Ignoring emails from financiers in Kenya promising shipments of gold is pretty easy. But when an email arrives from a business you work with, a close friend, or colleague asking you to click on a link about your job, your account, or this weekend’s party, what do you do? Over the years, phishing emails have matured from obvious, laughable scams to sophisticated emails that cleverly conceal their deception while seeming to come from trusted sources. And no matter how smart or savvy we get about them, they just keep on coming. In fact, according to the Anti-Phishing Working Group (APWG), phishing attacks in 2016 shattered all previous years’ records with a 65% increase from 2015 and a 5,753% increase over the past 12 years.
Phishing scams work by tricking you into clicking on a link or attachment that can infect your computer or take you to a website that looks real, but isn’t, and can steal your private information. According to the APWG, 100,000 new phishing attacks get reported every month, and thousands of people fall for them.
Bottom line? Unless everyone around the world stops clicking on email links or attachments all at once, phishing will continue to exist. It’s inevitable that phishing will hit your Inbox, at home and at work, again and again. But you can boost your chances of identifying and outsmarting them by following these three guidelines.
Think twice before clicking
Stop and think before you click on anything in an email. The whole point of phishing is to get you to do something that seems like no big deal, without raising the alarm: for example, “logging into your bank” by clicking a link that takes you to a page that looks like your bank, which then records your password so that the attackers can access your accounts later when you’re not paying attention. The trick is to practice skepticism – even when the email looks like it’s from your best friend. Do not download attachments or click on links unless you were expecting them or have separately verified they are legitimate, no matter how harmless they may seem.
Look closer at the source
Did you know that email is over 20 years old? It was designed in an era when the computers connected to the internet trusted each other and there was very little need – or ability – to verify the authenticity of emails and other transactions. For example, the “From” line in email is easily forged. You can put whatever you want in it, just like you can put whatever address you want for the return address on postal mail.
In the past, we’ve helped Softcom customers who have dealt with emails falsely pretending to be official Softcom communications. The messages are usually scary and compel action, such as “Your account will be locked/disabled if you don’t click here.” Or “You’re out of storage, click here to verify your account info and get more storage.” Or “Your account has a security issue. In order to protect your private information we need you to verify by clicking here.”
These email links, when clicked on, take users to a website that looks like our webmail site, but is actually hosted on a hacked server and designed to gain access to that person’s e-mail address and password. For what purpose? Cyber-criminals are in constant need of a fresh supply of “clean” email addresses. Reason one: they use it to send out their Viagra spam and whatnot. Reason two: “clean” email addresses either get shut down or blacklisted and become unusable, so they need a constant stream of “clean” email addresses.
Here at Softcom, we want you to know that we NEVER send out emails like the ones we described here, and we advise our customers to always treat emails like these with suspicion. Call our help line and check it out if you’re not sure. We’ll thank you for it! If we need to let you know something important, an announcement will be on our web page and social media, helping you to anticipate it and authenticate that it’s from us.
For business or corporate emails there is the issue of dealing with campaigns that target specific companies or organizations. This is also called spear phishing or whaling. Cybercriminals employ individually designed approaches and social engineering techniques to personalize messages and websites. As a result, even high-ranking targets within organizations, like top executives, can find themselves opening emails they thought were safe.
A close look at the source of the email is another way to combat phishing. Often something small is tweaked in the email address to make it look legitimate, such as an email saying it came from firstname.lastname@example.org. Note that the “l” in gmail is actually the number 1. If the address looks legitimate, but what it says or the links it provides are unexpected or out of character, ask yourself, “Would Mom really send me this?!” If it feels wrong, don’t click. And follow up with that person to warn them, so they can warn other contacts who might be affected.
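The two sender checks described above (a forged or spoofed “From” line, and a domain where a look-alike character such as “1” replaces “l”) can be automated. This is an added example, not code from Softcom or the original post; the trusted-domain list and the sample headers are constructed for illustration.

```python
import re

# Constructed list of domains the reader actually expects mail from (assumption).
TRUSTED_DOMAINS = {"gmail.com", "example.org"}

# Characters that look like a letter in many fonts, folded to that letter
# before comparing, so that "gmai1.com" collapses to "gmail.com".
CONFUSABLES = {"1": "l", "|": "l", "0": "o", "5": "s", "3": "e", "vv": "w", "rn": "m"}


def skeleton(domain: str) -> str:
    """Fold a domain to a 'skeleton' so look-alike variants compare equal."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def parse_from(header: str) -> tuple[str, str]:
    """Split a From: header value into (display name, address)."""
    m = re.match(r'\s*"?([^"<]*)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()  # bare address, no display name


def check_sender(header: str) -> str:
    """Classify a From: header as trusted, display-name-spoof, lookalike or unknown."""
    name, addr = parse_from(header)
    domain = addr.rsplit("@", 1)[-1]
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Display name shows a trusted address but the real address is elsewhere:
    # mail clients often show only the name, so this is a common forgery.
    if "@" in name and name.rsplit("@", 1)[-1].lower() in TRUSTED_DOMAINS:
        return "display-name-spoof"
    # Domain is not trusted but folds to a trusted one: a look-alike domain.
    if skeleton(domain) in {skeleton(t) for t in TRUSTED_DOMAINS}:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers for a quick run.
    for h in ("Mom <mom@gmail.com>", "Mom <mom@gmai1.com>",
              '"mom@gmail.com" <someone@example.net>', "news@example.net"):
        print(f"{h!r}: {check_sender(h)}")
```

A result other than “trusted” is the cue to apply the guideline in the text: don’t click, and verify with the person through another channel.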
Have a backup plan
If you lower your guard and accidentally click on a link one day, you’re not alone. Even IT people have fallen for some pretty sophisticated phishing emails. The next step in fighting these, though, is to have a plan for when it does happen. This means taking precautions like regularly backing up your data, enabling multi-factor authentication for accounts that offer it (such as banking), and changing all your passwords to strong, unique ones.
The key to protecting yourself from scam emails is to always be on guard. Phishing scammers are savvy, but you can be too. Stay vigilant. Follow the three guidelines we’ve provided here, and above all, remember that when it comes to email you can’t really trust anything.