How to Spot the Phishing Scams that Prey on Even the Brainiest of Us
Pass it along!
Maybe you already know how to avoid phishing scams, but while there are still folks unwittingly exploited, all of us should keep sharing tips like this for thwarting the bad guys:
First, a brief history. “Phishing” refers to the use of email to lure recipients into visiting a false website where they are tricked into providing personal information such as credit card or Social Security numbers. Those numbers can be used in a variety of criminal activities such as purchasing gift cards or cleaning out a bank account. The first phishing cases were recorded in the mid-1990s and were perpetrated by “phreaks,” a nickname used by early hackers, giving rise to the term “phishing.”
We had a rash of phishing emails in the office recently, furnishing us with perfect examples to demonstrate how to spot phishing emails. Here is the step-by-step process that you can pass along to your grandparents, your children, and your employees before they fall victim.
Evaluating first impressions
The first tip-off is that there was no McAfee bill due, but since we’re all so overwhelmed these days, it’s easy to second-guess yourself. Keeping good records is vital for a number of reasons, and in a case such as this it means you can quickly confirm whether this is a real bill before you respond.
Second, while the email was sent to a legitimate address, it’s an old one that is no longer used much. Since hackers recirculate previously stolen information for many years, try to keep an eye on old accounts.
Third, the message is sloppily written. Note especially the odd spacing in the first sentence. While even legitimate senders make mistakes, bad guys for whom English is not a first language miss even the most obvious errors when cutting and pasting scams from each other.
Looking behind the curtain
Even though the sender’s display name makes it look as if the email came from McAfee Support as a DoNotReply message, hovering your mouse over the sender reveals the true address that the display name hides from view. Rather than something expected such as email@example.com, the address is firstname.lastname@example.org.
While Gmail is certainly a legitimate email provider, anyone – including criminals – can obtain a Gmail address. Every serious business sets up its email accounts on its own domain name rather than at Gmail, Yahoo!, AOL, and the like. Be very wary of replying to strange email addresses such as this. (And on the flip side, if you are a legitimate business, be sure to set up your email address with your own domain name so folks don’t think you’re a scammer!)
Resisting one more try
A similar scam was sent to a second email during the same week. This time the “billing team” was another generic Gmail address, purporting to be from Norton Security, misspelled as “Nort-One.”
They must have been disappointed if they hoped to spark a panicked response to the claimed “auto-withdrawal,” but apparently enough people do reply to make it worth their while. Again, most of us are not stupid, but we can be gullible. Companies we trust do send us email and bad folks use this familiarity to fool us.
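The two checks described above, a brand name in the display name that does not match the real sender domain, and a free-mail address where a vendor’s own domain should be, can be applied to a message’s headers automatically. This is an added example, not code from the original post; the brand and free-mail lists and the sample headers are constructed for illustration.

```python
# Added example: flag a sender whose display name claims a brand (McAfee,
# Norton, even the misspelled "Nort-One") while the real address sits on a
# free-mail domain, or whose Reply-To points somewhere other than the From.
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Assumed lists for the example; a real filter would use a broader set.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "aol.com", "hotmail.com", "outlook.com"}
BRAND_DOMAINS = {
    "mcafee": {"mcafee.com"},
    "norton": {"norton.com", "nortonlifelock.com"},
}


def check_sender(raw_headers: str) -> List[str]:
    """Return warnings for the From / Reply-To headers of one message."""
    msg = message_from_string(raw_headers)
    warnings = []
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    if domain in FREEMAIL_DOMAINS:
        warnings.append(f"sender uses free-mail domain {domain}")
    # Drop hyphens so a spelling trick like "Nort-One" still matches "norton".
    name_l = display_name.lower().replace("-", "")
    for brand, real_domains in BRAND_DOMAINS.items():
        if brand in name_l and domain not in real_domains:
            warnings.append(f"display name mentions {brand!r} but address domain is {domain!r}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address.lower():
        warnings.append(f"Reply-To {reply_to} differs from From {address}")
    return warnings


# Constructed sample headers modelled on the messages described in the post.
SAMPLE_LEGIT = "From: McAfee Support <donotreply@mcafee.com>\nSubject: Your invoice\n"
SAMPLE_PHISH = (
    'From: "McAfee Support - DoNotReply" <billing.team.0421@gmail.com>\n'
    "Reply-To: billing.team.0421@gmail.com\n"
    "Subject: Your McAfee subscription auto-renewal\n"
)
SAMPLE_NORTON = (
    'From: "Nort-One Billing Team" <nortone.billing@gmail.com>\n'
    "Reply-To: refunds.desk@yahoo.com\n"
    "Subject: Auto-withdrawal notice\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_LEGIT, SAMPLE_PHISH, SAMPLE_NORTON):
        print(check_sender(sample) or ["no warnings"])
```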
Remember that your company’s private information could be at risk. Don’t just assume your employees know how to recognize phishing scams – take the time to remind them. Share this information with family and friends as well. They might not be as tech-savvy as you and could be vulnerable. Finally, if you don’t have a domain name email for your business yet, give us a call and let’s get that taken care of right now.
Photo by Mikhail Nilov from Pexels