Phishing scams are the most common threat you will face when using the internet.

This article should provide you with the skills you need to avoid being scammed by phishing. 



What is Phishing?

'Phishing' refers to a scam whereby a scammer tries to get you, a user, to reveal to them personal details, such as your passwords, bank information, personal identity details, and so on. It is highly effective and the number one way that bad actors on the internet try to steal from you.


Why don't they just hack my computer?

'Hacking' is very difficult. It requires a deep understanding of computer programming, and most highly skilled programmers would rather make an honest living working for legitimate companies than risk time in jail. Most online scammers and criminals have only a passing knowledge of computer programming. They don't need to be skilled, because it is in fact quite easy to simply get you to tell them your passwords and other information.


I would never tell anyone my information!

Probably not knowingly, no. That's why they try to trick you.


They will use email addresses that look like people you trust. They will impersonate businesses and institutions. They will use vague, generic language to sound legitimate without having to know anything about you. And finally, they will use fake, mocked-up websites and links to trick you into clicking and logging into them.


It is a near certainty that you have fallen for a scam of this kind once already. But you can guard yourself against others.


If they can impersonate people and businesses, how can I tell they're fake?

Sometimes, it can be pretty obvious, if you're paying attention.


Even a cursory glance over this email reveals numerous warning signs. In addition to what is highlighted, note that it is highly unlikely that you will receive a warning about unusual purchase activity from a company like this in such a manner.


The scammer will often use direct, forceful language that carries a sense of urgency. They want you to panic, to act before thinking. Messages will be short and clipped with wording like "please give me your cell phone so I can call you" and may threaten termination, account suspension and so on.


Your supervisors and the IT department will never, ever, ask you for your password. It is highly unlikely you will be asked for your phone number.



They can impersonate web pages but usually there's a 'tell' that something is off. In the above example, the URL of the site is clearly NOT Facebook. As a rule, do not follow links in emails to log into your websites. Go to the websites by typing in their URL in the address bar and log in that way.


'Dear Netflix' indeed. Though this might look legitimate, as it uses their styling and font, note the urgent tone and that it is not addressed properly. Phishing scams will often sound unprofessional, feature grammatical and formatting errors, and other tells.



Fake sender addresses, an urgent and threatening tone, bad grammar, and shady links are all part of the scammer's repertoire.


What if it's fake but they don't make grammatical errors or use odd URLs? What if it looks legitimate?

When in doubt, contact the sender on your own via methods you know and trust. If it appears to be from your bank, call your bank on their public 1800 number. If it seems to be from your boss, go and talk to them. If it seems to be from a relative, call them on their phone.


Be suspicious of literally any email you did not ASK to receive. No matter who it is from, no matter what it is about. Emails are free and easy to send; they are the lowest form of professional communication. When in doubt - even a little doubt - always confirm via alternate means.


How bad would it be if I do get scammed?

Scammers will steal your money and identity - and that is if you're lucky. If they get the passwords to your work accounts, they can infiltrate the network and upload malware to our network behind our security firewalls. The worst of these malware attacks are called ransomware: scammers take an entire network hostage and ransom its release, usually for large sums of money.


How much money?

Anywhere from tens of thousands to potentially millions of dollars.


Wow! That's a LOT of money!

Yes. And affected institutions often pay the ransom. It has happened to school districts and police departments in this state. It is a very real and very dangerous threat. The only thing standing between them and us... is you.


So, be wary of any email if it:

  • Sounds urgent
  • Asks for or demands contact information
  • Requests passwords
  • Requests financial, personnel, or other organizational information
  • Seems to be from a trusted sender, but the email address looks wrong
  • Implores you to click a link in the email
  • Contains an attachment
  • Has poor grammar or spelling
  • Is formatted poorly or reads awkwardly.
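Two of the tells above, "the email address looks wrong" and a link whose URL "is clearly NOT Facebook", come down to one habit: read the real domain, not the name shown next to it. The script below is an added example for this article, not code from the article or from the IT department; the sender header, the links and the trusted-domain list are all constructed, and facebook.com stands in for whatever site you actually use. It shows why the check has to be on a domain boundary: "facebook.com.login-verify.example" and "facebook-login.example" both contain the brand name, yet neither belongs to facebook.com.

```python
"""Checks behind two of the tells above: the sender address and the link host.

Added example for this article, not code from the article or its IT department.
Everything below (sender header, links, trusted-domain list) is constructed.
"""
import ipaddress
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a display name that claims to be Facebook on an unrelated address.
SAMPLE_FROM = '"Facebook Security" <security@facebook-alerts-mail.example>'
# Constructed links of the kinds such a message might carry.
SAMPLE_LINKS = [
    "https://www.facebook.com/settings",           # genuine: a subdomain of facebook.com
    "https://facebook.com.login-verify.example/",  # brand placed as a subdomain of another domain
    "https://facebook-login.example/",             # brand embedded in an unrelated domain name
    "http://192.0.2.10/facebook/login",            # bare IP address, no domain at all
]
# Domains the reader actually trusts; facebook.com stands in for any real site.
TRUSTED_DOMAINS = {"facebook.com"}


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is domain itself or a subdomain of it.

    The comparison is on a label boundary, so 'facebook.com.evil.example' and
    'notfacebook.com' both fail; a plain substring test would pass them.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def brand_words(domains) -> set:
    """'facebook.com' -> {'facebook'}: the word a lookalike domain would reuse."""
    return {d.split(".")[0].lower() for d in domains}


def check_link(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Judge a link the way the article says to: by the host it really points at."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    warnings = []
    trusted_host = any(host_belongs_to(host, d) for d in trusted)

    try:                                   # raw IP address instead of a domain?
        ipaddress.ip_address(host)
        is_ip = True
        warnings.append("host is a raw IP address, not a domain")
    except ValueError:
        is_ip = False

    # Lookalike: a trusted brand word appears in the host, yet the host is not
    # under a trusted domain. Labels are split on '.' and '-' so that both
    # 'facebook.com.x.example' and 'facebook-login.example' are caught.
    lookalike = False
    if not trusted_host and not is_ip:
        labels = set(re.split(r"[.\-]", host))
        if labels & brand_words(trusted):
            lookalike = True
            warnings.append("trusted brand name used inside an untrusted domain")
    if not trusted_host and not warnings:
        warnings.append("host does not belong to any trusted domain")
    if parsed.scheme != "https":
        warnings.append("link is not HTTPS")
    return {"url": url, "host": host, "trusted": trusted_host,
            "lookalike": lookalike, "warnings": warnings}


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Compare the display name (what the reader sees) with the real address."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    trusted_sender = any(host_belongs_to(domain, d) for d in trusted)
    claims_brand = any(word in display.lower() for word in brand_words(trusted))
    return {"display_name": display, "address": addr, "domain": domain,
            "trusted": trusted_sender,
            # The article's tell: a familiar name on an unfamiliar address.
            "name_address_mismatch": claims_brand and not trusted_sender}


def triage(from_header: str, links, trusted=TRUSTED_DOMAINS) -> dict:
    """Roll the checks up into one verdict for a message."""
    sender = check_sender(from_header, trusted)
    results = [check_link(u, trusted) for u in links]
    flagged = [r for r in results if r["warnings"]]
    return {"sender": sender, "links": results,
            "suspicious": sender["name_address_mismatch"] or bool(flagged)}


if __name__ == "__main__":
    verdict = triage(SAMPLE_FROM, SAMPLE_LINKS)
    s = verdict["sender"]
    print(f"From: {s['display_name']!r} at {s['domain']} -> mismatch={s['name_address_mismatch']}")
    for r in verdict["links"]:
        print(f"{r['host']:40} trusted={r['trusted']!s:5} {'; '.join(r['warnings']) or 'ok'}")
    print("suspicious:", verdict["suspicious"])
```

Run as-is, it reports the constructed sender as a name/address mismatch and flags three of the four links, leaving only www.facebook.com clean. The trusted-domain set is deliberately a short list you maintain yourself, which is exactly the article's advice in code form: go to the site you already know rather than to whatever the email links to.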


What do I do if I suspect I'm being phished?

What you should do depends on the type of scam.

  • If you are sent an obviously fraudulent email, simply mark the email as spam using the button provided in Gmail.
  • If you suspect you have accidentally given your password to a scammer or logged into a shady website, immediately change your password.
  • Notify the IT department of the phishing attempt by filing a ticket on this helpdesk.



Do not trust emails.

Assume any un-asked-for email is a phishing scam until proven otherwise.


Stay safe!