Stranger Danger: How to Spot and Avoid Phishing Attempts

Mitchell Tanaki

Phishing is a form of social engineering that attempts to steal sensitive information such as passwords, bank account details, or credit card numbers. Phishing attempts can be targeted attacks, which are known as spear phishing, or an attacker can cast a wide net targeting thousands of users, hoping to lure a few unsuspecting targets to download a malicious file or click on a malicious link.

Although phishing tactics have become increasingly clever over the years, here are a few tips to help you avoid falling victim to a phishing attempt.

Know Where the Path Leads

A common approach in phishing emails is to provide a link or URL that says one thing but actually takes you to a different location. Take a look at the image below. The link says http://notaphish.com, but the “hover-over” or “mouse-over” technique shows that the link actually leads to http://thisreallyisaphish.com, which doesn’t seem like a trustworthy site.

The “hover-over” technique doesn’t work with touchscreen devices, but you can use the “press and hold” technique instead. On most touchscreen devices, if you press and hold a link, you are presented with options like:

  • The full URL for the link’s true destination
  • Open
  • Add to reading list
  • Share
  • Copy

When using “press and hold,” be careful not to do a quick tap, which will automatically open the embedded link.

Getting Personal Too Fast

Unsolicited emails that request an urgent response or sensitive information should not be trusted. Creating a sense of urgency is a way an attacker can entice or scare their victim into clicking on a malicious link or downloading an infected file. Be wary of phrases like “An arrest warrant has been issued for you—download a copy of it here,” or “Congratulations! You won a $100 gift card—click here to redeem.” These should be treated with the highest level of skepticism.

Organizations should not ask you to provide sensitive information such as a password, your social security number, or bank account details via email. If you receive an email requesting sensitive information and feel it’s a legitimate request, it’s always a good idea to call a contact number that is listed on the company website, not in the email, to verify.

Spellcheck Is Broken

Emails that are poorly written and contain numerous spelling or grammar mistakes but claim to be from a reputable company are probably malicious. A company’s image is important to them, so they wouldn’t allow messaging that would portray them in a negative light.

There is a purpose for the poorly written phishing emails. Attackers want to go after individuals who are less observant because they tend to be easier targets.

If All Else Fails, Delete

There will be times when it is incredibly hard to determine if an email is real or if it’s an attacker attempting to catch you in their net. If there is ever a doubt, it’s best to just delete the email.

The best defense against phishing is to be aware. Double check links, read emails carefully, and verify any request for information with an organization’s official website or phone number.

Mitchell has more than 10 years of experience with networking security. His certifications include Offensive Security Wireless Professional (OSWP), Offensive Security Certified Professional (OSCP), SCS Symantec Data Loss Prevention 12 Administrator, Fortinet Network Security Expert 5, and Intel Security Product Specialist / McAfee ePO Certification. In his free time, Mitchell likes spending time with his family, all things Disney, and coaching his kids’ hockey teams.

© PC CONNECTION, INC. ALL RIGHTS RESERVED.