What Are Phishing Emails, How Do I Identify Them, and How Do I Deal With Them?

What Are Phishing Emails, How Do I Identify Them, and How Do I Deal With Them?
Content List


"Pawn Storm," an espionage outfit, sends a bogus email to Gmail subscribers with the subject line "Your account is at risk." The email states that the user's account has been subjected to many unauthorized sign-in attempts and recommends that the user install the "Google Defender" software.

The email is a hoax designed to trick customers into handing over their Google account's unique access token. In the event that a victim falls for the trap, they will be led to a legitimate Google website, where they will unwittingly allow the "Google Defender" application to read and handle their email.

Even if the victim did not provide their account's login password, they did provide what is known as an OAuth token. An OAuth token enables Gmail users to authorize access to their Google accounts to legitimate third-party applications. However, this is just one of the numerous techniques con artists employ to fool unsuspecting victims.

Even staff of well-known internet companies are susceptible to phishing assaults. According to CNBC, Google and Facebook were the victims of a sophisticated phishing attempt that targeted both businesses' workers. Employees were duped into wire transfers totaling more than $100 million to foreign bank accounts.

Evaldas Rimasauskas of Lithuania is accused of impersonating Taiwanese electronics business Quanta Computer through phishing emails sent to workers of both companies asking for payment for goods and services.

In related news, former Homeland Security Secretary Jeh Johnson stated during a November 2016 Financial Crimes and Cybersecurity Symposium in New York that the threat his government fears the most is the simple phishing email.

What Are Phishing Emails, How Do I Identify Them, and How Do I Deal With Them?


Phishing emails' hazards

In the context of identity theft, the term "phishing" refers to a scam that uses electronic communication methods, specifically email and text messages, to trick unsuspecting users into disclosing sensitive personal or business information that can be used to steal their identities, raid their bank accounts, and engage in other criminal activities.

Phishing emails and websites are used by criminals to deceive people into revealing information that bad actors can then use to make their lives a living misery.

Despite the fact that emails and other types of internet contact appear to come from a reputable source, be cautious.

Examples of companies that may be targeted include a victim's bank, an online payment processor such as PayPal, an auction site, a law enforcement agency, or even the information technology department of the victim's employer.

Phishing puts individuals, businesses, and educational institutions at risk by allowing criminal actors to obtain financial information, personal data, confidential company information, health information, and student data, among other things.

Internet service providers or financial services organizations may blacklist businesses and educational institutions in the most severe examples of phishing attacks, barring the entities and their workers from connecting with the outside world or making payments for goods and services.

Phishing can also be used to divert the focus of valuable staff employees, such as those in the IT and human resources departments, away from their normal productive activities and toward repairing the harm created by phishing.

Phishing email types

Phishing can be classified into three distinct categories. There are three types of spear-phishing: spear phishing, clone phishing, and whaling. While each type is designed to target a distinct demographic of people, they all share one goal: they want to steal your personal and business information.

Phishing with a Spear

Spear Phishing is a type of phishing attack that is targeted at a specific individual or business. The attack is intended to gather information about the target, increasing the likelihood of success. This sort of phishing is responsible for the great majority of current online phishing efforts.

Phishing with a Clone

Clone Phishing is a technique used to construct an almost identical or "cloned" email from a valid and previously sent piece of online contact. The cloned correspondence will contain malicious links or attachments, which the victim will almost certainly trust based on previous email interactions.

Whaling

Whaling is a type of phishing attack that targets a senior executive or another high-profile target within an organization. A whaling attempt will tailor the counterfeit email correspondence or website to the target's position within the firm or organization. This content could be legal in nature, such as a subpoena, a customer complaint, or another matter that requires the attention of an executive.

How to tell whether an email is a phishing attempt

While phishing emails might be convincing, there are a variety of ways to spot them. As is customary, the proverb "If it seems too good to be true, it usually is" applies to the majority of phishing correspondence you may encounter. Whether you believe it or not, African kings do not often give away their immense wealth troves to complete strangers.

I'll walk you through several methods for detecting and identifying phishing emails in this part. I'll discuss the obvious, and occasionally not-so-obvious, ways to detect when you're being phished.

Take a thorough look at the email address in question.

Perhaps the most common phishing technique is to fake an email address so that it appears to originate from a credible domain. You might receive an email purporting to be from "Bank of America Customer Service" or the "Federal Reserve Bank," for example.

At first sight, this email may appear to be real. However, a closer examination of the email address reveals that it is a "federal reserve bank."@blake.ocn.ne.jp." Contrary to popular belief, the Federal Reserve does not use the "lake.ocn.ne.jp" domain for email communications.

If you receive an email urging immediate action from your bank, a credit card issuer, PayPal, or any number of other seemingly legitimate senders, always take a deeper look at the sender address. It may well reveal that something is wrong.

Verify for spelling and grammar errors.

This may appear strange at first glance, but major firms are quite particular about their employees adopting good spelling and language. If an email purporting to be from a large financial institution or government agency contains several misspellings, grammar faults, and a strange layout, it is almost certainly a phishing email.

You would think that phishers would take the time to ensure that their bogus emails have good spelling and syntax, but a number of variables likely contribute to the errors.

Simply being adept at hacking does not imply that they earned passing grades in English class.

English is a second language for many of these scam artists. This is also evident in communications from credible sources in China, Russia, and other non-English-speaking countries.

While poor spelling and grammar are not always indicative of a phishing email, they are a sufficient reason to investigate more.

Examine the salutation of the email.

When examining an email for a possible phishing attempt, pay particular attention to how the sender addresses you. Is it addressed to "Dear Customer," "My Dear," "Dearest," or one of a variety of other unusual salutations?

A respectable firm with whom you have already conducted business will almost certainly employ a customized salutation, such as "Dear Jeff," "Mr. Lebowski," or simply "Jeff Lebowski," rather than the generic "Customer" greeting.

Phishers bank on you being unaware that a large corporation with which you have done business has your information on file and is able to access it for something as simple as an email greeting. It's referred to as mail merge, and it's fantastic.

Take a look at the email's signature.

Another telling symptom of a phishing effort is the absence of information in the email signature of the purported sender. A respectable firm representative will always include their contact information in their signature.

Their entire name, formal title within the organization, their return email address, and even their phone number and the direct extension will typically be included in the information.

Additionally, pay particular attention to the email address. A Chase Bank representative will not communicate with you using a "gmail.com" email address.

Do not rely on that link!

If an email's body has embedded links, avoid clicking on them.

To begin, hover your mouse pointer over them. Numerous email applications will display the link's complete text in the viewing window. Alternatively, you may right-click and copy the URL. Then copy the link and paste it into a text file.

Once you can see the complete link, take a close look at it. If there is a problem, it should be obvious.

To begin, never click a shortened link in an email. Shortened links make it simple to conceal the full URL of the link from prying eyes. A shortened URL would look something like this: "http://bit.ly/." (Don't worry; hitting that link will only result in an error message from Bitly.)

Additionally, keep an eye out for faulty links that appear to take you to a valid website but really redirect you to a page where you may be deceived into providing your login credentials or other sensitive information.

This attack makes use of a faulty URL that, when copied and pasted into the address bar of a browser, looks to be harmless. Even Google Chrome's built-in security is incapable of detecting it.

Ransomware is one of the risks associated with clicking links in phishing emails.

Ransomware can be placed on a victim's computer via following a malicious link or visiting a website that downloads software. The ransomware then either prevents the user from accessing their files or threatens to publish them unless the ransom is paid.

What this means is that you should never click on a link in an email.

If the email seems to need action on your part, locate the company's genuine website URL and collect their customer service contact information from there. Contact them. They'll determine whether any action on your side is actually required in response to an alleged security breach or account change.

Links in emails can also direct users to a rogue website that will pretend there has been a security breach or another emergency and will request access to the user's Google or another form of online account via Open Authentication (OAuth). This enables the offender to access an account in the same way that they would if it were their own.

OAuth is a handy way for third-party programs to access your account for social media, gaming, and other uses without requiring the requesting party to give your password. Unfortunately, it can also be used for malicious purposes, allowing criminals to cause havoc with your personal or business accounts.

Fortunately, revocation of OAuth access to your account is simple for any app to which you've authorized access. The majority of providers give a page that details all of the applications you've granted access to your account. For instance, Google's OAuth Access page is available here. (Check it out sometime; you may be shocked at the length of the list.) You can withdraw access from this page.

Likewise, do not open the attachment!

Along with malicious links, the world's bad actors enjoy including attachments in their phishing emails. These attachments appear to be a harmless PDF or Microsoft Word document to the untrained eye.

They may, however, contain viruses and malware meant to damage your computer's files, get administrator privileges to make changes, steal your passwords, or otherwise monitor your every online move.

The attachment may be a fake invoice for an overdue bill or a schedule for a business vacation. Malware-infected documents can take on a variety of forms. You'll want to be especially cautious of emails that look to come from trusted sources, such as your child's school or bowling league, but actually contain unsolicited files.

Refrain from disclosing any personal information.

A genuine email from a bank, credit card company, college, or other legitimate entity will never request personal information by email. This is especially true for banking and credit card account numbers, as well as usernames and passwords for websites and other sensitive information.

As soon as you receive an email requesting any of the information listed above, contact their known, legitimate customer support phone number for a talk. There is a good likelihood that customer service is aware of this fraud and can provide additional information.

Credit card firms, I've seen, appear to be particularly vigilant about scams affecting their clients.

Do not allow yourself to be intimidated by the frightening language.

Always exercise caution when you get an email with a subject line that demands a rapid response. Be suspicious of subject lines such as "Your account has been frozen..." or "An unauthorized login attempt has been discovered on your account."

The initial goal of any phishing email is to make you feel as if immediate action is required to prevent your world as you know it from collapsing. In reality, it is your hasty, unthinking action that eliminates the first piece of the Jenga jigsaw that is your security.

Phishing emails frequently include wording in the body urging you to take action immediately to avoid your account being canceled or frozen and may even give a "helpful" link to make taking action easier.

How to Protect Yourself from Phishing Emails

When you receive a phishing email (certainly not if), do not respond in any manner. Do not provide any information requested in the emails. Never click on any links in the email or call any phone numbers given.

Avoid clicking on, opening, or saving any attachments provided in the email. File attachments may include malware, viruses, or a link to a website where such malware can be downloaded.

Do not provide the senders of the phishing email with any personal, financial, or login information. If you wish to verify that the communication is indeed from the firm represented by the email, contact the company by a known, official channel, such as their known email address, website URL, or customer support phone number.

Make a habit of reviewing all banking and credit card statements as soon as they arrive. Ascertain that no unlawful withdrawals or charges have occurred. If you observe any unusual activity on your account, immediately notify the institution's customer service department using the contact information provided on your bank or credit card statement.

If your banking or credit card statement does not arrive within a few days of its scheduled date, contact customer care to confirm your billing address and current amounts.

Users of smartphones and tablets can also typically access their account information, including previous transactions and current account balances, via a mobile application. The apps are available through the app store on your smartphone. Consult your bank for additional information.

This strategy would enable you to monitor your transactions on a daily basis, allowing you to detect suspicious activity much more quickly.

Report phishing emails immediately to the bank, firm, or institution that is being portrayed as the sender. Provide as much information as possible to the business to which you are reporting the email.

If you have cause to believe that your email accounts, online banking, credit card, shopping, or other log-in credentials have been compromised, change the passwords for all of your online accounts immediately. Use strong passwords that are at least eight to ten characters in length and contain a combination of letters, numbers, and symbols.

If you opened an email attachment from a suspected phishing email, you should immediately install or update your computer's antivirus and malware scanners. Then immediately run a virus and malware scan on your computer. ​​​​

Additionally, you can contact the Anti-Phishing Working Group at [email protected] to report the phishing email. This category covers Internet service providers, financial institutions, security firms, and law enforcement authorities. The group was founded to combat this type of phishing.

If you live in the United States, you can report phishing scams using the FTC Complaint Form. Citizens of Canada can obtain assistance and additional information at the Canadian Anti-Fraud Centre. Residents of the United Kingdom have the option of reporting fraud and unwanted phone calls.

Keep track of any discussions and other communications relating to the phishing event. Make a mental note of everyone you speak with, including their names and phone numbers, and retain copies of all communication.

Uh-Oh! I was duped into providing data! What happens now?

If you believe you have been duped into providing personal or financial information via a phishing email, call the Federal Trade Commission immediately. You can report the following sorts of fraudulent activities via the commission's website:

Scams and Rip-Offs involving Identity Theft Unwanted Telemarketing, Text, or Spam on Mobile Devices or Telephones

Computers, Internet Services, or Online Shopping

Education, Employment, and Earning Money Credit and Debt

If you accidentally exposed credit or debit card information, call your bank or credit card provider immediately at the toll-free number listed on the back of your credit or debit card. This enables you to cancel your cards and request replacements, or even to shut existing accounts and open new ones that the phishers are unaware of.

Your maximum responsibility for illegal credit card use is $50. However, liability for an ATM or debit card varies according to how fast you disclose the loss or compromise of your card and its data.

If you provided checking or savings account information, contact your bank immediately using the toll-free number shown on your bank's website or on your monthly statement. Closing your compromised bank account and opening a new one is the best course of action.

Contact the three major credit agencies (Equifax, Experian, and TransUnion) and request that they place an alert on your file, notifying potential lenders that you may have been a victim of identity theft. This may make it more difficult to acquire a new genuine line of credit in the future, but the inconvenience is worth it to prevent a bad actor from starting a new account in your name.

If you divulged your eBay credentials, immediately attempt to log in and change your password on the auction site. Keep an eye out for any fraudulent activity on your eBay account. If you are unable to log in, contact eBay immediately via the specific link they provide in the event of suspected account theft.

If you have shared your PayPal login information, you should immediately attempt to log in and change your password. Keep an eye out for any fraudulent activity on your account. If you are unable to log in, notify PayPal immediately using the unique link provided for suspected account theft.

Additionally, keep in mind that if you were duped into providing OAuth account access to a rogue app, you can remove OAuth account access for any app to which you supplied access. Consult your service provider for additional information about the revocation of OAuth access.

Be cautious of additional sorts of phishing scams.

Email phishing is not the only tactic used by criminals to acquire your personal information. They will also employ alternative ways.

Telephone spoofing

Always be suspicious of any phone calls from Microsoft – or any other well-known technology business, such as Apple or Google – offering to assist you in resolving computer issues or selling you a software license.

None of the big software or hardware vendors will contact you without your permission and charge you for assisting in securing your computer or resolving any issues you may be experiencing with the machine, its operating system, or apps. (No corporation has perfected the method of ESP support, and it is unlikely that any will ever do so.)

Once a criminal gains your trust, they may ask for your computer's username and password, direct you to a specific URL to download software that enables them to remotely access your computer, or request your credit card number in exchange for their "services."

Accept no "assistance" given in this manner. Again, no big software or hardware company will contact you unexpectedly regarding your machine. Always maintain a healthy skepticism for such calls. Never submit information about yourself, your computer, your credit card, or your bank account details.

Phishing on Amazon

Amazon, the world's largest online retailer, is not immune to phishing assaults. Recent reports indicate that sellers on the Amazon Marketplace have had their accounts hijacked. The account is then used to defraud clients of their hard-earned money.

The hijackers obtain an Amazon seller's username and password in the traditional manner – through a data breach or an email phishing assault – and then use that information to hijack the seller's account and begin causing financial hardship.

After gaining access to an Amazon seller account, imposters perform one of two actions.

If the account is operational, they will modify the seller's banking deposit information and begin siphoning cash from sales.

If an account is dormant, they will build a list of unbelievable, too-good-to-be-true products for sale and collect as much money as possible.

Why are Amazon merchants being targeted? Because they are so numerous and earn so much money. This results in an extremely appealing population of potential victims.

According to a lawyer who represents Amazon sellers, over a dozen of his clients' accounts have been hijacked, and many of them have lost about half of their monthly revenue ($15,000 to $100,000) to the schemes.

Amazon merchants are urged to monitor their accounts closely and to report any phishing efforts involving Amazon to Amazon customer service. Amazon customers are cautioned that if an offer appears to be too good to be true, it almost always is. A trustworthy Amazon seller will not sell you a brand-new MacBook Pro for $300.

What we've discovered

When it comes to phishing emails, the question is when not if. Let's take a look at what we've learned about phishing attempts thus far.

The most common forms of phishing emails

Phishing emails are classified into three categories. Spear Phishing is used to target a specific individual or business. Clone Phishing is a technique in which a "cloned" email is used to reassure the recipient. Whaling is a type of phishing attack designed towards a company's or organization's senior executive or another high-profile individual.

How to spot a phishing email

Phishing emails can be identified by attentively inspecting the email address, checking for spelling and grammar errors, and examining the email's unique salutation or signature.

NEVER EVER CLICK ON A LINK OR AN ATTACHMENT INCLUDED IN AN EMAIL

NEVER open a link in an email, particularly one that appears dubious. Phishing emails contain links that will take you to an authentic-looking website meant to obtain personal information from you.

Additionally, attachments may contain viruses or malware meant to steal your information or damage your computer's data.

Never divulge private information.

Never provide your personal information to a third party. Any respectable bank or credit card representative will never contact you via email to request personal or financial information. Safeguard your account numbers, login credentials, and other sensitive data.

Do not be intimidated by phishing emails.

Phishing emails frequently contain language designed to compel you to respond immediately. You'll notice topic lines like "Your account has been frozen" or "An unauthorized login attempt on your account has been discovered." Do not allow yourself to be intimidated into falling into the trap.

Maintain vigilance on all of your accounts.

If you feel you've been a victim of phishing, be vigilant about monitoring all of your accounts. Ascertain that no unlawful withdrawals, charges, or purchases have occurred. Ensure that you update the passwords on all of your accounts. Notify the bank or other entity that was misrepresented in the email immediately of the phishing attempt.

If you are duped, contact your bank, creditors, and credit bureaus.

If you believe you have been duped into providing information, contact your bank, credit card provider, retailer, or another lender immediately to report the behavior, stop existing accounts, and start new ones.

Contact the three major credit bureaus and request an alert. This makes it more difficult for someone to start a new account in your name.

If necessary, change your eBay and PayPal passwords.

If you believe your eBay or PayPal account information has been compromised, contact the firm directly. Then, update your password and monitor the account for any suspicious behavior.

Be suspicious of 'cold calls' from callers posing as representatives of software or hardware vendors.

Attempts at phishing are not confined to email. Be suspicious of unwanted "cold calls" from someone claiming to represent Microsoft, Apple, or another software or hardware manufacturer and offering to assist you in resolving your computer problems.

Be suspicious of pricing that appears to be 'too good to be true in internet retailers.

When buying on Amazon or other online marketplaces, be suspicious of dealers offering exceptionally low prices on popular items. If you're an Amazon seller, keep an eye out for attempted account hijacking.

While phishing attempts continue to increase, you may avoid being a victim by being extra cautious when reading emails or clicking links. In the future, be informed about the newest developments in phishing and other methods used by the bad guys by becoming a frequent visitor to my website.

FAQs about phishing emails

What are the dangers associated with opening phishing emails?

Regrettably, responding to a phishing email, clicking a link, or downloading any attachments contained within such an email can pose serious hazards. Typically, attachments include malware, while links direct users to phishing websites.

What is an example of a Facebook phishing email?

There are numerous variations on the Facebook phishing scam. They can take the form of bogus security alerts, password reset requests, and announcements of fraudulent contests, among other things. Each of them makes an attempt to lure the victim into clicking a link or opening an attachment that may contain a malicious payload.