How to Recognize and Avoid Phishing Scams
Email phishing scams are the fraudulent attempt to use email to victims into giving sensitive corporate or personal information. FBI’s Internet Crime Complaint Center reported that in one year, email phishing scams cost people $30 million in losses. Many malware and cyber attacks begin with email phishing scams that give hackers information to escalate their cyber attacks to more targeted spear phishing email scams or to compromise a network.
Business Email Compromise (BEC) scams are email phishing scams targeted at companies and large corporations. BEC scams accounted for $1.3 billion in losses in 2018. Many people feel that they may not be the likely target of an email phishing scam because they think they have nothing to lose. There are a variety of tactics hackers use to steal money. Some hackers go after large numbers of victims stealing smaller amounts of money hoping to go undetected. More sophisticated hackers launch spear phishing scams against wealthier targets including corporations hoping to steal large sums of money from fewer victims before they are detected.
READ: What is a BEC Scam?
Email phishing scams can also be used to launch malware attacks and take over computers or entire IT networks. Emails are designed to convince the victim to click on a link, download of malicious attachment, or reply with sensitive information to the hackers and giving access they need to do further damage. Sometimes hackers simply asked a business recipient to pay a fraudulent invoice by wire transfer.
Limited time offer!
How To Detect An Email Phishing Scam
All emails have two names associated with the sender. The first name is the friendly name. The second name is the sending email box name. It’s important to understand the difference between the two.
The friendly name is the name that you may have been assigned to someone in your contact list because you legitimately know them. I tend to name my phone contacts with the person’s first and last names followed by how I know them. I do this as a reminder. For example, I might have someone listed as “Mary Smith Acme Company”. It helps me remember quickly how I know the caller. This is especially important for my phone contacts, so I don’t answer a spam call on accident.
You can also assign other information to your email contacts. When you assign a name to someone in your contact list that is a friendly name. For example, I can change Mary Smith’s name in my email contact list to simply read “Mary.”
Look Carefully at the Email Address
Hackers and spammers are capable up spoofing friendly names in the email scams they send in hopes of tricking you into thinking you know the sender. If the recipient of an email scam believe they know the sender, they are far more likely to open the email and follow the instructions inside.
The sending email box address is different than the friendly name. For example, the sending email address always has the @ symbol followed by the sending domain name. Bob @ gmail.com is an example of an email box name. Whereas just Bob is the friendly name.
Hackers spoof the friendly name to trick recipients into thinking that the Sunder is familiar to them. Tricking the recipient into opening the email is the first step to identity theft , launching a phishing campaign, or delivering malware via email campaign.
Beware of Website Spoofing
Next, look carefully at the sending domain name. Hackers often deply a tactic called website spoofing by using a closely named domain with a variation in spelling as another attempt to trick recipients into opening an email. A common tactic is to use singular or plural versions of legitimate domain. Other times hackers use some variation with extra words added on. For example, a scammer might send a scam email from something like chase credit card support or chase support hoping to trick you into thinking it was coming from Chase Bank.
Now if they combine the spoofed domain name along with some other piece of information, they already know about you – like your first name or the fact that you have a Chase account- and use an email friendly name like customer service, you are even more likely to open the scam email.
Spear Phishing Email Scams – What’s the Difference?
Hackers often use other data they purchased on the dark web and collaborate that into their phishing emails. The more data they have on you, the more they can refine the design and wording of an email phishing scam.
READ: How Does a Phishing Email Work?
In a spear phishing campaign, the hacker has already collected information about the target. The hacker may know their victims first name, where they work or what bank they use. A spear phishing email scam might address the recipient using their first name to make the email appear as if it’s coming from someone they know or business they have a relationship with like their bank.
A common phishing email tactic asks the user to check their online account, reset a password, or verify some piece of personal information. Sometimes a phishing email scam leads the recipient to a spoof website and asks them to enter sensitive data on a fraudulent web page. Often the webpage and the scam email are both designed to look just like the legitimate website.
If the victim does enter any data like account numbers, passwords, or personal information the hacker quickly collects the information and uses it to hack into the person’s account.
Sometimes hackers ask victims to simply reply to their scam email with the requested credentials. This is especially unsecured never give sensitive data like account numbers passwords or usernames an email because anyone could intercept the information.
Any unsolicited email could be a scam. Even if it appears to be from someone that you know.
What to Do If You Suspect A Phishing Email
Be suspicious of any email that asks you to update, check, or verify your account information. Do not click on any links in the email body.
Contact the company or person sending the email through another form of communication. Go to the company’s website and get the contact information from there. Be careful however that you are using a legitimate corporate website which is not necessarily the website listed in the email as that may be a closely named spoof website.
If the person in the email seems like they’re familiar, then ask them to verify their identity. Once I was sending emails to people I knew to ask for donations to a fundraiser. One of the recipients of my request replied and asked me a question to verify my identity. She asked me how we met. I replied with how, when, and where we met. it was a good way to check on who I was and if I had legitimately sent that email, which I had.
Another way to contact the company if you suspect a phishing email is to call them. If the email is from one of your credit cards, call the number on the back of the card. Don’t use any contact information or links in the scam email.
Hackers go to great lengths to make the phishing scam email appear as though it originates from a legitimate sender. They use the same color schemes, layout, and steal logos. They use their first name if they know it.
I was receiving phishing emails that were designed to look like a credit card that I actually have. My credit card has an email address that I can forward the scam emails to so they can help fight spam and phishing email campaigns. Once I called customer service because I was receiving so many of these phishing emails. Over the phone they showed me how to be sure that the email came from them and not a hacker. There are a few elements about a legitimate email that the hackers could not know. Since then it’s been much easier to detect and mitigate phishing emails from hackers.
Phishing Email Scam Checklist
- Examine the sender’s email address
- Do not click on any links in the email
- Call the phone numbers provided in the message
- Go to the company’s official website to log into your account
- Do not open or download any attachments
- Carefully examine all electronic requests for a payment or wire transfer of funds
- Be suspicious of any email that requires immediate action
- Confirm requests for wire transfers or payment in person or over the phone
- Do not verify any requests using contact information listed in the email
Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers