The following article is a guest post by Guise Bule, editor of the security blog secjuice and founder of tuCloud Federal Inc.
With the holiday season in full swing and consumers deep in the online holiday shopping mood, cybercriminals are rubbing their hands together with glee.
Cybercriminals already send at least about 90,000 phishing email campaigns per month globally, according to the non-profit Anti-Phishing Working Group (APWG) - so they're always pretty active.
But this is the time of the year that phishing attacks are at their peak, because cybercriminals know that you are going to be receiving lots of extra email from friends, family and websites that you bought presents from, emails which you would not normally be receiving.
It is in amongst this email activity that cybercriminals like to hide, they think that because you have so much else going on, that you will not notice they are not who they say they are.
What's a Phishing Attack?
In case you did not know a phishing attack is an email based attack, where the cybercriminals email you something that appears to come from yourbank or payment provider. They send these emails to you in the hope that you will be fooled into clicking on them.
Don't be fooled. Clicking on a phishing emails can be bad for your computer's health, as well as your bank balance, credit cards and personal data if you are especially unlucky!
Here's how bad it is: according to a recent report, phishing emails cost large businesses more than $3.7 million per year in lost productivity and other costs. The FBI recently stated that it investigates phishing cases involving more than 7,000 businesses and losses of about $500 million every year.
I get it though, it's sometimes very hard for even a professionally trained eye to spot the best phishing email attempts and attacks, I have accidentally clicked on one before myself.
In fact, a recent survey found that 40 percent of people admit to being tricked and victimized by phishing attacks, even though more than 90 percent of them were already aware of the existence of phishing as a tactic.
Be Paranoid, Very Paranoid
Once bitten twice shy is doubly true when it comes to phishing attacks, you learn to spot the telltale signs and to scrutinize every email before engaging with it. I am going to teach you now how to be as paranoid as I am about strange emails, because it will help you spot them.
The best way to spot a phishing email is to begin with the mentality that every email is a threat.
This may sound overly paranoid, but phishing attempts are so skillful and so prolific these days, I personally have learned not to trust any email unless I am certain it is legitimate.
Turning off auto-downloading and HTML in Outlook (click for larger view).
My first rule of email is to change the settings on your email client so that the images and attachments in emails are not automatically downloaded when it comes in. This is important because images can be used to track you and strange attachments often contain malware.
If you stop automatically downloading email images and attachments and display your emails in the text version instead of HTML, you are effectively adding a layer of additional security and protecting yourself from the active content that is often hidden in emails.
Also, it's important to be aware that even the most advanced anti-malware and anti-spam systems may not block or filter out all phishing emails - so make sure you remain vigilant even if you have robust security protections in place.
Spotting a Phishing Email: The Top 5 Tipoffs
The whole point of a phishing email is to look like the real thing, but luckily there are always five clear telltale signs that give the fraudsters away 95% of the time. The rest of the time you will be dealing with professionals and you will not be able to tell the difference.
An example of a phishing email with all of the top telltale signs.
Tipoff #1: Spelling/Grammatical mistakes. Fraudsters do not often speak English as a first language, making spelling and grammatical mistakes. Very often the phishing email will look perfect, except from the spelling and grammar. It's a dead giveaway.
Tipoff #2: The email asks you for personal information. This is a dead giveaway too, your financial institution (bank, PayPal, credit card provider) will NEVER EVER NEVER ask you to send them personally-identifiable information in an email. This also applies to any company who takes security seriously, as no reputable company will ever ask you for any personal information in this way.
Tipoff #3: Your email contains a strange-looking URL. When you hover over links in your emails in most email applications, you will see the URL address of the link appear as a preview so that you can visually check it. If it looks shady because it is mismatched or clearly not a URL of the alleged sender, delete the email.
Tipoff #4: They say they are the government. Very often a cybercriminal will send you an email that pretends to be from the federal government, usually the IRS, but sometimes the FBI or the police depending on the scam. It's intended to scare the person receiving it, but you should know that the government ALWAYS sends physical letters by mail to initiate contact. They will never send you an email for anything, unless you asked them to email you.
Tipoff #5: They are threatening you. As with the previous telltale sign, this one is also intended to scare you and make you emotional when you read it. The fraudulent email will usually threaten some kind of drastic action like your bank account is being closed, or perhaps that your credit card has been cancelled,requiring you take urgent action. Ignore these threats, no reputable company will ever threaten you by email.
Bonus Tipoff: If it's too good to be true. I do not need to really tell you this one, it's something that you have all probably heard a million times before, but it still does not make the statement any less valid. Scammers love to dangle money in front of the people they are emailing. Always ask yourself if you see $ signs in an email, "Is this too good to be true?"
Fight Phishing: Send This Article to Someone You Know
Hopefully this guide to spotting the phishing emails and telling them apart from the real emails will help you this holiday season, especially when your email traffic should be higher than it normally is. Never trust email, it's too easy to pretend to be someone else, if in doubt pick up the phone and call the person emailing you, so you are sure it is actually them.
As a service to everyone this holiday season, SACA Technologies is sending out physical copies of this story with a holiday card to anyone who needs to read it. Please do let them know if you want them to send this story to somebody you know and who could benefit from reading it.
Simply drop them an email at [email protected] with the name and address of the person you want them to post a hard copy of this story to and they will mail out our story to them in a holiday card!
Welcome to my blog! I mainly like to write about the history of IT.