How to Protect Yourself Against Email Phishing Attacks

Email phishing is a form of attack where a scammer attempts to fraudulently obtain sensitive information (such as your username and password, sensitive personal information, or financial details) or to have you install malware by clicking a link contained in the email message.

In the past, this type of scam was perpetrated through phone calls and physical letters, but the prevalence of email communications today means that it can be applied on a massive scale so that from thousands of emails, only a few need to succeed for the scammer to achieve their aim.

These types of attacks are particularly dangerous because, no matter how good a computer system’s or bank’s security is, once the scammer has legitimate credentials, it is almost impossible to identify them as fraudsters and prevent them from causing harm until it is too late. It’s important to remember that there are real consequences for people who fall prey to these attacks, and they can cause significant financial loss and possibly identity theft.

Following is information on how to recognize phishing attacks and steps you can take to protect yourself against them.

How the Phishing Scam Works

Scammers will use psychological techniques to make you take specific actions that they desire. Usually, they do this by imparting a sense of urgency to the action, implying you will receive money by taking action or simply by playing on humans’ natural curiosity to get them to click a link or open an attachment.

Sometimes scammers may ask you to send sensitive details in a return email. This is a red flag; banks and financial institutions never ask for information to be sent by email.

Often scammers will claim that they need to confirm certain details with you and ask you to enter them on an apparently legitimate website. Clicking the link in the email displays a fake website that mimics the legitimate site and asks you to enter your user ID and password (or other sensitive details) which are then stolen.

Some of the most insidious forms of this scam ask you to click on an attachment in the email. While attachments may appear harmless, malicious software can be installed in a matter of seconds without your knowledge or consent; this can occur even when you are only opening a document attachment (such as a Word or PDF file).

How to Recognise and Avoid a Phishing Attack

Phishing emails often have certain common features that give them away. One such sign is an email that imparts a sense of urgency or contains an implicit threat if you don’t take the requested action.

Use common sense when opening emails from an unknown or questionable source. Ask yourself: ‘Is there anything suspicious about this email?’ ‘Does it contain spelling or other obvious errors?’ ‘Is the content highly unlikely or just too good to be true?’ If the email uses an impersonal greeting, this is a sign the sender doesn’t have your personal details, and it is therefore suspicious.

Also, look out for the following red flags in the email:

  • claims that there has been suspicious activity on your account and requires you to reset your password
  • claims there is a problem with payment or that you are due a refund
  • requires you to confirm personal information by entering it again
  • contains an invoice for services or goods you did not order
  • claims you are eligible for a refund or are due other money
  • offers a special discount not available elsewhere

You should never click on an attachment in an email from an unknown sender. No matter how enticing the content of the attachment sounds, never open it. Opening such documents also grants privileges that enable the installation of unwanted software or malware on your computer.

This can include ransomware (which encrypts your data until you pay a fee) and key-loggers (that send details of everything you type on your computer to the scammer), among many others. No matter how harmless the attachment may seem, once you have clicked, it is too late.

How to Protect Yourself Against Phishing Attacks

Be wary of any email that asks for confidential information, such as personal details or banking information, or that asks you to click a link to a website. If the site where you usually enter such details (your bank’s website, for example) looks different, use your web browser to access the bank through the website you normally use. Banks, as a rule, never ask for sensitive financial details to be sent by email.

Be careful of shortened links (such as those created using bit.ly or tinyurl.com) that obscure the actual target website you will be sent to. These can be used to trick you into thinking you are accessing a legitimate site while redirecting you to a fake one. One way you can check the underlying site of a link is to place your mouse cursor over the shortened link text. Your browser will show the destination site at the bottom of your browser window.

Always check that the site on which you’re entering sensitive information is secured (that is, uses the https:// protocol and displays a lock icon next to the address). Google now labels sites that do not use this protocol by prefixing the address with ‘Unsecured’.

Protect your accounts by enabling two-factor or multi-factor authentication. This means that as well as your user ID/password credentials, you must use one or more additional means of identifying yourself. This could be the answer to a security question only you know, authentication through your mobile phone, or other means such as a fingerprint or retinal scan.

You should install anti-virus and other security software that will alert you when a process (such as that initiated by an attachment) is attempting to install software on your computer. Also, make sure that firewall protection is enabled on your computer so that it can block malicious sites.

Finally, you should always back up your important data in case the worst happens and you fall victim to an attack. You should keep your backups on a drive not connected to your computer, preferably in a secure location, or use cloud storage.