The email drops into your mailbox. It’s from PayPal, informing you that due to some unauthorized use of your account, it has been locked. “Damn hackers,” you think, “trying to guess my password again!”
You need to click the link in the email to re-enable your account and set a new password… but stop right there. The email you’re reading is a very well-crafted phishing email, designed to scam you. The information it contains is false: your account is not locked or restricted.
Phishing emails are becoming increasingly sophisticated, so what can we do to spot one and avoid being scammed?
Spotting a Phishing Email is Tough
While it’s not impossible to spot a phishing email (a message purporting to be from a legitimate company, designed to con you into divulging personal information) for most people – 80%, according to a new survey by CBS News and Intel Security – it’s pretty difficult. It’s not all bad news though; while I managed 90% in the survey, which you can still take online, a previous Intel survey revealed 94% of information security professionals were tricked by a phishing email at least once.
Being duped by phishing emails means more than just enabling someone to harvest your details. These scammers might glean enough information to be able to steal your identity (available for pennies on the Dark web), use it to borrow money in your name, and leave you with some financial headaches. Meanwhile, that cash is used for illicit purposes, funding illegal industries such as the drugs trade, human trafficking and child pornography. There has even been suggestion in the past few years that terror groups are generating funds by converging their interests with organized crime.
Allowing yourself to be conned and letting the banks and credit card companies clean up the mess is not the answer. At the very least, it is an incredible risk to take, one that can be avoided by educating yourself about how to spot a phishing email.
Some Example Phishing Emails
It’s not possible to share every single example of a phishing email, but the chances are you’ll get one of these over the next few months. Even if you don’t, we can use these examples to demonstrate the continually improving sophistication of these messages. These days, it can be tough to spot a phishing email simply because they look so convincing.
This is a very convincing phishing email targeting PayPal accounts. While phishing messages in the past might have been littered with links, this one just has the single “Log in here.” Style and subtlety clearly win out here, and there is little indicating that it is fake. However, three clues tell us it is a fake:
- We have a spelling mistake: “its just an error…” which you can see in the bold type towards the end.
- The sender’s address, “email@example.com” – this is clearly not PayPal.
- PayPal will not send you an email with a login link.
Apple – Or Is it a Bank?
This is a very polished phishing email, seemingly from Apple, asking the recipient to check some unread messages. But if you get fooled by this email, you’ve a long way to go:
- Sender is listed as “firstname.lastname@example.org” – is this from Apple, or a bank?
- Hovering the mouse over the “Read Now >” link reveals a link that is clearly not the Apple website (nor that of a bank).
- The App Store doesn’t store or route messages.
WhatsApp with this Email?
With this email, the presentation is reasonable, but the brevity of content – that there is a WhatsApp message to play – is enough to convince the recipient to click Play to find out who is trying to get in touch. As with the other messages, however, there are clues here:
- The sender email, “email@example.com”, has clearly nothing to do with WhatsApp. Arguably, it might be misconstrued by the recipient as being the sender of the voicemail message, but in this case, if it’s an unknown email address, you’d be advised to avoid it.
- “Whats App” is displayed as two words at the top of the message, and as one word in the footer.
- I don’t have a WhatsApp account.
In each of the three examples above, there is enough information, if you look closely enough, to determine that the message is bogus. If you receive these or anything else that you have doubts about, you should mark them as junk.
Tools You Can Use to Block Phishing Emails
If you’re still not 100% confident (and you shouldn’t be, as this is a tough game to play), take advantage of the various tools at your disposal that can help with the detection and blocking of phishing emails.
For instance, if you’re using Microsoft’s Outlook email service from www.outlook.com, you’ll have a built in spam email detector, which is designed to pick up phishing emails. This works well about 95% of the time, with occasional phishing attempts making it into your inbox. If you spot these, you should mark them as “junk” to help Microsoft prevent them being picked up by other users. You should also take the time to confirm that you’re not spamming your friends with dangerous emails thanks to malware installed on your PC.
Similarly, Google’s Gmail service will also detect and divert spam and phishing emails to the junk folder, leaving you free to carry on with your email reading without criminal distraction.
Meanwhile, premium online security suites, such as Bitdefender 2016, include tools to protect you from phishing attempts. Rather than protect you at the email inbox level, these tools tend to focus on your browser, and prevent you from visiting fraudulent websites or entering information in them.
Do you know how to spot a phishing email? Have you been caught out in the past? Tell us about it in the comments box below.