Can you spot the phish?
One of the main ways cybercriminals steal funds and information or spread ransomware is by gathering information through phishing emails.
Not all phishing emails are full of spelling errors and sent from people purporting to be Nigerian princes. Some are quite sophisticated, and emulate known and trusted brands.
Try this phishing quiz from Google to see if you can spot the phish.
Common signs of phishing emails
With the rise of AI, some of the signs we used to watch for in phishing emails aren’t as common. Cybercriminals can use AI to sort through large amounts of data and personalize emails, rather than using a generic greeting. AI writing tools can also reduce the grammar and spelling errors that used to be a hallmark of scam emails.
Here are some red flags that still exist in many phishing emails:
- Urgent or threatening language: Be wary of messages that try to rush you into taking action. Scammers often use pressure tactics to make you act before you think.
- Unfamiliar or mismatched email addresses: Check the sender’s email carefully. If it looks odd or doesn’t match the organization it claims to be from, it could be a scam.
- Suspicious links or attachments: Hyperlinks may look legitimate but lead to fraudulent websites, or attachments could contain malware.
- Requests for personal information: Legitimate companies and those who care about protecting your data rarely ask for sensitive info through email.
Not just email…
“Phishing” doesn’t just mean poorly written emails with bogus links – you also need to watch for phishing in other forms, such as:
- Vishing: Phishing through telephone calls
- Smishing: Phishing through texts/SMS
- Quishing: Phishing using QR codes
Warning signs for vishing and smishing are similar to those in email phishing – urgency, shortened links that you can’t verify, or requests for sensitive information. For quishing, be extra vigilant if you get a QR code in an email; using QR codes lets the bad guys bypass some of the filters in your email so they can sneak malware through.
- Make sure any QR code you scan has context and is from a legitimate and expected source, and use a QR scanner that lets you check the URL before opening it.
- If it’s a QR code in a public place, like a restaurant, check the QR code for any signs of tampering before you scan it. Cybercriminals have been known to create their own QR codes on stickers and place them over legitimate QR codes.
Four tips to protect yourself from phishing
- Verify identities: If someone asks for sensitive information, especially through an unexpected message, take a moment to verify who they are. It’s a good idea to use a different method than the one they used to contact you—just to be sure!
- Be skeptical: Be careful with urgent or unexpected messages that push for immediate action, especially when it comes to financial info. For instance, if you get a call from someone claiming to be your bank about credit card fraud, don’t share any details with the caller. Instead, hang up and call the number on the back of your card to confirm it’s legit.
- Practice email (and QR code) safety: Before clicking a link in an email or opening one from a QR code, check where it actually leads: hover over an email link, or use a QR scanner that shows the URL before opening it. Better yet, go directly to the website to verify the information; it’s a safer bet. No more scanning QR codes you see in a TV ad!
- Use good cyber hygiene: Protect your accounts with strong, unique passwords and multi-factor authentication. Make sure to keep your software up to date, and don’t forget to use anti-malware on your devices. These habits will help keep you safe, even if you accidentally click on a sketchy link or share your login by mistake.
Taken the bait?
If you think you’ve been a victim of phishing, take action as soon as you realize the problem. Change your account login credentials, scan your system for malware, and report the phishing attack to the company that was impersonated. You may also want to notify your bank and credit card companies, and be sure to closely monitor your statements for unusual activity.
Report phishing
If you get a phishing email or text, you can help fight back by reporting it!
- If you receive a phishing email, you can report it to the Anti-Phishing Working Group (APWG), which is an international team that helps tackle cybercrime. Just forward the email to [email protected]—and if possible, forward it as an attachment so they can gather more info for tracking and analysis.
- For phishing text messages, forward them to SPAM (7726). Most wireless providers support this, and it helps them block similar messages down the line. You can also report phishing texts through your messaging app on Android or report them in the iPhone Messages app.
- You can also report the phishing attempt to the FTC at ReportFraud.ftc.gov. Every report makes a difference in the fight against cybercriminals.