What is phishing?

Phishing is a form of social engineering where a threat actor attempts to trick you into giving out sensitive information by posing as a trusted source. Most phishing attempts come in the form of an email message with an urgent request for you to take action by clicking on a link in the email.

Phishing attempts are also common in the form of voice calls. This method is commonly called “vishing”. In this type of attack, the threat actor tries to get you to disclose sensitive information over the phone. A call can also be used purely as an information probe, where the details gathered are used to craft a more personal and convincing phishing email message.

There are two types of phishing that you should be aware of:

  1. Phishing: this is a generic attempt to trick a large number of people. These messages are sent to thousands, or even millions, of users and are usually made to look like they came from an organization that most people already have an account with, such as a large bank or a technology company like Microsoft, Apple, Facebook or Google.
  2. Spear Phishing: this is a targeted attack on a single individual or a small group. Spear phishing is most common in the workplace, where the targeted individuals have access to the information, data or systems the attacker is after. These attacks are far more convincing and effective at tricking their victims because the attacker uses specific information about the target to craft the trap.

Nearly ALL phishing attempts need their victim to feel a sense of URGENCY!

Beware of urgency

Urgency is the primary weapon in a phishing attempt. When our minds are pushed into an emergency response mode, we tend to be less cautious and more likely to miss the red flags that would normally tip us off that someone is trying to trick us.

Urgency can be communicated in several ways. Here are some examples:

  • Your bank has detected fraud
  • Your social media account needs to be “verified”
  • Your online account has been compromised and you need to change your password immediately.

Phishing attempts are only successful if you are tricked into taking action. The action is usually as simple as clicking on a hyperlink in an email or text message.

Hover your mouse over any hyperlink and most email clients will display the URL you will actually be sent to when you click. Make sure this is the place you are expecting to go. The visible link text can say one thing while the underlying address points somewhere else entirely, and look-alike domains (an extra word in front of the real domain name, or a single swapped character) are easy to miss at a glance. On a phone there is no hover; a long press on the link usually shows the destination instead.

It is always best practice not to use hyperlinks sent in an email unless the message was expected, for example when you have just created a new account and the site sends you a message to verify it.
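The same "hover and compare" check can be done programmatically on the HTML of a message. The script below is an added example and is not part of the original article: it pulls every link out of a constructed sample email body, compares the text the reader sees with the address the browser would actually open, and flags the usual tricks (a decoy name before an '@', a plain http link, a destination outside the expected domain, and link text that shows a different site from the href). The sample HTML, the domains in it and the expected domain "examplebank.com" are all invented for illustration.

```python
"""Programmatic version of the "hover over the link" check for an HTML email body.

Added example, not code from the original article. For every <a> tag it compares
the link text the reader sees with the href the browser would actually open and
flags the common tricks. The sample HTML, the domains in it and the expected
domain ("examplebank.com") are all constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body of a fraud-alert style phishing email.
SAMPLE_HTML = """
<p>We detected unusual activity. Please verify your account now.</p>
<p><a href="https://examplebank.com.verify-login.example/">https://www.examplebank.com/security</a></p>
<p><a href="http://www.examplebank.com@198.51.100.23/login">Secure login</a></p>
<p><a href="https://www.examp1ebank.com/">www.examplebank.com</a></p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every anchor tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname, e.g. www.examplebank.com -> examplebank.com.
    Assumption: good enough for .com style names; real tooling uses the public
    suffix list. IP literals are returned unchanged."""
    labels = host.lower().rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return host
    return ".".join(labels[-2:])


def host_in_text(text):
    """Hostname shown in the visible link text, if the text itself looks like a URL."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    return urlsplit(text if "://" in text else "//" + text).hostname or ""


def analyse_link(href, text, expected_domain):
    """Return the red flags for one link; an empty list means it looks consistent."""
    flags = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.username is not None:
        # http://www.examplebank.com@198.51.100.23/ : the browser ignores everything
        # before the '@' and connects to the host after it.
        flags.append("text before '@' is a decoy, real host is %s" % host)
    if parts.scheme == "http":
        flags.append("plain http link")
    if registrable_domain(host) != expected_domain:
        flags.append("destination %s is not %s" % (registrable_domain(host), expected_domain))
    shown = host_in_text(text)
    if shown and registrable_domain(shown) != registrable_domain(host):
        flags.append("link text shows %s but href goes to %s" % (shown, host))
    return flags


def inspect_html(html, expected_domain):
    """List of (href, text, flags) for every link in the HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return [(href, text, analyse_link(href, text, expected_domain))
            for href, text in collector.links]


if __name__ == "__main__":
    for href, text, flags in inspect_html(SAMPLE_HTML, "examplebank.com"):
        print("SUSPICIOUS" if flags else "ok        ", href)
        for flag in flags:
            print("    -", flag)
```

Run against the sample, the first three links are flagged and only the genuine help-centre link comes back clean. The two-label domain approximation is a deliberate simplification; a production filter would use the public suffix list so that names like example.co.uk are handled correctly.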

Phishing Identification

The single most effective way to not fall victim to phishing attempts is to learn how to identify the red flags of phishing.

Email Security, or Not

The electronic mail system in use today was designed with very little security. The protocol that moves mail between servers (SMTP) does not check who actually wrote a message, so it is extremely easy for a malicious actor to put fraudulent information into an email in an effort to trick you. Sender authentication standards such as SPF, DKIM and DMARC do exist, but they are applied by the receiving mail server, are not enforced everywhere, and say nothing about the display name you see in your inbox; a message can still land in front of you when they fail or are absent.

DO NOT TRUST

  • Who the email says it is from, whether the display name or the email address.
  • Who the email says it was sent to, or copied to.

These parts of an email message are just text chosen by the sender. They can be crafted to say anything that will make you think the message is legitimate.
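Because the From: and To: lines are whatever the sender typed, the only evidence worth anything lives in the headers that the receiving mail servers add themselves: Return-Path (the envelope sender the message actually bounced from), Received (the server chain) and Authentication-Results (the receiving server's SPF, DKIM and DMARC verdicts, defined in RFC 8601). The script below is an added example, not code from the original article. It pulls those apart for a constructed raw message whose From: claims a bank while the envelope sender and the authentication verdicts say otherwise; the domains, addresses and IP address are invented.

```python
"""Check an email's visible sender claims against the transport evidence.

Added example, not code from the original article. The From: header is text the
sender typed; Return-Path and Received are added by the receiving servers, and
Authentication-Results (RFC 8601) records what the receiving server's SPF/DKIM/
DMARC checks found. All domains and addresses below are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: From: claims a bank, the envelope sender and the
# authentication verdicts tell a different story.
RAW_MESSAGE = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.9])
\tby mx.recipient.example (Postfix) with ESMTP id 5D2A1; Tue, 5 Mar 2024 03:14:07 +0000
Authentication-Results: mx.recipient.example;
\tspf=fail smtp.mailfrom=mail-relay.example.net;
\tdkim=none;
\tdmarc=fail header.from=examplebank.com
From: "Example Bank Security" <security@examplebank.com>
To: customer@recipient.example
Subject: Urgent: unusual activity detected on your account
Date: Tue, 5 Mar 2024 03:14:01 +0000
Content-Type: text/plain

We detected fraud on your account. Log in within 24 hours to avoid suspension.
"""


def domain_of(address):
    """Domain part of an email address, lower-cased; empty if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def parse_auth_results(value):
    """Map method -> result (e.g. {'spf': 'fail'}) from an Authentication-Results value."""
    verdicts = {}
    for clause in value.split(";")[1:]:      # the first clause is the authserv-id
        clause = clause.strip()
        if not clause:
            continue
        method_result = clause.split()[0]    # e.g. "spf=fail"; the rest is property detail
        if "=" in method_result:
            method, result = method_result.split("=", 1)
            verdicts[method.lower()] = result.lower()
    return verdicts


def inspect_headers(raw):
    """Compare the claimed From: with the envelope sender and the receiver's verdicts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg["From"] or ""))
    _, return_path = parseaddr(str(msg["Return-Path"] or ""))
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))

    findings = []
    from_dom, rp_dom = domain_of(from_addr), domain_of(return_path)
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append("From: domain %s but envelope sender is %s" % (from_dom, rp_dom))
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append("%s=%s" % (method, auth.get(method, "missing")))
    return {"from": from_addr, "return_path": return_path,
            "auth": auth, "findings": findings}


if __name__ == "__main__":
    report = inspect_headers(RAW_MESSAGE)
    print("From:        ", report["from"])
    print("Return-Path: ", report["return_path"])
    for finding in report["findings"]:
        print("  red flag:", finding)
```

One caveat: a sender can forge an Authentication-Results header too, so only the copy that names your own receiving server (the authserv-id at the start of the value, mx.recipient.example in the sample) counts; RFC 8601 tells receiving servers to strip any pre-existing header that claims their name before adding their own. Most webmail clients expose the raw headers through a "show original" or "view source" option.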

Red flags

When the email was sent. Look at the time the message was sent; if it arrived overnight or well outside the purported sender's normal business hours, this may be a red flag.

Does the message invoke urgency, either by threat or by appealing to your instinct to help someone or some cause?

Does the message have a hyperlink that you are being asked to click on to take action?

Does the message contain spelling and grammatical errors?

Does the message contain an attachment that you are being asked to open?

When in doubt, verify the message is valid before taking any action. Contact the sender through a channel you already trust (a phone number or address you looked up yourself, not one taken from the message), or log into the site as you normally would, by typing the address or using your own bookmark, without clicking on any links in the email.