Unfortunately, it’s not just individuals that can be affected by malicious emails that appear to be coming from a legitimate source, but are traps designed to get users to provide passwords, card details and more. Businesses can also be affected, especially by cleverly branded emails supposedly from colleagues, suppliers or clients that look legitimate and are written to draw the reader in.
Common Phishing Tricks
- Most phishing emails will include the logo of a reputable or popular company in the email – and will generally imitate the colours, layout and overall visual impression of a legitimate email from that source.
- It may appear to come from a legitimate address – and may even be from one of your regular business contacts.
- The links in the email will typically land on a page that looks like what you expect to see for that business – for example, a phishing email that is trying to obtain Google account details may look like a “shared document” email, and will take you to a page that looks like the Google Drive log-in page.
The combination of these factors – that the emails look legitimate at a quick glance, and so do the pages they link to – is what the malicious senders are banking on. They are hoping, of course, that you don’t look closer.
Protecting Yourself from Phishing
The best way to protect yourself from these malicious senders is to take a closer look at any email that is requesting information from you. There are a few key points to take notice of – and if the email matches multiple points, it is very unlikely to be legitimate.
- Recipients: Was the email sent directly to you and you only, or has it been sent via BCC to a list?
- Personalisation: Does the email address you by name or by other personally identifiable and unique information? A phishing email is likely to be sent out to many people at once, and is more likely to use wording like “Dear Customer”. However, there are newer phishing scams that may provide personal details – particularly information you share on social media.
- Source: Although you may see an email address or name you recognise in the “From” box, look closer. A “spoofed” address may say “PayPal” on a quick glance, but if the email address is “[email protected]” it’s not going to be legitimate. Check the “Return Path” email address – usually, this will match the sender address in legitimate emails. However, a legitimate email address might have been compromised – even if the email address and return path do match.
- Text and Typos: Check the language – spelling and grammar – of the email. Is it consistent, professional and correct? For example, you might have text saying “User has sent you a confidential information. Please click on the “Open in Sheets” Link below to begin signing.” Although the spellings are correct, the wording is just a little off. Excessive exclamation marks, all-caps and typos can also give the email away as a fake.
- Forms: Does the email itself contain a form? These are unlikely to be secure, and it’s inadvisable ever to fill in personal details in one of these.
- Links: If you’re on a desktop, hover your mouse over any link buttons – for example, if the email shows a Google logo, is the website address you see in the bottom corner of your screen a Google address?
- HTTPS: If you do click on the link in the email, does the address in the address bar match the company – and if it’s asking for account details, does the URL start with https:// (an encrypted connection) rather than plain http://?
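The checks above (recipients, personalisation, source, links, HTTPS) can be applied to a raw message mechanically. The script below is an added example, not code from the original post: it parses two constructed sample emails with Python's standard library and reports which indicators fire. The addresses and domains in the samples are placeholders, and the `base_domain()` helper only approximates the registrable domain (real tooling would consult the public suffix list).

```python
"""Heuristic phishing-indicator checker for a raw email (added example, not the post's own code).
Runs the post's checklist over two constructed messages; addresses/domains are placeholders and
base_domain() approximates the registrable domain (real code would use the public suffix list)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed "shared document" lure in the style the post describes.
PHISHING_SAMPLE = """\
From: "Google Drive" <drive-share@mail-docs-example.test>
Return-Path: <bounce@bulk-sender-example.test>
To: undisclosed-recipients:;
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>User has sent you a confidential information. Please click on the "Open in Sheets" link below to begin signing.</p>
<p><a href="http://drive-google-example.test/login">https://drive.google.com/open</a></p></body></html>
"""

# Constructed legitimate message for contrast: addressed to the recipient by name,
# Return-Path matches From, and the only link is https on the sender's own domain.
LEGITIMATE_SAMPLE = """\
From: "Example Corp Billing" <billing@example-corp.test>
Return-Path: <billing@example-corp.test>
To: Alex Smith <alex.smith@company-example.test>
Content-Type: text/plain; charset="utf-8"

Hi Alex, your invoice is ready in the portal: https://portal.example-corp.test/invoices
"""

GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "valued customer")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from the <a> tags of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(host):
    """Approximate registrable domain: the last two labels of the host name."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyse(raw_message, my_address):
    """Return 'category: detail' findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    # Recipients: sent to me directly, or via BCC / a list?
    if my_address.lower() not in str(msg.get("To", "")).lower():
        findings.append("recipients: your address is not in the To header (BCC or list delivery)")
    # Source: a display name naming a brand that the sending domain does not contain.
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    brand_words = [w.lower() for w in re.findall(r"[A-Za-z]{4,}", from_name)]
    if brand_words and not any(w in from_domain for w in brand_words):
        findings.append(f"source: display name {from_name!r} does not match sending domain {from_domain!r}")
    # Source: in legitimate mail the Return-Path normally shares the From domain.
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if "@" in return_path and base_domain(return_path.rsplit("@", 1)[-1]) != base_domain(from_domain):
        findings.append(f"source: Return-Path {return_path!r} does not match From domain {from_domain!r}")
    # Personalisation: a generic greeting instead of your name.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = re.sub(r"<[^>]+>", " ", body).lower()
    findings += [f"personalisation: generic greeting {g!r}" for g in GENERIC_GREETINGS if g in text]
    # Links / HTTPS: visible text vs. real target, and plain http:// targets.
    if body_part is not None and body_part.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(body)
        links = extractor.links
    else:
        links = [(url, url) for url in URL_RE.findall(body)]
    for href, shown in links:
        target = urlparse(href)
        if target.scheme == "http":
            findings.append(f"https: link {href!r} uses plain http://, not https://")
        shown_host = urlparse(shown).hostname if "://" in shown else None
        if shown_host and target.hostname and base_domain(shown_host) != base_domain(target.hostname):
            findings.append(f"links: text shows {shown_host!r} but points to {target.hostname!r}")
    return findings
```

Calling `analyse(PHISHING_SAMPLE, "alex.smith@company-example.test")` returns six findings (one per bullet, with two for Source), while the legitimate sample returns none. As the post notes, a matching Return-Path is not proof of legitimacy, since a real account can be compromised; the script only surfaces indicators for a human to weigh.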
If you have any doubts, the best solution is to avoid clicking on any links in the email itself. Type the real address of the page into your browser bar yourself – https://www.paypal.com, https://drive.google.com and so on – then log in from that page instead. That way you are entering your details on the genuine site rather than on a look-alike page.
I fell for it – what now?
Ok, so you clicked on the link in the email and landed on a legitimate-looking page with a form asking for your details, which you have helpfully provided, then realised that this wasn’t what you thought it was.

First, if you’ve provided your username and password for a service, go to that service by manually typing in the address of the page (for example, accounts.google.com) and change your password as soon as you possibly can. This will minimise what the malicious user can do – with email accounts, it stops them sending out more phishing emails from your account.

If you use the same password for multiple accounts, now’s a good time to update them all – and going forward, use a different password for every account, so that a malicious user cannot mass-test the one password they’ve obtained from you against your other accounts to see what they can access.

If you’ve provided bank account or card details, notify your provider immediately, and keep an eye on your statements to check that there have been no unauthorised transactions.
If ever you’re in doubt about an email’s legitimacy, take the old-fashioned approach. Give the source a call – find the number from official correspondence and find out if the email did come from them – you may find that they were also a victim of phishing. With a bit of care, it’s possible to avoid being hooked!
Thanks for reading, stay safe!