Don't take the bait

How to spot phishing and social engineering scams


We see them every day: emails, calls, and instant messages asking for access to your computer, your personal information, or data that needs to be protected. Sometimes these thieves ask for passwords, account numbers, or personal identifying details; other times, they want you to run a malicious attachment or visit a dangerous website that delivers malicious code.

Remember: technology isn’t perfect. There’s no infallible solution able to prevent all attacks. Part of the responsibility falls on the end user – you – to know when to be suspicious, and to know how to protect yourself.

The first thing to know about phishing? If it smells “phishy,” there’s a good chance it is. Trust your nose. If you’re not sure, look for advice – don’t be afraid to approach your IT security expert. And yes, you can mark phishing emails as spam and ignore them, but it helps IT security to see new messages, and it helps raise awareness among your colleagues that such a message is making the rounds.

Browser-based exploits are also still common. Even a fully patched system can be compromised by visiting the wrong website, so it’s always safer not to click a link if you’re suspicious. And be aware that it’s not just email you need to watch out for: thieves make use of instant messenger programs, texts, and even plain old telephone calls to try to gain access to your private information.

Telltale signs of phishing

There’s an infinite variety of phishing emails out there, in all shapes and sizes, but fortunately there are some “tells” you can look for to help suss out potential scams.

  • It just doesn’t look right. Does the message claim to come from someone you work with, such as a client, your bank, a social networking site, or even your own company, but there’s something a little off about it? Trust your instincts.
  • Generic salutations. Instead of addressing you by name, phishing emails often use generic greetings like “Dear Customer.” This is because phishing emails are often sent out in large batches, and using impersonal salutations saves time.
  • Links to official-looking sites asking you to enter personal information or confidential data. These spoofed sites are often very convincing, so be aware of what information you’re being asked to reveal.
  • Unexpected emails that use specific information about you, like job title, previous employment, or personal interests. This information can be gleaned from social networking sites like LinkedIn to make a phishing email more convincing.
  • Emails asking you to take action quickly. Thieves often use unnerving calls to action (such as saying your account has been breached) to trick you into moving fast without thinking, revealing information you ordinarily would not.

Common phishing scams and mistakes:

  • Poor grammar or spelling. This is often a dead giveaway. Unusual syntax is also a sign that something is wrong.
  • “If you don’t respond within 48 hours, your account will be closed.” By creating a sense of urgency, the thief hopes you’ll make a mistake and act without thinking.
  • “You’ve won the grand prize!” These phishing emails are common, but easy to spot. A similar, trickier variation is asking you to complete a survey (thus giving up your personal information) in return for a prize.
  • “Verify your account.” These messages spoof real emails asking you to verify your account with a site or organization. Any time you receive a message asking to verify your account, look for signs of phishing, and always question why you’re being asked to verify – there’s a good chance it’s a scam.
  • Cybersquatting. This comes into play with spoofed websites. Often, thieves will purchase and “squat” on domain names that are similar in name to an official website in the hopes that users go to the wrong site. Always take a moment to check out the URL before entering your personal information.
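The tells listed above (generic salutation, urgency phrases, “verify your account,” prize bait, and look-alike domains) can be turned into a simple triage check. The following is an added example, not Sophos code; the trusted-domain allow-list, the phrase list, and the sample message are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumed allow-list: domains the reader actually does business with.
TRUSTED_DOMAINS = {"examplebank.com", "example.com"}

# Phrases taken from the tells above: deadlines, account threats, prizes.
URGENCY = re.compile(
    r"within \d+ hours|account (?:will be|has been) (?:closed|suspended|breached)"
    r"|verify your account|you.ve won",
    re.IGNORECASE,
)
# A generic greeting where a real correspondent would use your name.
GENERIC = re.compile(r"^\s*dear (?:customer|user|member|account holder)\b",
                     re.IGNORECASE | re.MULTILINE)
URL = re.compile(r"https?://\S+", re.IGNORECASE)


def host_of(url):
    """Return the lowercase hostname of a URL (no port, no userinfo)."""
    return (urlparse(url).hostname or "").lower()


def domain_verdict(host, trusted=TRUSTED_DOMAINS):
    """Classify a hostname as 'trusted', 'lookalike' or 'unknown'."""
    for good in trusted:
        if host == good or host.endswith("." + good):
            return "trusted"          # the real site or one of its subdomains
    for good in trusted:
        if host.startswith(good + "."):
            return "lookalike"        # real name used as a leading label of another domain
        if SequenceMatcher(None, host, good).ratio() >= 0.8:
            return "lookalike"        # near-miss spelling of the real name (cybersquatting)
    return "unknown"


def phishing_tells(message):
    """Return the list of tells found in one message body."""
    tells = []
    if GENERIC.search(message):
        tells.append("generic salutation")
    for phrase in URGENCY.findall(message):
        tells.append("urgency: " + phrase.lower())
    for url in URL.findall(message):
        host = host_of(url)
        if domain_verdict(host) == "lookalike":
            tells.append("lookalike domain: " + host)
    return tells


# Constructed sample message for the demo; not a real phishing email.
SAMPLE = ("Dear Customer,\n"
          "If you don't respond within 48 hours, your account will be closed.\n"
          "Verify your account at http://examp1ebank.com/login\n")
```

Running `phishing_tells(SAMPLE)` flags the greeting, three urgency phrases and the digit-for-letter domain; a hit is a reason to slow down and ask IT security, not a verdict on its own.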

Not everything is phishing, but…

Not everything that smells “phishy” is a phishing email. Other possible messages include:

  • Spear phishing. This is targeted phishing, often using spoofed emails to trick specific people within an organization into revealing sensitive information or credentials. These can take the form of a spoofed email from an executive or from an internal system (like “helpdesk” or human resources) commonly used by the company.
  • Spam email. These messages are unwanted, but they are simply bulk unsolicited messages: the electronic version of junk mail.
  • Marketing. This is often confused with spam, but marketing email is legitimate – you may have ended up on a mailing list by subscribing when making a purchase, for example. Marketing emails can be stopped by unsubscribing.

Phishy Flowchart

Unsure about an email? Check it against the flowchart to help determine if it’s a phishing message or not.

Phishing flowchart


The First Line of Defense: You

You are your own first line of defense against phishing. Arm yourself by knowing the signs and acting with caution. By educating yourself, you’ll be able to avoid falling victim to a phishing scheme – and putting your personal data, or that of your organization, at risk.

Start testing and training your end-users today.
