With news of the Gmail phishing attack still fresh in our memory, this is a good time to review some basic precautions you can take to avoid becoming a phishing victim.
Phishing attacks have been on the rise recently because, to put it bluntly, they work. The Anti-Phishing Working Group recorded 1.22 million phishing attacks in 2016, a 65% increase over the previous year. Phishing is the most common way attackers deliver ransomware, which is the fastest-growing form of malware.
Even though phishing has been around for a long time, it’s still amazingly effective. Some attacks have been found to record click-through rates of 30% or more (marketers would kill for that!). As the Gmail attack showed, phishers are becoming sneakier and more effective.
Most phishing attacks take the form of emails disguised to look like they come from trusted sources. The subject line usually carries an urgent message intended to drive immediate action, such as notice that an account has been compromised or that a service is about to be suspended. The attacker’s goal is to alarm the recipient and prompt immediate action – usually downloading an attachment or clicking on a link – without thinking about what they’re doing. That one click can trigger a malware infection.
Here are five steps to keep yourself safe.
- Beware of poor spelling or grammar. Many phishing attacks originate outside the U.S. from people whose first language isn’t English. Legitimate organizations attend to details like grammar, spelling and usage. If the email contains these errors, it’s probably a scam.
- Never respond to requests for information. Reputable organizations will never ask you to send passwords, credit card numbers or other personally identifiable information by email. Never.
- Check the email address. The “From” line of an email has two parts: the display name (or alias) and the actual email address. The alias can be anything the sender wants it to be, but the email address can’t be disguised. Phishers always set the alias to look legitimate, such as “PayPal Customer Service.” But if the email address in that example isn’t at PayPal.com, the message is a fake. Always check before clicking.
- Don’t click unless you’re sure. A favorite tactic of phishers is to entice their victims to click on a link that purports to send them to a login or payment page. The page is disguised to look legitimate, but it’s a false front intended to capture information. Before clicking any link, hover your mouse pointer over it first. The real destination address will appear at the bottom of your browser or email client window. If it looks suspicious, get out of there. Beware of addresses that are doctored to look legitimate, such as “Googlecom.es.”
- Use a password manager. One of the little-known benefits of a password manager is that it protects you from phishing scams. That’s because it won’t fill in your credentials on a login page whose URL doesn’t match the URL saved when the entry was created. So even if the phisher tricks you into clicking on a link, the password manager gives you an extra layer of protection. Think of it as phishing insurance.
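The “check the email address” and “hover before you click” tips above, written out as an added Python example (not code from the original post). The TRUSTED set stands in for the sites you actually have accounts with, much like a password manager’s saved entries; the sample headers and URLs are constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list of sites the reader really has accounts with.
# A password manager's saved login URLs play the same role.
TRUSTED = {"paypal.com", "google.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'accounts.google.com' -> 'google.com'.
    Good enough for this illustration; real code should use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def brands_mentioned(text: str) -> set:
    """Trusted brand names (first label of each trusted domain) found in text,
    e.g. 'PayPal Customer Service' -> {'paypal.com'}."""
    lowered = text.lower()
    return {d for d in TRUSTED if d.split(".")[0] in lowered}


def classify_host(host: str) -> str:
    """'trusted' if the registrable domain is ours; 'lookalike' if the name merely
    contains a brand (googlecom.es, google.com.evil.net); otherwise 'unknown'."""
    if registrable_domain(host) in TRUSTED:
        return "trusted"
    if brands_mentioned(host):
        return "lookalike"
    return "unknown"


def check_sender(from_header: str) -> tuple:
    """Split a From header into alias and address and judge the address domain,
    ignoring the alias except to notice when it impersonates a trusted brand."""
    alias, address = parseaddr(from_header)
    host = address.rpartition("@")[2]
    verdict = classify_host(host)
    if verdict != "trusted" and brands_mentioned(alias):
        verdict = "spoofed-alias"  # alias says PayPal, address domain does not
    return alias, host, verdict


def check_link(href: str) -> tuple:
    """What 'hovering' reveals: the real hostname and how it classifies."""
    host = urlparse(href).hostname or ""
    return host, classify_host(host)
```

A password manager's refusal to autofill corresponds to any verdict other than "trusted" for the page's URL.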