Tips for Catching a Phishing Scam Before It Catches You
For about as long as the Internet has been around, phishing attacks have been a problem. All it takes is a savvy scammer who spoofs the right email domain and targets the right person to steal personal information, hack accounts, and more.
With phishing activities still prevalent today (with over 500 million attacks being reported in 2022 alone), you need to be equipped to recognize and avoid this form of fraud at any time.
What Is Phishing, and How Does It Work?
The word "phishing" is a play on the word it sounds like: "fishing." In a phishing scam, the bad guys use deception to motivate the recipient of an email, text message, or other form of digital communication to take an action that benefits the attacker. These scammers usually employ some kind of "bait" to trick the victim.
This bait often plays on a victim's greed (such as offering a free smartphone if the recipient clicks on a link in the email), desire to help others (such as by posing as a coworker who needs help logging in remotely), or fear of getting in trouble with law enforcement (such as by claiming to be a state or federal police agent who suspects the user of a crime).
By using fonts, logos, and other features to make their email or message look legitimate, phishing scammers can imitate your bank or other financial institutions, someone in your company, your loved ones, and more. After you as the victim have become "hooked" through the deception, the scammers trick you into giving them valuable personal information or opening a link or attachment that contains malware.
The best way to defeat phishing is to avoid falling for this suspicious activity in the first place. Below are some of the best ways to catch a phishing scam before it catches you.
Check the Sender's Email Domain
A common scamming trick is to use a public email domain (such as "@gmail.com") to send a fake email. If you receive an email claiming to be from a reputable source (such as your bank, church, or an office within the local or federal government) that nevertheless uses a public email domain, you can be virtually certain that it's a scam.
Almost any operation larger than a single-person shop will use its own email domain (e.g. PayPal's emails come from the domain "@emails.paypal.com"). When you receive an email from a sender claiming to represent a larger organization, check whether the email address comes from a domain that matches the real company the person claims to be a part of.
If not, you need to flag the message containing the suspicious email address and report it as a scam (email clients like Gmail have a built-in feature for doing this).
Cyber-criminals also like to buy domain names that come close to that of well-known, reputable companies. This act, a form of "spoofing," makes it trickier to recognize a phishing attempt. For example, a scammer imitating PayPal may imitate the company's legitimate email domain by buying one like this: "@ernails.paypal.com."
If you don't look at the first part of the domain too closely, it could pass for "emails" instead of "ernails" (spelled with an "r - n" instead of an "m"). Always double-check the source of the email by checking the domain being used by an unfamiliar sender.
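The domain checks described above can be automated for a mail filter or a help-desk triage tool. The following Python script is an added example, not code from the original article or from TechBldrs: it classifies a sender address as coming from a public webmail domain, from the organization it claims to represent, from a lookalike that swaps in visually similar characters (such as "rn" for "m"), or from an unrelated domain. The domain lists, the lookalike substitution table and the sample addresses are constructed for the example, and the registered-domain helper assumes a two-label domain (it does not handle suffixes like "co.uk").

```python
import re

# Constructed lists for the example; a production filter would use fuller ones.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Character swaps a scammer uses to imitate a legitimate domain (fake -> real).
LOOKALIKE_MAP = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def sender_domain(address: str) -> str:
    """Return the lowercase domain of 'Name <user@host>' or 'user@host'."""
    match = re.search(r"<([^>]+)>", address)
    bare = match.group(1) if match else address
    return bare.rsplit("@", 1)[-1].strip().lower()


def registered_domain(domain: str) -> str:
    """Keep the last two labels: 'emails.paypal.com' -> 'paypal.com'.
    Assumption: no multi-part public suffixes such as 'co.uk'."""
    return ".".join(domain.split(".")[-2:])


def normalize_lookalikes(domain: str) -> str:
    """Replace each lookalike sequence with the character it imitates."""
    normalized = domain
    for fake, real in LOOKALIKE_MAP:
        normalized = normalized.replace(fake, real)
    return normalized


def classify_sender(address: str, claimed_org_domain: str) -> str:
    """Classify a From: address against the domain the sender claims to represent."""
    domain = sender_domain(address)
    reg = registered_domain(domain)
    if reg in PUBLIC_DOMAINS:
        return "public-domain"
    normalized = normalize_lookalikes(domain)
    # A domain that only matches the real one after undoing character swaps
    # is a lookalike, even if it superficially looks like a legitimate subdomain.
    if normalized != domain and registered_domain(normalized) == claimed_org_domain:
        return "lookalike"
    if reg == claimed_org_domain:
        return "matches-claimed-org"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample senders that all claim to be PayPal.
    samples = [
        "PayPal <service@emails.paypal.com>",
        "service@ernails.paypal.com",
        "billing@paypa1.com",
        "paypal.support@gmail.com",
        "help@paypal-secure-login.net",
    ]
    for sample in samples:
        print(f"{sample:40} -> {classify_sender(sample, 'paypal.com')}")
```

The lookalike check runs before the exact match on purpose: "ernails.paypal.com" would otherwise pass as a subdomain of paypal.com, which is exactly the confusion the scammer is counting on.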
Watch Out for Links and Attachments
Phishing messages are a form of social engineering, a term that refers to the use of deception and manipulation to steal someone's information or take control of their finances (such as through a scam or similar illegal activity). As such, a phishing attack's success relies on the victim performing a certain desired action.
Apart from tricking you into supplying your valuable personal information (such as by claiming to be your bank and asking you to verify your Social Security number, your password, or other login credentials for your online account, etc.), scammers may also want to trick you into opening a link or attachment that has been laced with malicious software.
For example, a phisher may attach what appears to be a genuine invoice for services rendered to an email, but in fact, this document contains software that will infect your device with ransomware, worms, or other nefarious forms of malware.
Similarly, a phishing email may contain malicious links that purport to direct you to the sender's organization (e.g. Amazon). However, scammers can hide the actual destination address (such as to fake websites that steal personal information for identity theft purposes) within a link that appears to be genuine.
For instance, you could click on an email link that appears to take you to Amazon but will instead direct you to a spoof site; if you enter your payment information (e.g. credit card details) there, you'll actually be forking your private information over to the scammers.
To check a link in an email on a desktop computer, simply hover your mouse over the provided link. The destination address (i.e. the website where the link will actually take you) will appear at the bottom of your web browser without you having to click the link.
Likewise, you can double-check a link on a mobile device by holding down on the link without releasing it; this will display a pop-up with the destination address.
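Hovering reveals the real destination one link at a time; a mail gateway or security awareness tool can perform the same comparison for every link in a message. The following Python script is an added example, not code from the original article or from TechBldrs: it parses the anchors in an HTML email body, resolves the real destination host of each, and flags links whose destination lies outside the organization's domain or whose displayed text shows a different address than the one it actually points to. The sample email body and the expected domain are constructed for the example, and the registered-domain helper again assumes two-label domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches text that is presented as a URL or bare domain (no spaces).
URL_LIKE = re.compile(r"^(https?://)?(www\.)?[\w-]+(\.[\w-]+)+(/\S*)?$")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL; a scheme is assumed when the text omits one."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registered_domain(host: str) -> str:
    """Last two labels only. Assumption: no suffixes such as 'co.uk'."""
    return ".".join(host.split(".")[-2:])


def audit_links(html: str, expected_domain: str) -> list:
    """Return one finding per link with a verdict a reviewer can act on."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        actual_host = host_of(href)
        verdict = "ok"
        if registered_domain(actual_host) != expected_domain:
            verdict = "destination-outside-expected-domain"
        # If the visible text itself looks like an address, it must agree
        # with where the link really goes; a mismatch is the classic hidden link.
        shown_host = host_of(text) if URL_LIKE.match(text) else ""
        if shown_host and registered_domain(shown_host) != registered_domain(actual_host):
            verdict = "displayed-url-differs-from-destination"
        findings.append({"text": text, "href": href,
                         "actual_host": actual_host, "verdict": verdict})
    return findings


# Constructed sample body imitating an order notification.
SAMPLE_EMAIL_HTML = """
<p>Your order could not be shipped. Please review it now.</p>
<a href="https://www.amazon.com/orders">View your orders</a>
<a href="http://amazon-account-verify.example/login">www.amazon.com/orders</a>
<a href="https://arnazon.com/help">Contact support</a>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL_HTML, "amazon.com"):
        print(f"{finding['verdict']:40} {finding['actual_host']:35} {finding['text']!r}")
```

The second sample link is the case the article warns about: the text reads like an Amazon address, but the href leads somewhere else entirely, which is only visible when the destination is inspected rather than the label.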
Look for Spelling and Grammar Mistakes
Many suspicious emails will contain basic spelling or grammar mistakes that a native speaker wouldn't make. Phishing scammers, many of whom are located in foreign countries and don't speak English as their primary language, often spam thousands of potential victims at a time, and while they use spell checkers to catch the most egregious mistakes, many grammatical errors still slip through the cracks.
For example, a sentence in the body of the email may be missing an essential connecting word such as "be" or "the," or the word order of a sentence may strike you as unnatural.
The danger with this tip is that it's also possible for senders from legitimate companies to make a typo, so if you suspect you may have received a scam email, stop and take a moment to observe the context of the mistake.
Is the error something as common as misspelling a common word or adding an extra letter? Does it sound like the person is still learning English, or does it seem like they just jotted off the email in a hurry without reading it over?
If you're ever uncertain if you've received a genuine email or a spam message, check for other warning signs, such as the aforementioned suspicious links, attachments, and questionable domain names.
Don't Give in to the Pressure
Lastly, beware of any electronic message you receive in which the sender seeks to create a sense of urgency. Remember that social engineering is about manipulation, and making people feel like they have to act quickly rather than stop and think critically is often a vital part of that manipulation.
This pressure tactic is especially common when the phisher is imitating someone from law enforcement, other government agencies, or a loved one. The bad guy may pretend to represent a high-level federal police agency (such as the US Marshals or the DEA) and claim that you need to verify your identity or else risk being thrown in federal prison.
Or they may pretend to be a trusted individual who needs help with an urgent need, such as your church's pastor needing you to donate money through a link to a charitable site to help a starving local family.
Urgency-based scam tactics are meant to make you act now, think (and regret) later. Instead, if you receive an email pressuring you to follow one of these suspicious actions (clicking a link, handing out personal details, etc.), step away from your device and think things through.
Talk to a coworker to get a fresh pair of eyes, or contact the purported sender through other means. For instance, if you were being targeted by the phisher claiming to be your pastor, you could call his cell phone or the church office to verify that he sent the message.
By stopping and taking a bit more time, you can save yourself a lot of hassle.
Contact a Leading Cybersecurity Provider to Schedule a Consultation
We understand that navigating the minefield of the digital world is tricky, especially if you run a small business that looks like easy pickings for scammers. Contact the cybersecurity experts at TechBldrs to learn how we can beef up your firewalls, provide you with heavy-duty security software, train your employees to avoid phishing scams, and more!
If you enjoyed this article, check out these other articles about Cybersecurity:
Cybersecurity 101: Basics Every Employee Should Know
Contact Us Today
To get in touch with one of our knowledgeable specialists, call us at (610) 590-4858, use the Live Chat feature or fill out the form on our website to tell us about your business's IT needs.