptive URLs (e.g. www.paypol.com instead of www.paypal.com). Cybercriminals are crafty, so it’s important that we remain vigilant.
Here are six (6) other common clues that should raise your suspicions that you’ve received a phishing email.
- Sender: Just because you recognize the individual or company name on the email doesn’t make it safe. A name is easy to fake. Check the sender’s email address to confirm that the email is really from that person. Take a look at this example:
From: PayPal Support <firstname.lastname@example.org>
Although the sender has a label of PayPal Support, the email address: email@example.com does not support that claim.
- Greeting: Take a good look at the greeting. If it says “Dear Client,” “Dear Customer” or “Dear Valued Customer,” instead of your name, beware! This is a telltale sign you have received a phishing email. Most legitimate businesses use an email feature that will insert your first and last name into the greeting of the email.
- Content: Scammers try to create a sense of urgency so that you act rather than think (e.g., “Your account will be blocked!”). You may also notice poor grammar and spelling mistakes; legitimate organizations have professional communicators who typically avoid these types of mistakes. Perhaps the email asks for your personal or financial information, or asks you to update your account or change your password. Don’t fall for these tricks. If a work email looks suspicious, forward it to firstname.lastname@example.org.
- Link or button: Some phishing emails try to entice you with a link or a button, which then takes you to a fake website that is designed to steal your sensitive information (e.g. your username and password). Unless you can confirm the sender’s identity, you should never click on links or buttons.
Even if you recognize the sender, get into the habit of hovering your mouse over the links and buttons until a pop-up displays the real location. For instance, this link looks like it goes to PHSA, but it will actually take you to Google: www.phsa.ca. Can you spot the real link? If the link doesn't match up, don't click it.
- Attachment: Some phishing emails may contain an attachment. When you open a scammer’s attachment, you open the door to having malware installed onto your computer. This malware can wreak havoc on your computer and the organization’s entire network.
So the next time you receive an email with an attachment, take a moment to consider the legitimacy of the file. Were you expecting this file from someone you know? If you were not expecting the file but recognize the sender, give them a quick call to verify that the email you received is legitimate. If you cannot verify that the email is legitimate, delete it.
- Contact information: Legitimate organizations want you to get in touch with them if necessary. They show their contact information in their email so you can call them and verify that they are who they say they are. Phishing emails do not do this. They often neglect to provide a signature, or the information in it is vague, such as “IT Desk” or “John Doe”.
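As an added example that is not part of the original newsletter, the following Python checker applies five of the six clues above (sender, greeting, content, link, attachment) to a constructed sample message using only the standard library. The BRANDS, URGENT and GENERIC word lists are assumed starting points to be extended per organization; the contact-information clue is left out because judging a signature cannot be done mechanically, and host() also accepts bare "www.host" link text.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real phishing email): brand display name on an unrelated
# address, generic greeting, urgent wording, link text that differs from its href, attachment.
SAMPLE = """\
From: PayPal Support <billing@example.org>
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<p>Dear Valued Customer,</p><p>Your account will be blocked! Log in at
<a href="http://www.paypol.com/login">www.paypal.com</a></p>
--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.exe"

MZ
--B--
"""
BRANDS = ("paypal", "phsa")  # brands expected in display names; flagged when absent from the address domain
URGENT = ("will be blocked", "suspended", "immediately", "outstanding balance")
GENERIC = ("dear client", "dear customer", "dear valued customer")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host(s):
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def clues(raw):
    """Return which of the article's clues are present in a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    name, addr = parseaddr(msg["From"])
    if any(b in name.lower() and b not in addr.lower().rsplit("@", 1)[-1] for b in BRANDS):
        found.append("sender")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", html).lower()  # crude tag stripping, demo only
    if any(g in text for g in GENERIC):
        found.append("greeting")
    if any(u in text for u in URGENT):
        found.append("content")
    if any(host(h) != host(t) for h, t in ANCHOR.findall(html) if "." in t):
        found.append("link")  # visible host differs from the host the href goes to
    if any(True for _ in msg.iter_attachments()):
        found.append("attachment")
    return found
```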
In recent weeks, cybercriminals have been impersonating reputable public health and government agencies offering BC residents an opportunity to sign up for a COVID-19 vaccine. See some examples of those phishing emails here. For accurate and up-to-date information on the vaccine rollout throughout BC, please refer to: http://www.bccdc.ca/health-info/diseases-conditions/covid-19/covid-19-vaccine.
Due to the huge increase in phishing emails, we need more than ever to remain calm and cautious when reviewing our emails, especially if they contain urgent language, spelling errors, links or attachments. This will allow us to make informed decisions and avoid falling victim to a phishing scam.
It’s Contest Time!
This month’s contest will test your knowledge on spotting a phishing email. Click on the Spot the Phish Contest to participate in this quiz and we’ll enter you into a draw for a chance to WIN A PRIZE! Winners will be announced on Tuesday, February 23rd, 2021 via the Security Awareness News on the IMITS Infocentre.
Written by Joseph Tesoro, education awareness specialist, security awareness program and Sabrina Young, education awareness specialist, information security.
If you need to reach PHC’s Infection Prevention and Control Team (IPAC), please call local 69357. Do not contact individual IPAC team members.