TL;DR: Question everything! If you’re not sure if an email is legitimate, ask your IT provider before clicking on anything.
If you don’t already know what the word “phishing” means, then you absolutely must read on. If you do, great – this post should help you identify and avoid most, if not all, phishing attempts.
The Oxford dictionary defines phishing as “The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.”
These sorts of attacks are becoming more and more common, and unfortunately for most of us, they’re also becoming less obvious and more clever. Gone are the days of being asked by a complete stranger (very nicely, in a poorly formatted plain-text email riddled with spelling and grammatical errors) for your bank account details so the cousin of a deceased Nigerian prince can transfer you 5 million dollars. No, these days you’re more likely to receive an attachment from someone you know, which will require you to enter your credentials into a very convincing Google login page to access – as evidenced by a new phishing racket only last month.
So how do you identify these attempts, and separate them out from the dozens of legitimate emails you receive every day? Ask yourself the following:
Do I know the sender? If you’re being informed that someone you don’t know has just shared “Updated template.docx” with you, question it. Unfortunately, some of these phishing attempts will come from people you DO know that have already had their accounts compromised, so keep that in mind.
Does the domain (the part of the email address after the @) match the company the sender is supposedly from? If you’re receiving an email from email@example.com containing a link asking for your Google login details, alarm bells should be going off in your head. However, don’t treat the displayed sender address as proof of anything, since it can be faked (though fortunately, most modern mail filtering systems will pick up on this and flag it as spam) – if something doesn’t feel right, don’t click anything and don’t enter your details.
What details am I being asked for, and what are the consequences of these being compromised? Some of these things will be obvious – if you’re being asked for credit card details (note: never send these via email!), you’re going to lose money. Some are not so obvious – for example, if your Google account is compromised, how many other sites can the attacker gain access to with this? Could they use the details in your profiles on these sites to gain access to other, more sensitive, accounts via social engineering?
This may seem like a lot of questions to be asking yourself about every single email you receive, but if you can get into the habit of it, your information (or your company’s) will be a lot more secure. At the end of the day, security is everyone’s job.