Phishing: What It Is and How to Avoid It
Cybercriminals love to perform phishing, but you don't have to fall for it. As someone who has worked in security for decades, I see daily how these attacks work and how people can protect themselves.
Phishing is when cybercriminals use emails, social media posts, or direct messages to trick you into clicking harmful links or downloading malicious files. It's a common "social engineering" attack where a hacker tries to deceive you instead of directly attacking your system.
Falling for a phishing scam can expose your personal information, such as passwords or credit card numbers, and can even result in malware being installed on your device. But with some knowledge, you can become an expert at identifying phishing attempts and not take the bait.
What Does a Phishing Email Look Like?
Scammers often disguise phishing emails as messages from trusted organizations or people, but there are clear signs that give them away. Here's what to look for.
Offers that seem too good to be true are a clear sign. Does the message promise free money, luxury items, or exclusive offers that are too good to be true? Red flag. Same case if you win a contest you don't remember entering. If it seems too good, it's probably a scam.
Urgent or threatening language is another sign. Beware of phrases like "Your account will be deleted!" or "Act now!", which are designed to make you panic. They may even say your computer has been hacked or that you're being arrested. When someone tries to create artificial urgency, be suspicious.
Requests for personal information are always suspicious. Legitimate companies will never ask for sensitive details like passwords via email. If someone asks for your password, full credit card number, or other sensitive data via email, it's a scam.
Strange business requests are also suspicious. A sudden demand for payment or personal data? An invoice you don't recognize? Stop and question its legitimacy. Don't rush to pay or provide information.
Mismatched sender addresses are an important sign. Before acting on any email that involves sensitive data or money, always check the sender's email address for strange domains or small spelling errors. An email that appears to be from your bank but comes from an unrelated domain is a scam.
Unknown hyperlinks or attachments are dangerous. Hover over links to check where they actually lead. If the destination looks suspicious, like pavpal.com instead of paypal.com, don't click. Never download an attachment from a sender you don't recognize, and even if you do recognize the sender, scan it with your email provider's antivirus first.
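The two checks above (does the link go where its text claims, and is the domain a one-letter lookalike such as pavpal.com?) can be automated. The following is an added example written for this article, not code from the author or his companies; it assumes a small constructed list of trusted domains and uses a simplified "last two labels" notion of a domain that ignores multi-part suffixes like co.uk.

```python
import re
from urllib.parse import urlparse

# Constructed sample allowlist: the domains this reader trusts.
TRUSTED_DOMAINS = {"paypal.com", "example-bank.com"}

# Extract (href, visible text) pairs from simple HTML anchors.
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Visible text that itself looks like a hostname or URL.
SHOWN_HOST_RE = re.compile(r'(?:https?://)?([\w.-]+\.[a-z]{2,})', re.I)


def registrable_domain(host):
    # Assumption: last two labels identify the owner (paypal.com, not co.uk).
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    # Levenshtein distance: catches single-character lookalikes like pavpal.com.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, display_text):
    """Return the reasons a link is suspicious; an empty list means none found."""
    reasons = []
    target_host = registrable_domain(urlparse(href).hostname or "")
    # 1. The visible text names one domain but the href points to another.
    shown = SHOWN_HOST_RE.search(display_text)
    if shown:
        shown_host = registrable_domain(shown.group(1))
        if shown_host != target_host:
            reasons.append(f"text shows {shown_host} but link goes to {target_host}")
    # 2. The real target is a near-miss (typosquat) of a trusted domain.
    for trusted in sorted(TRUSTED_DOMAINS):
        if target_host != trusted and edit_distance(target_host, trusted) <= 2:
            reasons.append(f"{target_host} looks like {trusted}")
    return reasons


def scan_html(html):
    """Map every href in an HTML fragment to its list of suspicion reasons."""
    return {href: check_link(href, text) for href, text in HREF_RE.findall(html)}
```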
Poorly written content used to be a clear sign, but this is changing. Look for bad grammar, strange phrases, or misspelled words. Professional companies rarely make these mistakes. However, the grammar of many phishing emails is improving with the rapid spread of artificial intelligence systems. So don't rely on this alone.
Generic greetings are another sign. Be alert to vague introductions like "Dear Customer" instead of your name. Legitimate companies usually use your name.
What Is a Sense of Urgency in Phishing?
Cybercriminals design their phishing emails to play on your emotions. The reddest flag for phishing emails is a "sense of urgency," where you feel pressured to act quickly. Scammers want you to act quickly so you click before thinking.
In phishing messages, a sense of urgency can be negative or positive.
Examples of positive urgency include: you won a prize, you should receive money, you can get an exclusive offer. They try to make you act fast so you don't miss the opportunity.
Examples of negative urgency include: you've been hacked, the IRS is investigating you, criminals are recording you through your webcam, there's an arrest warrant against you. They try to make you panic and act without thinking.
Even though the messages are disturbing and worrying, it's important to remember that almost all messages sent to your email inbox or social media DMs about serious matters, like IRS audits, are scams. Scammers will say they have embarrassing images of you as a way to get your attention and money. Don't give it to them.
Take 5 Seconds for Each Email
Generally, you can identify the red flags of a phishing email by spending five seconds per email. Before clicking a link, sending any information, or downloading an attachment, take a deep breath and consider if the email is phishing.
Ask a coworker, friend, or family member if the message seems strange. No email needs a response in less than a minute. If someone is pressuring you to act immediately, be suspicious.
These five seconds can make all the difference between protecting your data and falling for a scam.
When Scammers Know Your Name: Spearphishing
Sometimes, cybercriminals spend time personalizing a phishing email just for you. They may know your name, your job, your address, or the names of people you know. They can obtain this data from social media or other publicly available sources.
This is called "spearphishing," meaning the scammer has specifically targeted you with their message. It's more sophisticated than common phishing, and therefore more dangerous.
Because of this, be careful with any unexpected message with a sense of urgency, even if the sender seems to know who you are. The fact that someone knows your name doesn't mean the message is legitimate.
What to Do If You Find a Phishing Message
Detected a phishing attempt? Here's how to handle it.
First, stay calm and don't click. Don't click any links or download attachments. Even the unsubscribe link can be a trap. Don't reply to the email. Any interaction can confirm that your email is valid and active.
Second, report the email. At work, immediately notify your IT department or security officer. They need to know to protect other employees. At home, many email platforms have a "Report Phishing" feature. Use it to alert them. Outlook, Gmail, and Mac Mail all have this functionality.
Third, block the sender. Take an extra step by blocking the sender in your email program. This prevents future emails from that source.
Finally, delete the message. Don't reply to or interact with the sender; the less interaction, the better.
Protect Yourself Before Phishing Happens
Phishing emails can get through your spam filter, so being proactive is crucial. Adopting some key cybersecurity behaviors can help protect you when phishing occurs.
Enable multi-factor authentication whenever possible to add an extra layer of security. Even if someone gets your password through phishing, MFA can prevent access.
Use strong and unique passwords and store them securely in a password manager. Each password should be at least 16 characters and unique to the account. If one password is compromised, other accounts remain secure.
Keep all software and devices updated to fix vulnerabilities that cybercriminals exploit. Security updates are crucial to protect against malware that can be installed through phishing.
Reporting Phishing Makes a Difference
By reporting phishing attempts, you protect yourself and help prevent others from falling for scams. Email providers and IT teams use your reports to block these scammers and improve security measures.
Each report helps build a database of scammers and techniques, making it easier to identify and block future attacks. It's an act of digital citizenship that benefits everyone.
Think Before You Click
You can stay one step ahead of phishing scammers. Remember: if something seems wrong, trust your instincts. You can even ask a friend for a second opinion.
Think for a few seconds before clicking and you'll be on the right path to staying safe online. These few seconds can make all the difference between security and compromise.
As a security professional, I see that most successful attacks happen because people act too quickly, without thinking. Slow down, question, verify. These are the keys to protecting yourself against phishing.
Want to discuss phishing or need guidance on how to protect your organization?
Connect with me on LinkedIn and let's exchange experiences.
Ricardo Esper is CEO of NESS Processos e Tecnologia (since 1991), CISO of IONIC Health, and CEO of forense.io. Certified CCISO and CEHIv8, he is an active member of HackerOne, OWASP, and the Privacy and Data Protection Commission of OAB SP.