How to Protect Yourself Against Email Phishing (Spear Phishing Update)
I will be the first person to tell you to never click a link in an email from a bank or what you think is a legitimate link to any online account you may have. Whether it be Netflix, Amazon, Fed Ex, PayPal, Capital One or Spotify, the list of companies used by scam artists is endless.
Those sending out phishing emails use trust in these companies to fool us when we least expect it. This is how I came to click on one of those links, even though I know better. It happened to me when I had my guard down. More about that in a moment, along with how you can protect your online accounts and identity.
My story in a moment, but first let’s define exactly what I am talking about.
What is Phishing?
Phishing is a malicious attempt to steal your personal information and gain access to an online account you have with a reputable company. The scammer will send you a fake email that links to a fake login of that company.
The word phishing is pronounced like ‘fishing’, and just like a commercial fisherman casts a wide net to catch fish, scammers and hackers send out millions of emails in hopes of catching easy prey who unwittingly click on the links in those emails.
First of all, most online services will never send you a link asking you to sign into your account for any reason. If they do, I’ll explain why you should still not click it and how to access your account safely to see if the email actually came from a legitimate company. In most cases, these malicious emails contain alarming news about your account being compromised, hacked or suspended.
We’ve all seen these emails. They come from hackers and scammers and state “Your Account Has Been Locked”, or carry a message like the one I recently received from “Netflix”:
“Thanks for choosing Netflix membership! due latest security issues we need you to upgrade your account details in order to continue your membership.”
Notice how there was even a grammatical error in the message, but yes – I still clicked it. I knew full well that if our account had needed changing or was compromised, Netflix is one of those companies that would have emailed a notice and then instructed me to go to their website via usual methods (such as Googling Netflix or using a trusted bookmark you made in your browser). They won’t put the link in the email.
I Knew Better, but I Still Clicked a Phishing Link
In my case, I had just changed the WiFi password in our home, and this of course would affect Netflix’s ability to connect via the devices that were previously set up using the old password. Even though I know about phishing and to be careful when receiving these emails, my wife had just mentioned to me that she was unable to connect to Netflix.
At the same time the fake Netflix email arrived in my inbox. I was annoyed that Netflix may not be working so I clicked the link. Fortunately, I realized immediately what I’d done so I closed my browser before any harm was done.
Upon further investigation, I noticed that the link actually was going to a different website than Netflix, but in that moment of frustration it made sense in my mind to be receiving an email from Netflix.
Cyberthieves count on catching people off guard.
Even those taking extra precautions to be safe online, such as using only secure public networks or secure websites, can easily be stolen from if they are not paying attention. For example, if you don’t have a Chase bank account, then chances are you won’t pay much attention to a Chase email. You know it’s probably fraudulent. But if you do have an account related to the email, it makes sense to be receiving an email about a problem with your account, especially when you’ve recently logged into that account and made changes.
For example, imagine that you just shipped a package via FedEx, and later that day a FedEx email comes in stating that your package can’t be shipped. You immediately get stressed… “What?” If you’re not thinking, you will click the link to see what the problem is.
It’s a ‘game of chance’ as hackers send out millions of these emails. They know they will trick some people because, by coincidence alone, some recipients will not only have an account related to the email but will have recently made changes to that account, shipped a package with UPS, or applied for a loan at a bank.
If there is a legitimate problem with your online account, there will be a notice posted about it after you log in. If all is normal, then you know the email you received is a scam.
Phishing, also known as Spoofing, is very common. If you click the link in a phishing email and you attempt to log into your account, thieves gain access to your user name and password. Once inside the account, they have access to all of your personal information.
Beware of Viruses Coming as Email Attachments
Protecting yourself against phishing is as easy as never clicking a link to an online account from within the email. Always go to your account by typing the website URL directly into a browser, or use the bookmark you’ve set up. Computer infections caused by viruses in email attachments, however, are a different story. This is why anti-virus software is important to stop spyware, Trojan horses, adware and computer worms. But there are new email virus schemes that employ the same methods as phishing.
You may have seen them. These emails contain attachments in the form of a seemingly innocent Word doc or a zip file. The email may say, “Your loan has been approved!” or “Attached is Your Out Standing Invoice”. If you happen to have just applied for a loan or are curious whether you owe money, you will be more likely to open the attachment.
Invoice scams are an example of phishing: you may receive a fake invoice from PayPal or another invoicing platform. Usually, the dollar amount is high enough to cause alarm when you receive it, but low enough that it doesn’t look like an obvious scam.
If you’re not expecting an invoice or it’s unknown to you, don’t click the link. Log into your credit card account from your trusted bookmarks, or access the payment platform directly, to see if there are any charges. Chances are, there won’t be.
While a phishing email gains access to a single account and the personal information in it, a virus sent via email activates malware that infects your entire computer. In both cases, your personal information is compromised.
If you have accidentally given access to one of your online accounts for any reason or are not sure, log in and change your password as soon as possible.
If you think your computer has been infected by a virus, read more about how to remove malware – as well as protect yourself from attacks.
Protect Yourself Using the SLAM Method
S stands for Sender:
Check to make sure the sender matches the request in an email. If things don’t line up, tread lightly. The email may also be spoofed to look like it’s from a friend or your boss, or their email account may have been hacked. If unsure, contact them by creating a new email from your contacts, see them in person, or call to verify the message.
L stands for Links:
Inspect any link contained in any email or text. In emails, you can hover over the link to see the real destination. Pressing and holding the link on a phone will reveal the destination in a popup; close the popup without proceeding. Texts should also be verified. If you know the sender, check with them first to see if they sent you a text with a link. This includes companies.
A stands for Attachments:
Be cautious of all attachments in all emails you receive. Attachments can be named in a way that seems trustworthy. Verify the sender and, if they are familiar to you, check with them first before opening the attachment. Installing anti-virus software will help screen for viruses, but this does not mean you won’t receive attachments that are infected with malware or spyware.
M stands for Message:
Examine all messages you receive via email or text. Check for spelling errors or unusual use of words or phrases. Grammatical errors are common signs of a phishing email. Even if everything looks legitimate, check for oddities that seem off. This includes requests for personal information or a topic that doesn’t line up with your personal situation.
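The Sender and Links checks above can be automated for a saved email. The following is an added example, not code from the original post: it parses a constructed sample message, compares the From and Reply-To domains, and flags any link whose visible text shows one site while the actual href goes to another. The sample headers and domains are made up for illustration.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the post): text and From say netflix.com, href and Reply-To do not
SAMPLE_EML = """From: Netflix <support@netflix.com>
Reply-To: billing@netflix-account-update.example
Content-Type: text/html; charset=utf-8

<p>Please visit <a href="http://login.netflix-account-update.example/verify">
https://www.netflix.com/YourAccount</a> to continue your membership.</p>
<p>Help: <a href="https://help.netflix.com">help.netflix.com</a></p>
"""

class _Links(HTMLParser):  # collects (visible text, href) for every <a> in the body
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable(text):
    # Crude site name: last two labels of the host in a URL, bare domain or address
    host = text.rsplit("@", 1)[-1]
    host = urlparse(host if "://" in host else "http://" + host).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def slam_check(raw):  # -> [(code, detail)]; 'S' = sender mismatch, 'L' = misleading link
    msg = email.message_from_string(raw)
    findings = []
    sender = registrable(parseaddr(msg.get("From", ""))[1])
    reply_to = registrable(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_to and reply_to != sender:  # S: replies would go to another domain
        findings.append(("S", f"From {sender} but Reply-To {reply_to}"))
    parser = _Links()
    parser.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    for text, href in parser.pairs:  # L: what the text shows vs. where the link goes
        if href and re.search(r"[\w-]+\.[a-z]{2,}", text, re.I) and registrable(text) != registrable(href):
            findings.append(("L", f"shows {registrable(text)}, goes to {registrable(href)}"))
    return findings
```

Running `slam_check(SAMPLE_EML)` reports one S finding and one L finding; the genuine help.netflix.com link produces none.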
Spear Phishing
Spear phishing attacks often use specific details about an individual to get them to trust the message. This information can be gathered from social media, or from the responses of victims who unknowingly reply to phishing emails or texts. This is why privacy settings should be updated to be more secure.
But even if you do everything correctly, company data breaches can mean that your personal information is stolen and sold to scammers. Therefore, all accounts should have multi-factor authentication set up.
To clarify:
Phishing is when generic emails or texts are sent out to the masses, like a wide net cast out into the sea to catch a lot of fish.
Spear phishing is when you receive an email sent directly to you with personal details.
When you get a phishing email with personal information in it, it can look legitimate. With AI, cybercriminals can generate these messages more easily than ever before. Just because a message includes information personalized to you doesn’t mean you can automatically trust it. Extra vigilance is required.
How to Stop Phishing Emails
There are things you can do to help stop hackers who send phishing emails. Virtually every online account service you use will have a security department that investigates phishing. As such, many have email addresses that you can forward these bad emails to for further investigation. When you get a suspicious email, report it as possible phishing. Simply Google the company name with the word phishing (e.g. ‘Report PayPal Phishing’ or ‘Report Chase Phishing’). You will often find information about where to send phishing emails and perhaps help these companies catch the cyberthieves.
If you land on a URL that appears to be impersonating a legitimate website, report the phishing website to the Google Safe Browsing team.
With new technology, there is more you need to learn to avoid being scammed:
Read about SMishing and Vishing, as well as Quishing.