A guide to identifying phishing emails and what to do about them
Unless you’re a person who has been living behind a rock that pre-dates the internet, you’ll likely have heard of the term ‘phishing’ (no, not the one with a rod and tackle). It’s one thing to know what it is, but another to identify when you’ve got a phishing case right in front of you. This guide is designed to help you determine if you’ve received a phishing email and what you can about it, alongside some suggestions of what you should do if you’ve fallen for one.
Phishing is defined by dictionary.com as:
“[The action] to try to obtain financial or other confidential information from Internet users, typically by sending an email that looks as if it is from a legitimate organization, usually a financial institution, but contains a link to a fake website that replicates the real one.”
The above description is a great one, but knowing a phisher’s intention is not the same as knowing the many methods for how they try to reel you in. For an obvious analogy, it’s like with real fisherman: they stand at the water’s edge with their rod and tackle, but you’ve got no idea how they’ll go about their fishing until they fit their lure and cast out.
Most commonly, a phishing attempt will reach you as an email, usually appearing to come from a well-known and established brand that offers a widely used service type (such as email, financial or technological service). As most phishers won’t always be aware of what services you use, they will likely imitate large, customer-rich companies like a major bank. Sometimes they take an educated guess based on what they do know, such as imitating an email from Microsoft saying something like your Office 365 subscription failed to renew, because you have an @outlook.com email address.
Taking this approach is like using a fishing net, where spreading out wide by using something common not only increases the chance for believability of the email, it increases the phisher’s chance of catching an unsuspecting person amongst us. Of course, there are more targeted approaches of phishing, but right now we will cover the more common, ‘blanket’ approach.
How do I identify a phishing email?
- Are they for real?
Is the email not from a service that you use? There is a possibility that it’s not legit. Be careful though! There are services that you may not have dealt with before that may contact you for a perfectly valid reason. An example of this could be a debt collection agency about an unpaid bill from a year ago.
Have a good look at who the email is from (what the actual email address is and not just the display name). If it’s from something like notifications@ii.combank.wc (for example) then it’s unlikely it’s the real deal.
- Visual Indicators
Whilst at first glance the email might look legit and official, there are a few things that might raise questions (and a few laughs, in some cases). For Example:
– Incorrect or poor-quality images
– Generic introductions (eg. Hello francine.kitten@onetruemail.com instead of the account contact’s actual name)
– Design and layout inconsistent with the real brand
– An unreasonable amount of spelling and grammatical mistakes
If they are a legit company or business, and their communications look like phishing emails, then maybe point them in the direction of this guide.
Be aware that some phishing emails can really look the part, so relying on visual indicators alone may not suffice. - What is it asking from me?
Sometimes phishing emails ask for a direct reply. Many ask you to click a link, such as one to ‘unlock’ your account because it ‘has been suspended due to suspicious activity’. Good utility, financial and service providers WILL NOT ask you to log in to your account directly from an email. It is always far better to go directly to their website through a web browser (by typing in the web address yourself) or using their official mobile app.
Some email programs will allow you to look at the web address that the link is pointing to, so if you get a look at one of them, chances are it looks completely out of place (such as www.pullover.ca/xy/hotmail-login to login to your Microsoft account). - Too good to be true?
Some phishing emails might be notices of congratulations, letting you know that you’ve won a new phone, car, tropical getaway, or simply to notify you that your inheritance is waiting for you in Nigeria. If you won a competition that you don’t remember entering, that’s a pretty big red flag. Simply put, if it’s too good to be true, then it probably is. This method uses the lure of excitement to capture off-guard, acting on the emotion before logic has a chance to catch up.
What do I do with a phishing email?
- You’re still not sure if its legit or not?
If the phishing email is from a company you have a product or service with, contact them directly (by phone if possible) via contact details found on their website, or through a reputable directory (eg. White Pages or Yellow Pages) and verify the validity of the email with them. Often these same companies post notices to their customers if there is a major scam affecting their customer-base. - Don’t reply to the email or provide any personal information.
That is the phishing email’s goal and a pretty obvious no-no. Asking the phisher to stop emailing you (whether there is a person at the other end or a robot) it will let them know that you (and your email address) are active and could lead to loads more spam/phishing attempts. This is also true to many ‘unsubscribe’ buttons for newsletters you never signed up to. Deleting these, or marking them as spam, is often the best course of action. - Don’t forward it
Sending the phishing email to colleagues or friends can be as destructive as if it was sent from the original phisher, and this is because you are more of a trusted source. Some email filters may catch it, but if not the unsuspecting or oblivious readers may fall for it. If you are trying to alert others then send them a new, separate email, provide the relevant details and let them know to watch out for.
Also, don’t send it to someone as a joke. If they are not aware of what to look for (and don’t realise that it was sent from you) then it could spell all kinds of trouble, even for you. - Advise your IT Administrator as per their required process
Many business’ IT Support teams will have a process in place for reporting phishing and spam emails, so get in touch with them if you are unsure of the process. Often, providing an ‘attached’ copy of the original email in a new email composed to their support team. - Delete the phishing email
Hit that delete key with the might of an angry god (actually, don’t—you can calmly use whatever gesture is applicable to the device you are using). In some email programs, marking it as spam will delete it and report it to the relevant spam-filter service or application. - What if you’ve fallen for it?
Immediately contact the real company or provider (e.g. your bank if you gave your online banking details to a scammer) to advise them of what has happened so they can lock down your account, protecting your information, and provide you an opportunity to change your login details. If you have provided personal information to the phisher, then immediately contact the relevant agencies that the information is applicable to (e.g. If you gave credit card number, then quickly get in touch with the bank or financial institution that issued the card).
In Australia, you can also contact iDcare, a free government-funded service which may be able to assist. Visit the iDcare website - Consider what could be improved
Getting a lot of phishing emails at your business? Perhaps consider implementing or improving your spam filtering technology. Not all are created equal and none are full-proof due to the ever-evolving nature of phishing emails and the tactics of scammers.
We like to recommend Fortinet. We partner with them because, among their strong range of products and services, the quality of their spam/phishing filtering is exceptional. They constantly monitor changes and phishing trends to make sure they keep the filtering up-to-date and as accurate as possible.
To conclude…
If you have come through this guide feeling empowered to identify and repel phishing emails, then we’re glad. Share this with your friends. Get the knowledge out there.
Together, we can help make the digital world a safer place, both in our personal and professional lives.