Phishing is one of the most visible and easiest ways for internet bad guys – referred to in the biz as “threat actors” – to separate you from your login credentials and your personally identifiable information, or PII. With those in hand, a threat actor can compromise your business and personal accounts, steal money from you (by gaining access to your credit card(s) or bank account(s)) and even take over your identity, all in the name of fraud.
Phishing attempts – or attacks, if you will – use legitimate-looking email in the hope that you’ll click on the link(s) in it. Once you do, you’re usually exposed to one of a small number of attack types (“threat vectors”).
One threat vector associated with phishing attacks is the installation of malicious software (malware) on your computer, either as an application that’s hidden from your view or as an extension in your browser. Either way, your computer now has what many people will refer to as a “virus,” but is in reality software designed to snoop on you and your activities, all the while looking for and collecting your PII (passwords you type, card numbers you enter, files you keep). Nastier types of malware will even take over the operation of your computer and use your own email account and contact list to send the same phishing message onward, so that to the next victim it looks like YOU are the problem!
Another, and frankly far more common, threat vector from phishing attacks involves simply getting you to try logging in to what you think is a legitimate website. The link leads to a copy of the real login page; whatever username and password you type there goes straight to the threat actor, who then logs in to the real site as you. Take, for instance, PayPal, a web-based payment service used by millions of people around the world. If you get an email that looks like it’s from PayPal, say, like this one I got just this morning…
Looks legit, doesn’t it? Many people would just click on the “update your information” button and BOOM! YOU’RE COMPROMISED! Instead of insta-clicking on that button, though – or any other link in the email – stop and think. Is the content of the email realistic?
- Do you even have a PayPal account?
- Do you actively use it?
- When is the last time you updated your information/profile/payment/address?
- Have you ever received an email like this from any company before?
- Will PayPal really restrict your account if you don’t respond within 72 hours? Have they EVER done that to ANYBODY you know before? (An artificial deadline is there to rush you past exactly these questions.)
Now, before you click on that button (or link), there are two other things you can check to see if you’re being phished or not. First, the sender’s address: the From address, and the Reply-To address if your mail program shows one. If it’s something like “support @ paypal.com” then it just might be a legit email – but no guarantees, because the From address is set by whoever sends the message and can be forged, and a friendly display name like “PayPal Support” can sit in front of any address at all. Continue to be suspicious and investigate the email. If the address has nothing to do with PayPal, be very suspicious. In the case of the actual email I received (above), this was the return email address
Does that say PayPal? NO IT DOES NOT. That’s a big-ass red flag right there. (Note: If all your email program usually shows is a name like “no-reply” or “PayPal” and NOT the full email address, change that immediately in your email client preferences. If you use Apple’s Mail app, that process is Mail > Preferences (called Settings on newer versions of macOS) > Viewing > UNCHECK Use Smart Addresses.)
Even if the sender address checks out, you can check out a link before you actually click on it. Mac and Windows computers both use “context menus” for many things; you may not know they’re called this, but I’m betting you know how to bring them up. Hover your mouse pointer over the link (or button) and right-click on it. If you don’t have a two-button mouse or a trackpad that understands the concept of right-clicking, hold down the “CTRL” (Control) key on your keyboard and then click the button. You should get a context menu, which (on my Mac) enables copying the link, as such:
Then paste the link into a text editor (TextEdit, WordPad, etc.) and see if it looks legit. The part to read is the host name: everything between the “://” and the next “/”. What counts is the name immediately before the final “.com” (or “.net”, and so on), not whatever sits to its left: “www.paypal.com” is PayPal, but something like “paypal.com.account-update.example” belongs to whoever registered “account-update.example”. A bare numeric address, or a long string of random-looking letters, is also a bad sign.
Well that certainly doesn’t look like a PayPal address!
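To make those two checks mechanical (sender address first, then the copied link target), here is a small Python script I have added to this post. It is example code, not anything from PayPal or from any mail client. It assumes the brand being impersonated is PayPal (paypal.com), and every sample header and URL in it is made up for illustration. It also goes a little beyond the text by catching a few link tricks the post does not mention: a fake host name hidden before an “@”, bare IP addresses, and punycode (“xn--”) look-alike domains.

```python
"""Sender-address and link-target checks for a suspected phishing email.

Added example for this post, not code from PayPal or from any mail client.
Uses only the Python standard library; every header and URL below is
constructed for illustration.
"""
from email.utils import parseaddr
from typing import Tuple
from urllib.parse import urlsplit

# Assumption for this example: the brand the email claims to come from.
EXPECTED_DOMAIN = "paypal.com"


def registrable_domain(host: str) -> str:
    """Reduce a host name to its last two labels: 'www.paypal.com' -> 'paypal.com'.

    Simplification: production tooling should use the Public Suffix List so
    that names under suffixes such as 'co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_sender(header_value: str, expected: str = EXPECTED_DOMAIN) -> Tuple[bool, str]:
    """Inspect a From: or Reply-To: header value. Returns (looks_ok, reason).

    A True result is not proof of legitimacy: the From header is chosen by
    whoever sends the message and can be forged outright.
    """
    display_name, addr = parseaddr(header_value)
    if "@" not in addr:
        return False, f"no parsable address in {header_value!r}"
    domain = addr.rsplit("@", 1)[1]
    brand = expected.split(".")[0]
    if registrable_domain(domain) != expected:
        if brand in display_name.lower():
            # Display-name spoofing: the name says PayPal, the address does not.
            return False, f"display name {display_name!r} but address is {addr}"
        return False, f"address domain {domain!r} is not under {expected}"
    return True, f"{addr} is under {expected} (still not proof: From can be forged)"


def check_link(url: str, expected: str = EXPECTED_DOMAIN) -> Tuple[bool, str]:
    """Inspect a link copied out of the email. Returns (looks_ok, reason)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False, f"unexpected scheme {parts.scheme!r}"
    host = parts.hostname or ""
    if not host:
        return False, "no host name in URL"
    if parts.username is not None:
        # 'https://paypal.com@evil.example/': the browser ignores everything
        # before the '@' and connects to evil.example.
        return False, f"text {parts.username!r} before '@'; real host is {host}"
    if host.replace(".", "").isdigit() or ":" in host:
        return False, f"bare IP address {host} instead of a domain name"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"punycode label in {host}: possible look-alike characters"
    reg = registrable_domain(host)
    if reg != expected:
        brand = expected.split(".")[0]
        if brand in host:
            return False, f"{host} merely contains '{brand}'; it belongs to {reg}"
        return False, f"host {host} is not under {expected}"
    if parts.scheme != "https":
        return False, f"{host} is right but the link is plain http"
    return True, f"host {host} is under {expected}"


if __name__ == "__main__":
    # Constructed samples, modelled on the kind of email discussed above.
    samples = [
        ("From", "PayPal <service@paypal.com>"),
        ("Reply-To", "PayPal Support <no-reply@mail-notify.example>"),
        ("Link", "https://www.paypal.com/myaccount/"),
        ("Link", "https://paypal.com.account-update.example/update"),
        ("Link", "https://paypal.com@evil.example/"),
        ("Link", "http://203.0.113.5/paypal/login"),
    ]
    for kind, value in samples:
        ok, reason = check_link(value) if kind == "Link" else check_sender(value)
        print(f"{'OK ' if ok else 'BAD'} {kind:8} {value}\n      {reason}")
```

Paste the copied link into `check_link()` and the From or Reply-To line into `check_sender()`. A BAD result is a strong reason not to click; an OK result only means the obvious tricks are absent, so keep applying the questions above before you trust the message.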
Here’s some alarming information about phishing that may wake you up a little.
- 1 in 12.5 million spam emails generates a successful phishing attack
- 14 billion spam emails are sent every day
- 76% of US businesses suffered phishing attacks in 2017
- The average email account receives 16 malicious emails a month
- Over 92% of malware is delivered via email
- The most common phishing attacks are emails disguised as invoices (bills), delivery failure notices, law enforcement actions, and package delivery notices
- The FBI says phishing attacks and other email-based scams cost US businesses over $676 million in 2017
By taking just a few moments before clicking on the link in that legitimate-looking email, you can save yourself from a whole lot of trouble. Be Smart: Shop S-Mart… and also protect yourself from phishing attacks!