October is Cybersecurity Awareness Month. This year, the Cybersecurity & Infrastructure Security Agency (CISA) and the National Cyber Security Alliance have announced their efforts towards encouraging “individuals and organizations to own their role in protecting their part of cyberspace,” including the initiative “phight the phish,” a phishing awareness campaign designed by the Information Security Office to keep our community safe.
As a cybersecurity academy and consulting firm, we also want to help our community understand how to incorporate actions into their daily lives to reduce their cybersecurity risks. “Do Your Part. #BeCyberSmart”.
In this blog post, we tell you all about spotting a phishing email: the details you need to check on every email you open, and what to do if you receive a suspicious one.
Before we dive into the different ways to help you spot a phishing email, you need to understand what phishing is all about. This is one of the most common methods of cybercrime, and it is designed to trick you into giving the hacker personal or sensitive information. Once you have provided them with that information, they can access your email account, bank, or any other account they are targeting.
Just so you understand how serious the situation is, it is estimated that only 3% of targeted users report malicious emails to their managers. Also, 30% of phishing messages get opened, and 12% of those users click on the malicious link. No wonder the FBI reported that phishing was the most prevalent threat in the US, with over 241 thousand victims during 2020.
Phight the Phish: How to Spot a Phishing Email
As hackers are getting more sophisticated with their attacks, it is very common to see a phishing email slip past the detection filters of email providers. That is why you must always check the following details before clicking a link or downloading a file from a suspicious email.
Usually, phishing emails come from a public email domain (such as @gmail.com or @hotmail.com), or there are inconsistencies between the organization’s name, the email address, and the links.
One way to spot these inconsistencies is to hover the mouse pointer over the link and look at the URL that pops up. Please do not click on it. Just hover over it and check whether the URL belongs to the alleged sender's domain. If it points somewhere different, report it as a phishing attack.
Another great way is to check the domain. Usually, it will look very similar to the organization they are trying to copy, with a typo or a misspelling. For example, if they were trying to mimic Netflix, they would use a domain similar to netfliix.com (notice that this domain has two i's).
While we don’t want you to spend an enormous amount of time reviewing the grammar and spelling of an email you received, you do need to understand that phishing emails are usually filled with grammatical mistakes and poor translations.
Attackers want you to take action as soon as possible. This is because they don’t want you to spend too much time reviewing the content of the email or website; they want you to grant them access to your accounts right away.
Always check what they are asking you to do and why.
Phishing emails rarely include your first name. They usually go with greetings such as “Dear friend” or “Hi Customer.” Most legitimate organizations do not follow this practice, as they always want to make their customers feel valued.
Phishing emails will always have either a link you need to click or an attachment to download. Always run through the four checks above before taking action. Once you click a malicious link or open a malicious attachment, you are compromised.
As we have explained before, to check a link, hover your mouse over it and see the URL it displays. It should match the sender’s website.
Always treat .zip, .exe, and .scr files with caution, as they are usually associated with malware.
If you have completed all five checks and do not consider the email a risk, you are ready to take action and complete whatever it is asking you to do. If you do spot it as a phishing email, then you must report it.
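The five checks above can also be applied mechanically to a raw email. The script below is an added example, not code from the original post: it flags a public or lookalike sender domain, link hosts that do not belong to the sender's domain, a generic greeting, and risky attachment types. The brand list, the public-domain list and the sample messages are constructed for the example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

PUBLIC_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}  # constructed list
KNOWN_BRANDS = {"netflix.com", "paypal.com", "microsoft.com"}  # constructed list
RISKY_EXTENSIONS = (".zip", ".exe", ".scr")  # types the post says to treat with caution

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one-typo lookalikes such as netfliix.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw: bytes) -> list:
    """Apply the post's checks to a raw RFC 822 message; return (code, detail) findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    domain = str(msg.get("From", "")).rstrip(">").rpartition("@")[2].lower()  # sender domain
    if domain in PUBLIC_DOMAINS:
        findings.append(("public-domain", domain))
    for brand in KNOWN_BRANDS:  # typo-squatted brand domain?
        if domain != brand and edit_distance(domain, brand) <= 2:
            findings.append(("lookalike-sender", f"{domain} resembles {brand}"))
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    if re.match(r"\s*(dear|hi|hello)\s+(customer|friend|user)\b", body, re.I):
        findings.append(("generic-greeting", body.strip().split("\n")[0]))
    for url in re.findall(r"https?://[^\s\"'<>]+", body):  # link hosts vs. sender domain
        host = (urlparse(url).hostname or "").lower()
        if not (host == domain or host.endswith("." + domain)):
            findings.append(("link-mismatch", f"{host} is not under {domain}"))
    for att in msg.iter_attachments():
        if (att.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", att.get_filename()))
    return findings

def build_sample(sender: str, link: str, attachment: str = "", greeting: str = "Dear Customer") -> bytes:
    """Constructed test message (not a real email) with the given traits."""
    msg = EmailMessage()
    msg["From"] = sender
    msg.set_content(f"{greeting},\nUpdate your account now: {link}\n")
    if attachment:
        msg.add_attachment(b"not-a-real-archive", maintype="application", subtype="octet-stream", filename=attachment)
    return msg.as_bytes()
```

Feed `check_message` the bytes of a saved `.eml` file to run the same checks on a real message; an empty result means none of the post's red flags were found, not that the email is safe.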
Reporting a phishing email can help phight the phish, and it does not take much of your time. This is a two-step process that consists of:
- Forwarding the phishing email to the Anti-Phishing Working Group at [email protected]
- Reporting the phishing attack to the FTC at ReportFraud.ftc.gov
Be part of the solution, Phight the Phish. Be Cyber Smart.