By now, most of us know that the email from the Nigerian prince offering us large sums of money in return for our help to get the money out of Nigeria is a scam. We also recognize that the same goes for the email from our bank that is laden with spelling errors. However, phishing attacks have become more sophisticated over the years, and for the most part, it has become much harder to tell the difference between a legitimate piece of communication and a scam.
In recognition of National Cyber Security Awareness Month, we asked a nationally representative sample of ~2,000 computer-owning adults in the United States about their behaviors and knowledge when it comes to cybersecurity. This week, we’ll share some of the insights from our survey related to phishing—as well as resources and tips on how you can better protect yourself from falling victim to phishing attacks.
What is phishing?
Phishing is a form of fraud in which the attacker tries to obtain information such as login credentials or account details by masquerading as a legitimate, reputable entity or person in email, instant messages (IMs) or another communication channel. Examples would be an email from a bank that is carefully designed to look like a legitimate message but that is coming from a criminally motivated source, a phone message claiming to be from the Internal Revenue Service (IRS) threatening large fines unless you immediately pay what you supposedly owe, or the email from the Nigerian prince pleading for your compassion and promising a large reward. Attackers typically create these communications in an effort to steal money, personal information, or both. Phishing emails or IMs are typically designed to make you click on links or open attachments that look authentic but are really there to install malware on your machine or to capture your credit card number in a form on the attacker’s site.
So do YOU know how to recognize phishing?
For the purpose of this blog post, we’ll focus on phishing emails as the attacker’s chosen channel of communication. According to our survey, 70 percent of adults in the United States believe they can identify a phishing email. That percentage rises to 80 percent among Millennials. Yet nearly four in 10 people believe they have been victims of phishing. This goes to show that detecting phishing emails is not as easy as it may sound! Here are six tips to help you identify whether you’ve received a “phishy” email:
1. The email urges you to take immediate action
Phishing emails often try to trick you into clicking a link by claiming that your account has been closed or put on hold, or that there’s been fraudulent activity requiring your immediate attention. Of course, it’s possible you may receive a legitimate message asking you to take action on your account. To be safe, don’t click on the link in the email, no matter how authentic it appears to be. Instead, log into the account in question directly by visiting the appropriate website, then check your account status.
2. You don’t recognize the email sender
Another common way to identify a phishing email is that you don’t recognize the email sender. Two-thirds of the individuals we surveyed who believe they can identify a phishing email named whether or not they recognized the sender as a top indicator. However, our survey results also show that despite the warning signs, more than four in 10 U.S. adults will still open the email—and among those, nearly half would click on a link inside—potentially putting themselves at risk.
3. The hyperlinked URL is different from the one shown
The hyperlink text in a phishing email may include the name of a legitimate bank. But when you hover the mouse over the link (without clicking on it), you may discover in a small pop-up window that the actual URL differs from the one displayed and that it doesn’t contain the bank’s name. Similarly, you can hover your mouse over the address in the “From” field to see if the website domain matches that of the organization the email is supposed to have been sent from.
4. The email in question has improper spelling or grammar
This is one of the most common signs that an email isn’t legitimate. Sometimes, the mistake is easy to spot, such as “Dear Costumer” instead of “Dear Customer.”
Other mistakes might be more difficult to spot, so make sure to look at the email in closer detail. For example, the subject line or the email itself might say “Health coverage for the unemployeed.” The word “unemployed” isn’t exactly difficult to spell, and any legitimate organization should have editors who review marketing emails carefully before sending them out. So when in doubt, check the email closely for misspellings and improper grammar.
5. The email requests personal information
Reputable organizations don’t ask for personal customer information via email. For example, if you have a checking account, your bank already knows your account number.
6. The email includes suspicious attachments
It would be highly unusual for a legitimate organization to send you an email with an attachment, unless it’s a document you’ve requested or are expecting. As always, if you receive an email that looks in any way suspicious, never click to download the attachment, as it could be malware.
What to do when you think you’ve received a phishing email
Report potential phishing scams. If you think you’ve received a phishing email from someone posing as Adobe, please forward that email to firstname.lastname@example.org, so we can investigate.
Google also offers online help for reporting phishing websites and phishing attacks. And last but not least, the U.S. government offers valuable tips for protecting yourself from phishing scams as well as an email address for reporting scams: email@example.com.
So while the Nigerian prince has become a lot more sophisticated in his tactics, there is a lot you can do to help protect yourself. Most importantly, trust your instincts. If it smells like a scam, it might very well be a scam!