There are many types of computer security threats that businesses need to be aware of, but one of the most serious is phishing. This is a method of duping unsuspecting users into giving up key information, such as user names, passwords, credit card numbers, and more. Phishing can be clumsy or very sophisticated, and only through awareness and education can users be armed with the skills they need to detect phishing attempts.
What is phishing?
As the play on “fishing” suggests, this is a technique akin to dropping a baited line into the sea and waiting for something to bite. The line is an email, often sent by the million to random addresses harvested from spammers’ lists; the bait is a story, one that tries to convince the person receiving the email to perform a task. Phishing is a form of social engineering; it’s a con. It tries to get people to believe that the emails are legitimate, and that the action they direct the user to carry out – generally logging into an account – is valid.
These emails often use subtle threats to hook users. They may say that an account has been blocked, or that an expensive order has been placed on their account, or that they need to log into an account to access messages, photos, or notifications. Some may purport to be from the IRS; others may claim to be from banks. Their narrative suggests that if the user doesn’t go through with what is requested in the email – or text message, as that medium can also be used for phishing – then something bad will happen.
What are the risks of phishing attacks?
The stakes are high. Cyber-criminals want to get some of your personal details to be able to liquidate your bank accounts, access your email, or potentially steal your identity. They also may attempt to install malware on your computer; if you log into, say, a website belonging to what you think is your bank, you may be prompted to download special “security” software.
While it’s obvious that getting access to your bank account, PayPal account, or other financial service is serious, it’s much worse if phishers get your email credentials. They can then use your email to reset passwords on many of your accounts, claiming to have forgotten the password. Those emails are sent to you, but if someone else intercepts the email, they can access many of your online accounts.
How to spot phishing emails
In some cases, this is quite simple. These emails may look legitimate, using a design and logo of a company that the receiver may do business with, but with spelling or grammar errors. Here’s one example of a phishing email I received recently:
I do have a Squarespace site, so my initial reaction was that something might be wrong, but it was easy to spot this as a phishing email. The giveaway is the fact that Squarespace is not capitalized, and that the grammar is wrong (“is been suspended”).
But not all phishing emails contain spelling or grammar errors; in fact, many don’t (such as this or this). Look at the from address; in this case, it was clearly not from Squarespace. Then, hover your cursor over the links in the email, especially the link that the phishermen want you to click to log into your account (because some links may be to the real company’s website). On a Mac or PC, you’ll see the actual address this link goes to; as you can see here, this is not to squarespace.com (I’ve blurred it to not show the actual domain that was used).
On iOS or Android, you can tap and hold a link to see what the real address is. While some legitimate links may go to a company’s subdomains – for example, docs.microsoft.com is a subdomain of microsoft.com – phishing links either go to websites that have been hacked, or to numerical IP addresses (such as 192.168.237.6).
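The manual checks described above (look at the From address, compare the visible link text with the real destination, treat numeric IP hosts and unrelated domains as suspicious, but allow genuine subdomains such as docs.microsoft.com) can be turned into an automated triage script for a mail gateway or a help desk that receives reported messages. The following is an added example written for this article, not code from the original post or from any vendor. The two sample emails are constructed for the demonstration; the sender domain notify-accounts.example and the domain evil.example are made-up placeholders. The subdomain test uses a plain suffix match against the expected domain rather than a public-suffix list, which is enough here because the caller supplies the exact domain the message claims to come from.

```python
import email
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a phishing message imitating the Squarespace lure in the article.
# The sender domain and link target are made up; 192.168.237.6 is the article's own example.
RAW_EMAIL = b"""\
From: "squarespace support" <alerts@notify-accounts.example>
To: user@example.com
Subject: Your squarespace account is been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your site is been suspended. Log in to restore it:</p>
<a href="http://192.168.237.6/login">https://account.squarespace.com/login</a>
<p>Help center: <a href="https://support.squarespace.com/">support</a></p>
</body></html>
"""

# Constructed sample: a message whose sender and links all stay on the expected domain.
LEGIT_EMAIL = b"""\
From: Squarespace <no-reply@squarespace.com>
To: user@example.com
Subject: Your invoice
Content-Type: text/html; charset="utf-8"

<html><body><p>View invoice:
<a href="https://account.squarespace.com/billing">https://account.squarespace.com/billing</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' when the string has no host (e.g. plain words)."""
    return (urlparse(url).hostname or "").lower()


def is_ip_host(host):
    """True when the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def belongs_to(host, expected_domain):
    """True when host is expected_domain or a subdomain of it.

    docs.microsoft.com belongs to microsoft.com; microsoft.com.evil.example does not,
    because the suffix match is anchored on a dot before the expected domain.
    """
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def audit_message(raw, expected_domain):
    """Return a list of findings for a raw RFC 5322 message claiming to be from expected_domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. The From address must live on the claimed company's domain.
    from_header = msg["From"]
    from_domain = from_header.addresses[0].domain.lower() if from_header else ""
    if not belongs_to(from_domain, expected_domain):
        findings.append({"kind": "sender-domain", "detail": from_domain})

    # 2. Every link is checked the way a reader hovering over it would check it.
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        real_host = host_of(href)
        if is_ip_host(real_host):
            findings.append({"kind": "ip-host", "detail": href})
        elif not belongs_to(real_host, expected_domain):
            findings.append({"kind": "foreign-host", "detail": href})
        # Visible text that looks like a URL must point where it says it does.
        shown_host = host_of(text)
        if shown_host and shown_host != real_host:
            findings.append({"kind": "text-mismatch", "detail": f"{text} -> {href}"})
    return findings


if __name__ == "__main__":
    for f in audit_message(RAW_EMAIL, "squarespace.com"):
        print(f"{f['kind']:14} {f['detail']}")
    print("legitimate sample:", audit_message(LEGIT_EMAIL, "squarespace.com") or "no findings")
```

Run against the first sample, the script reports the off-domain sender, the numeric IP behind the login link, and the mismatch between the displayed squarespace.com URL and the real destination, while the help-center link on support.squarespace.com passes as a legitimate subdomain; the second sample produces no findings. In a real deployment the same three checks would be fed by the message's parsed headers and body rather than embedded samples, and the `foreign-host` finding is the one to tune, since marketing mail often legitimately links to tracking or CDN domains.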