

Phishing
Phishing refers to the act of sending an email pretending to be a business, organization, or authority in an attempt to deceive the receiver into divulging information or giving resources. Phishing remains one of the most reliable ways for hackers to scam people out of money or hack into organizations by stealing credentials. You may have seen these emails in your inbox recently – they’re very common. You may have even received emails that look like they come from a big bank or business that you don’t associate with, saying that there’s a problem with your account and you need to log in to fix it. A lot of times scammers don’t even know who they’re sending these emails to; they just send them out to as many people as possible, hoping to “hook” a few of them.

Some phishing emails are a little more sophisticated. “Spear phishing” emails are tailored to be convincing replicas of legitimate emails and are usually directed toward a certain group of people. One common example of spear phishing is an email, directed toward a company’s Human Resources staff, that appears to be from a software vendor and asks for login credentials to a cloud service. These emails take a lot of research and planning, but they are harder to detect and are sent to people the hackers know have access to valuable information.

“Whaling” is a relatively new term, and, as the name implies, it means going after a big fish. Whaling refers to sending a very targeted phishing email to a high-level executive or person of authority within an organization in the hopes of getting them to give up information. A person at that level of management is likely to have access to a lot of valuable information.

It’s not a good idea to interact with these emails. The best thing to do is to delete them or block them as soon as you see them. But some of them can be convincing at first glance and may require a little more investigation. Every phishing email is a little different, but there are some things you can watch out for:
 
Who is it From?
Check the email address to see who it’s coming from. Read the email address carefully and make sure it comes from the business or organization it claims to be. Sometimes scammers will make the email address look really close to a legitimate email address, but the spelling will be off by a letter.

The Subject Line
The subject of the email will sometimes be vaguely threatening. They might tell you there’s a problem with your account that needs to be fixed right away or that you are in violation of some law and this needs your immediate attention. The idea is to make you panic just enough that you open the email and follow the instructions within.
 
If they aren’t threatening you, they might offer to give you something. They may pretend to be your bank sending you an email about free money if you log in. The goal is to make you excited enough that you don’t look more closely at the details of the email before clicking.

Greeting
Most of the time, the greeting in the opening of the email will not address you by name. It may say something like “Dear member” or “Valued customer.” This occurs frequently with mass phishing email campaigns because they don’t actually know who they’re sending the email to; they’re trying to get it into as many inboxes as possible.
This is not a concrete rule. Spear phishing campaigns involve a lot of research by the scammers, and they may include names in their emails to be more convincing. Do not take the inclusion of a personal name in the greeting as proof that an email is legitimate.

The Body
There are several things to look out for in the body of the email. First, is everything spelled correctly? Does it sound right? Does it use language and terminology that stands out? Phishing emails oftentimes have spelling and grammar errors throughout the text. In recent years, phishing emails have gotten a lot better at having correct spelling and grammar, so don’t rely solely on this rule to determine whether an email is real or not. If you do find errors, it may be a sign that the email is fake.
 
The body of the email will probably lay out what “issues” your account is having or what “prize” the scammers want to give you with instructions on what to do next and a link to a site.
 
Keep in mind that the email may look convincing. It might have all the right font and font colors, logos, graphics, and effects, but that doesn’t mean that it’s legitimate.

The Link
Phishing emails rely on tricking you into clicking a link to take you to a site where you can give up your credentials. Sometimes the full link is pasted into the email where you can easily read it and see if it’s fake, but other times it may show up as clickable text. If you hover your mouse over it (place your cursor over the link text without clicking) a box should pop up with the address that you can then examine. Be very careful when reading the link; just like with the email address, hackers like to make link addresses look really similar to legitimate sites’ addresses. Never click on these links as they can take you to websites that can infect your device with malware.
 
So what can you do if you suspect that you actually do have a problem with your account or if you want to check to see if you’ve won a prize? The best solution is to open up another web browser window and navigate to the service (your bank, payment account, online retailer account, gaming account, etc.) and log in that way. Don’t use a link in an email.
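
The sender-address and link checks described above can also be automated by a mail filter or a help desk triaging reported messages. The following Python code is an added example, not part of the original page: it flags a sender or link domain that is a letter or two away from a trusted one, and link text that displays one address while pointing to another. The domain examplebank.com, the sample message and all function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"examplebank.com"}  # assumption: sites the reader really uses
SAMPLE = ("From: Example Bank <security@examplbank.com>\nSubject: Problem with your account\n\n"
          '<p>Dear member, <a href="http://www.examp1ebank.com/login">www.examplebank.com</a></p>')

def edit_distance(a, b):  # Levenshtein distance, one row at a time
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row = row, [i]
        for j, cb in enumerate(b, 1):
            row.append(min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + (ca != cb)))
    return row[-1]

def lookalike_of(hostname):  # trusted domain this host imitates (within 2 edits), else None
    base = ".".join(hostname.lower().split(".")[-2:])  # naive: no Public Suffix List
    close = [t for t in sorted(TRUSTED) if edit_distance(base, t) <= 2]
    return None if base in TRUSTED or not close else close[0]

class LinkCollector(HTMLParser):  # gathers [href, visible text] for each <a>
    def __init__(self):
        super().__init__()
        self.links, self.inside = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
        self.inside = self.inside or tag == "a"
    def handle_endtag(self, tag):
        self.inside = self.inside and tag != "a"
    def handle_data(self, data):
        if self.inside:
            self.links[-1][1] += data.strip()

def host(url):  # hostname of a URL, or of bare text such as "www.site.com/path"
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()
def findings(raw_email):
    msg, links = message_from_string(raw_email), LinkCollector()
    links.feed(msg.get_payload())
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    hosts = [("sender domain", sender)] + [("link target", host(h)) for h, _ in links.links]
    out = [f"{k} {h} resembles {lookalike_of(h)}" for k, h in hosts if lookalike_of(h)]
    for href, text in links.links:
        shown = host(text) if "." in text and " " not in text else ""
        if shown and shown != host(href):
            out.append(f"link shows {shown} but goes to {host(href)}")
    return out
```

Calling `findings(SAMPLE)` reports the misspelled sender domain, the misspelled link target, and the mismatch between the address shown and the address the link opens. A personalized greeting or clean spelling changes none of these results.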