Phishing scams are typically fraudulent email messages that appear to come from legitimate sources (your bank, Amazon, etc.). These messages usually direct you to a fraudulent website to get you to divulge private information like your password, credit card number, or other account details.
We’ve probably all heard of common phishing schemes like a Nigerian prince asking you to hold funds in exchange for financial compensation. While few would fall for such obvious attempts, and our spam filters have steadily improved, phishing has become considerably more sophisticated too. Some phishing emails can look very authentic and without the right knowledge, even savvy users can fall into a trap.
That’s why today we’d like to give you a rundown on how to spot and avoid phishing attacks so your inboxes and accounts stay safe.
To get started, we’ll share a few things to look out for to identify a phishing attempt, then we’ll walk you through a few examples.
Things to look for:
Check for spelling mistakes
Brands are serious about their email. The chance of a spelling mistake in an official piece of email communication is virtually zero. So if you receive a legitimate-looking email, read the message the whole way through. If you notice awkward grammatical errors or spelling mistakes, there’s a good chance the message is not authentic.
Check how you’re greeted
Phishing emails will very rarely have your personal information (like your full name). So if you receive an email addressed vaguely to “Valued Customer”, it’s probably a scam.
Take note of urgent or threatening language
This is a “social engineering” trick that targets people’s tendency to panic when they receive something urgent. If the subject line contains claims like “Your account has been suspended” or your account had an “Unauthorized login attempt”, read those messages very carefully. Some will panic and almost immediately click on a link and change their password – unknowingly giving their credentials to an untrusted source. If you do suspect your account has been compromised, go to the actual website of the service provider and manage your account there.
Check the “From” Address
Scammers will often use a strange “From” email address. Instead of [email protected], you will see addresses such as [email protected]. Sometimes these types of emails won’t even end in the right domain. For example, a “Google” email from an address that ends in @hotmail.com.
Don’t click on attachments
Attachments can contain viruses or malware that can damage your computer or monitor your computer activity. The simple rule of thumb is to not open any attachment from senders you don’t recognize, or that you were not expecting.
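One way to turn the checklist above into an automated triage check, as an added example that is not part of the original post: a small Python script that parses a raw email message and reports which of the indicators it finds (a brand named in the “From” display name or subject that is not sent from that brand’s domain, a generic greeting, urgent language, links that point somewhere other than the brand’s domain, and attachments). The brand-to-domain table, the phrase lists and the two sample messages are constructed for illustration and use the reserved .example domain; a spelling check would need a dictionary and is left out.

```python
"""Heuristic phishing-indicator checks over raw email text.

Added example (not the original post's code). KNOWN_BRANDS, the phrase lists
and the sample messages below are constructed assumptions for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed mapping: brand name as it appears in a display name or subject ->
# domains that brand legitimately sends mail from (illustrative only).
KNOWN_BRANDS = {
    "google": ("google.com",),
    "fedex": ("fedex.com",),
    "apple": ("apple.com",),
}
GENERIC_GREETINGS = ("dear customer", "valued customer", "dear user", "dear member")
URGENT_PHRASES = (
    "account has been suspended", "unauthorized login", "avoid suspension",
    "within 48 hours", "has been blocked", "immediately",
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def in_domain(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def claimed_brand(text):
    """Return the first known brand mentioned in text (case-insensitive), if any."""
    text = text.lower()
    return next((b for b in KNOWN_BRANDS if b in text), None)


def plain_text_body(msg):
    """Concatenate the text/plain parts of a message, skipping attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content_disposition() != "attachment":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(parts)


def phishing_indicators(raw_message):
    """Return a list of (indicator, detail) pairs found in the raw message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = plain_text_body(msg)
    brand = claimed_brand(display_name + " " + subject)
    found = []

    # "From" address check: the mail claims a brand but comes from elsewhere.
    if brand and not in_domain(sender_domain, KNOWN_BRANDS[brand]):
        found.append(("from-domain-mismatch", f"{brand} mail sent from {sender_domain}"))

    # Greeting check: first non-empty body line is a generic salutation.
    first_line = next((ln for ln in body.splitlines() if ln.strip()), "").strip().lower()
    if first_line.startswith(GENERIC_GREETINGS):
        found.append(("generic-greeting", first_line))

    # Urgency check: pressure phrases in subject or body.
    haystack = (subject + "\n" + body).lower()
    hits = [p for p in URGENT_PHRASES if p in haystack]
    if hits:
        found.append(("urgent-language", ", ".join(hits)))

    # Link check: URLs whose host is not under the claimed brand's domain.
    for url in URL_RE.findall(body):
        if brand and not in_domain(urlparse(url).hostname, KNOWN_BRANDS[brand]):
            found.append(("link-domain-mismatch", url))

    # Attachment check: any part delivered as an attachment.
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            found.append(("unexpected-attachment", part.get_filename() or "unnamed"))

    return found


# Constructed sample messages (not real mail); modelled on the FedEx example.
PHISH = """\
From: FedEx Customer Service <notice@fedex-delivery-update.example>
To: you@example.com
Subject: Action required: avoid suspension of your FedEx account
Content-Type: text/plain; charset="utf-8"

Dear Customer,

Your Account have been Limited. verify your details within 48 hours:
http://fedex-delivery-update.example/verify

FedEx Customer Service
"""

LEGIT = """\
From: FedEx <tracking@fedex.com>
To: you@example.com
Subject: Your FedEx shipment 123456789012 is on its way
Content-Type: text/plain; charset="utf-8"

Hello Jane Doe,

Your package is scheduled for delivery on Thursday. Track it at
https://www.fedex.com/tracking

FedEx
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(raw))
```

Run as-is, the constructed phishing sample trips four of the checks (sender domain, generic greeting, urgent language, off-brand link) while the legitimate-looking sample trips none. The subdomain test in in_domain deliberately requires a dot boundary, so a host such as fedex.com.attacker.example is not treated as part of fedex.com.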
Common types of Phishing Emails
There are a few styles of phishing emails that are fairly common. Be wary of these when you receive one that you don’t recognize or don’t know the purpose of:
1. Corporate Communications – Emails from banks, e-commerce websites or any other corporation that include information presented as “urgent”.
2. Personal Warnings – This could take the form of an alert of potential fraud on your credit card, bank account, or some vague “advisory” email. If it’s banking related, remember to never click on the link; instead, navigate to the website of your banking institution and check whether anything requires your attention.
3. Security Alerts – A variation on the personal warning, related to other Internet accounts you own, that claims “unauthorized access” and needs you to re-enter your password. Always go to the website in question and reset your password directly if you feel the need to do so.
4. Order Confirmations – People rarely read these carefully, and sometimes a simple prompt that seems reasonable enough will lead a user to enter their username and password on a website they are not supposed to.
Now, a few examples. We’ve provided 3 below, ranging from easy to spot to fairly sophisticated. We’ll walk you through each example and point out indicators of phishing.
Example 1: Google Message Alert
1. Completely wrong “From” address
2. Wrong/outdated Google logo
3. Use of urgent language – “a message has been blocked”
This one is fairly obvious. The wrong “From” address should act as a dead giveaway. This type of messaging will usually be caught in a spam filter.
Example 2: FedEx Account Notification
1. Vague address like “Dear Customer”
2. Use of urgent messaging telling the user to “avoid suspension” of an account (and a misplaced period and strange capitalization of words throughout the email)
3. A link to a website that didn’t go to FedEx (removed for this example)
4. Another use of urgent messaging, giving the user a time limit of “48 hours”
This one takes a bit of processing. First, are you expecting a package from FedEx? Second, note the general vagueness of the message. No indication of your name, tracking number or anything else.
Example 3: Apple Purchase Receipt
This phishing email is extremely sophisticated and can trick even the savviest user. The layout of the email is well done and looks extremely close to an actual Apple store purchase receipt. Many people have Netflix accounts so it’s widely applicable, and some links even click through to the official website. But there are a few things that give this email away:
1. Notice the strange email address – a random series of numbers and letters, followed by @mob.apple.com
2. A distorted Apple logo
3. A grammatically awkward sentence and an obvious spelling mistake.
4. Incorrect tax charges (“VAT” instead of “HST”)
It’s also important to note the information that’s not on this email. Note the “BILLED TO” section is extremely vague and only provides an email address, when a receipt should really provide actual proof of purchase including full name, billing address and form of payment.
We hope these tips will help you spot phishing attempts in the future. While our spam filters constantly block out a barrage of spam and low-level phishing emails, keep these tips in mind and evaluate every piece of email communication that’s not personal and requires interaction.