Phishing Emails and Scams: What Is It and How to Avoid It?


Phishing, a word most often associated with email fraud, remains a serious security threat for individuals and businesses. According to one report, over three billion spoofed messages are sent daily, accounting for roughly 1% of all email traffic. Phishing emails and scams aren't just a nuisance in our inboxes; they expose us to cyber attacks, including credential theft, ransomware, and other malware.

Phishing statistics paint a grim picture for individuals and business owners. Of the billions of emails sent daily, roughly 1% are malicious, and around 55% of phishing sites impersonate a specific brand to make victims hand over sensitive information. Speaking of brands, the most impersonated ones are Google and Amazon at 13%, WhatsApp and Facebook at 9%, and Apple and Netflix at 2%. And what's more alarming is that phishing can happen to anyone.

Whether you like it or not, you're a potential target too. If you're always online for communication or entertainment, run an online business, or are just an average 'netizen,' it pays to know what phishing emails are and to learn a few tips and strategies for recognizing and avoiding them.

What are phishing emails?

'Phishing' is when bad actors trick their victims using emails, phone calls, or text messages. The aim is to get you to visit a website or open a file that either installs malware on your device or captures your personal information, passwords, and bank details.

Email phishing is arguably the most popular and one of the oldest forms of phishing. Attackers send emails that pretend to come from a trustworthy sender. They copy the exact email format, logo, and other brand details of a legitimate company and include malicious links, documents, or image files designed to make you click through to a look-alike website, where you are asked to 'confirm' or share your personal information or banking details.

Recognizing phishing emails

An example of a real-life phishing email, as reproduced by the Federal Trade Commission (FTC)

Phishing emails are dangerous because of the harm they can cause to individuals. Scammers use emails, many built from professional-looking templates and layouts, to steal your passwords, bank account numbers, addresses, or even Social Security numbers. Once they have your personal information, they can log in to your bank and other accounts. Or they can sell your information to other scammers, who will use it for further fraud.

What's alarming about phishing emails is that the approaches and tricks used are becoming more sophisticated and convincing. Telling a legitimate email from a fake one is sometimes genuinely hard, and phishing emails succeed precisely because they look real. Scammers keep polishing their tactics, but they still tend to rely on a few common tricks.

Often, these emails tell a story to trick you into opening an attachment or clicking a link. The email may look like it comes from an organization or company you know, like a bank or credit card company, or from a service provider you've had a long-standing relationship with. In reality it could be from a scammer, who might:

  1. Claim that there's an issue with your account and that you need to update your information or provide additional details (even if there isn't)
  2. Say that they've noticed some suspicious log-in attempts (they haven't)
  3. Say that there's an incoming package for you and ask you to confirm your complete address for fast delivery (the package doesn't exist)
  4. Invite you to click on a payment or registration link (it leads to malware or a fake login page)
  5. Include an invoice that you don't recognize (it's fake)
  6. Say that you're eligible for a refund or a subsidy (not true)
  7. Offer free stuff or coupon codes (these are not real)

In addition, there are a few red flags to check for in a suspected phishing email:

  • Attachments or links from unfamiliar senders
  • A call to action pushing you to click on a link
  • The sender's real address doesn't match the name it displays, or the link's actual destination (shown when you hover over it, or by a long press on a phone) doesn't match the text of the link. Watch for look-alike domains that swap or add characters
  • Plenty of spelling errors (though with AI, many scammers' writing is getting polished, too)
  • Poor grammar and messy, unprofessional graphics
  • Generic greetings such as 'Dear Customer' instead of your name
  • Requests for money or additional personal information
  • A sense of urgency and threatening language
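To show how the red flags above can be checked mechanically, here is an added example that is not part of the original article. It reads a raw email, pulls the sender and the links out of it, and reports the same things a careful reader would look for: a display name that doesn't match the real sending domain, a link whose visible text points somewhere other than its actual destination, a generic greeting, and urgent or threatening wording. The sample message, the brand names, and the domains in it are constructed for illustration and refer to no real organization; the matching rules are deliberately simple heuristics, not a production filter.

```python
"""Flag common phishing red flags in a raw email message.

Added example (not from the original article). It scans a constructed
sample message for the red flags discussed above: a sender display name
that does not match its real address, a link whose visible text points
somewhere other than its real destination, a generic greeting, and
urgent or threatening language.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; names, domains and links are made up for
# illustration (note the '1' in 'examp1e') and refer to no real company.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-verify.com>
To: customer@example.net
Subject: Urgent: suspicious login detected on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We noticed a suspicious log-in attempt. Your account will be suspended
within 24 hours unless you verify your details immediately.</p>
<p><a href="http://login.examp1e-bank-verify.com/verify">https://www.example-bank.com/login</a></p>
</body></html>
"""

URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "urgent", "verify your")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
# Visible link text that itself looks like a URL or hostname (group 1 = host).
URL_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'site' name: the last two labels of a hostname (example.com)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_flags(raw_message):
    """Return a list of human-readable red flags found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # 1. Display name claiming a brand that the real sending domain does not contain.
    #    Heuristic: the first word of the display name should appear in the domain.
    sender = msg["From"]
    if sender is not None and sender.addresses:
        name = sender.addresses[0].display_name.lower()
        domain = sender.addresses[0].domain.lower()
        brand = name.split()[0] if name.split() else ""
        if brand and brand not in domain:
            flags.append(f"sender name '{name}' does not match address domain '{domain}'")

    # 2. Links whose visible text looks like a URL but whose href goes elsewhere.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        target = registered_domain(urlparse(href).hostname or "")
        shown = URL_LIKE.match(visible)
        if shown and registered_domain(shown.group(1)) != target:
            flags.append(f"link text shows '{visible}' but goes to '{href}'")

    # 3. Generic greeting and urgency / threat language (subject and body, tags stripped).
    plain = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", text)).lower()
    if any(g in plain for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    hits = [p for p in URGENCY_PHRASES if p in plain]
    if hits:
        flags.append("urgent or threatening language: " + ", ".join(hits))
    return flags


if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

Run against the sample, it reports all four flags. The link check is the one most worth copying by hand: the text you see in an email is just a label, and only the real destination (the `href`) tells you where a click will take you.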

Here's what you can do to avoid phishing emails

Be vigilant and watch out for red flags if you're always online or use emails for personal and business transactions. If you have encountered a suspected phishing email in your inbox, follow these strategies to avoid becoming another victim of a phishing attack.

  • Delete the email, and don't interact with it. The malicious part of a phishing email almost always needs you to click a link or open an attachment; simply viewing a message in a modern email client is rarely dangerous on its own, although loading the remote images in it can tell the sender that your address is active. If it looks like phishing, you weren't expecting a message from that company, or you don't know the sender, don't reply and don't click anything. At work, use your email client's 'report phishing' button or forward it to your IT or security team first, then delete it.
  • Block the sender. Block the sender if your email client allows manual blocking, and add the sender's email domain to your blocked list. Keep in mind that this is only a partial measure: scammers change addresses constantly, and sometimes spoof the domain of a company you actually use. Inform your family, friends, and co-workers so they know what to look out for if they receive the same message.
  • Keep your software up to date. Set your smartphone, PC, browser, and security software to update automatically. These updates patch the security holes that phishing malware relies on.
  • Use multi-factor authentication. Many accounts now let you require an extra credential to log in. The extra credentials fall into three categories: something you know, something you have, and something you are. The most common is something you know, like a PIN, passcode, or the answer to a security question. Others rely on something you have, like a one-time verification code sent to your phone or a physical security key. Finally, it can be something you are, like a scan of your fingerprint or face. Multi-factor authentication makes it much harder for bad actors to log in to your account even if they've managed to get your username and password. One caveat: a convincing phishing site can ask you for a one-time code and relay it to the real site in the same moment, so where an account offers a security key or passkey, prefer that, since it only works on the genuine website.

The US Federal Trade Commission recommends a few steps to take when you suspect a phishing attack. If you receive an unsolicited email asking you to open an attachment or click on a link, first ask yourself the following question:

Do I have an account with the person or company who sent me the email?

If you answer 'No,' it's probably a phishing scam. You can check the common red flags for phishing emails; when these are present, you can report the email.

If your answer is 'Yes,' contact the company using the contact details published on its official website or on a statement you already have, not the phone number or link in the email itself. You can then verify the contents of the email or the details of any attachment. For example, legitimate banks and credit card companies will never ask for your One-Time Password (OTP).

Email phishing is a common security problem that, if unaddressed, will compromise your accounts. The best way to handle phishing online is to become informed— know the basics of phishing and its red flags, implement an extra layer of security on your accounts, and immediately delete suspected phishing emails.