How to spot a phishing email

Author
Ben Hancock
Managing Director | Yellow Room Learning
27th October 2017

Phishing is the sending of fraudulent emails designed to trick a person into divulging some personal or confidential information. Cyber criminals use phishing to obtain user passwords, personal information, credit card details, and other confidential information. Phishing is also the number one delivery mechanism for malware and ransomware. Cyber criminals will send a fraudulent email that tricks the user into installing software that compromises the security of their computer. Both businesses and individuals are targeted by phishing attacks. This guide will take a closer look at phishing and the dangers that it presents. We’ll also share four techniques that can make spotting a phishing email much easier.

What does a phishing email look like?

Phishing emails are designed to look exactly like a normal email. They will use the same fonts, images, and layout as an email that you might receive from your bank or Internet Service Provider, for example. When you click a link in a phishing email, you will usually be sent to a website that also resembles a reputable website. This is where cyber criminals will ask you to provide confidential information or to download software. Phishing emails also use attachments, which often contain malware. Phishing is a form of social engineering — a cyber attack that has a psychological component and relies upon a human making a mistake. In the case of phishing emails, they will prompt a person into undertaking an action by:

  • Pretending that the recipient is in trouble

A phishing email might suggest that the recipient is in trouble if they don’t immediately perform a certain action. For example, a phishing email might look like it has come from the recipient’s bank. It might claim that the recipient’s account has been compromised or locked. It will then tell them to visit a certain URL to reset their password. The recipient will be asked to provide their username and password — which will be gathered by the cyber criminal and used on the real banking website.

  • Pretending that someone else is in trouble

Some phishing attacks appeal to a person’s desire to help others. A phishing email might suggest that the recipient’s friend is in trouble and requires some financial assistance. Phishing attacks also come in the form of fake charity emails, which steal credit card details or fraudulently accept donations.

  • Pretending to give the recipient an unmissable opportunity

Some phishing emails appeal to a person’s greed. They might provide a special deal or free holiday to people who submit their personal details to a website. The email might say that the recipient has won some money, but needs to pay a small fee with their credit card.

Spotting phishing emails

Fortunately, there are four simple techniques that make spotting phishing emails easier! These techniques can be remembered using the handy acronym CLUE, which stands for Critical thinking, Learning to hover, URL inspection, and Emotional ploys.

Critical thinking

The most useful technique for identifying phishing emails is critical thinking. When an email arrives in your inbox, take a hard look at it before acting. Things to keep in mind when examining the email:

  • Was I expecting this email?

Were you expecting the bank or IT department to email you instructions on how to change your password or did this email turn up unexpectedly? Did your friend travelling overseas say they were going to email you asking for additional funds? If the email is unusual and unexpected, it may be a phishing attack.

  • Do I know the sender?

Do you know the person sending the email or is it a stranger? If you think you know the person, make sure by asking them a few questions.

  • Is it plausible?

Do the contents of the email make sense? Is it possible that the IT department would contact you this way or is it highly unusual? Keep in mind that banks and IT departments should never ask you for information that they should already know in an email.

  • Is the email accurate?

If the email is filled with incorrect information or spelling errors, it may be a phishing attack.

  • Is the offer too good to be true?

If the email says that you have won a free £10,000 holiday but you haven’t entered any competitions recently, alarm bells should be ringing!

Learning to hover

You can hover your mouse over links and images in the email to look at the web address that they go to. If the address looks very different to what you would expect, don’t click the link or image.

URL inspection

To make the most of hovering over URLs, it helps to understand exactly what you are looking at.

Let’s take a URL like http://www.google.co.uk/.

The first component of the URL to check is the domain name. In this case, the domain name is google. If you receive an email that appears to be from Google but the URLs don’t go to google, that is a red flag. The next section to check is the top level domain (TLD). That is the section after the domain name. The TLD can indicate the type of organisation the domain name belongs to and its country. In this case, the TLD is .co.uk. The letters .co mean it is a commercial enterprise and .uk means United Kingdom. This means you are dealing with Google’s UK business. If the TLD is different to the one you normally see associated with the business or organisation, that is another red flag. Phishing emails pretending to be from google.co.uk might use links that are designed to look correct at a glance. For example, they might use goo.gle.co.uk, goog.le.info, gooogle.biz and so on.
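As an added example (not part of the original article), the following Python helper applies the two checks above to a hovered link: it pulls the host out of the URL, splits off the domain name and the TLD the way the article defines them, and reports a red flag for each part that does not match what you expect for the brand. The EXPECTED table and the short list of two-part TLDs are assumptions made for the example.

```python
"""Hover-check helper for the article's URL inspection steps (added example)."""
from urllib.parse import urlsplit

# Constructed for this example: brand -> (domain name, TLD) you expect to see.
EXPECTED = {
    "google": ("google", "co.uk"),
}

# Assumption: a short list of two-part TLDs is enough here; a real tool
# would use the Public Suffix List to recognise them all.
MULTI_LABEL_TLDS = {"co.uk", "org.uk", "ac.uk", "com.au"}


def split_host(url):
    """Return (domain_name, tld) for the host in url, as the article defines them.

    urlsplit().hostname already discards any user@ prefix and :port, so a link
    such as http://www.google.co.uk@evil.example/ is reported as evil.example.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return host, ""
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_TLDS:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def check_link(brand, url):
    """Return a list of red flags; an empty list means the link matches the brand."""
    flags = []
    if urlsplit(url).scheme not in ("http", "https"):
        flags.append("unexpected scheme")
    domain, tld = split_host(url)
    exp_domain, exp_tld = EXPECTED[brand]
    if domain != exp_domain:
        flags.append(f"domain name is '{domain}', expected '{exp_domain}'")
    if tld != exp_tld:
        flags.append(f"TLD is '.{tld}', expected '.{exp_tld}'")
    return flags


if __name__ == "__main__":
    # The article's own examples: the genuine link passes, the lookalikes do not.
    for link in ("http://www.google.co.uk/", "http://goo.gle.co.uk/",
                 "http://goog.le.info/", "http://gooogle.biz"):
        print(link, "->", check_link("google", link) or "looks consistent")
```

The helper only judges the host against your expectation; it is the hover-and-inspect habit, not a substitute for it.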

Emotional ploys

The final technique for spotting a phishing email is to look out for emails that feature overly emotional language or which cause you to become emotional. If an email fills you with fear, anxiety or excitement that is a red flag. They are trying to use your emotions to compel you to click a link, open a file, or visit a certain website. Remember CLUE whenever you receive an email you are not sure about and hopefully you can avoid getting caught out! Learn how simulated phishing can help your employees to recognise and avoid phishing attacks.

Thanks for reading 'How to spot a phishing email'. For more cyber security tips, subscribe to the blog or follow us on social media. To learn more about information security training, contact Yellow Room Learning today on 0800 292 2900 or visit https://yellowroomlearning.com.
