In This Article
• What is it and how does it work?
• Who is phishing me?
• Why is it dangerous?
• Examples of phishing emails
• What should I do?
• How can I protect myself?
• Can you spot the phish?
What is Email Phishing?
Phishing (pronounced like “fishing”) is when a hacker sends a bogus email that looks legitimate. It might look like an email from a trusted friend or from a known website, but actually contains links or attachments that do bad things if clicked.
The hacker's goal is to send the recipient to a website containing a virus or other malware, or to collect data such as usernames and passwords.
Phishing is a type of “social engineering” where hackers take advantage of common human behavior to trick people into doing things they otherwise would not do.
How Does it Work?
Hackers often run phishing attacks using stolen or otherwise compromised email accounts, or sometimes from “throwaway” accounts created for the purpose and then abandoned.
A phishing email may look like normal personal correspondence from a friend or co-worker, or like a notification from a company or website you've done business with.
However, it is very easy to create an authentic-looking email, even with company logos, images, fonts, and colors. It's also very easy to make an email look like it came from a legitimate email address.
Sometimes phishing emails use scare tactics, such as warning you that your email account or credit card has been stolen. Other times, they will entice you with something positive, like telling you about an unexpected bank deposit or package delivery.
The goal is to get you to open and read the email, then take some kind of action like clicking a link.
Sometimes that link will take you to a website that does a “drive-by download”, which means as the web page loads, it installs a virus or other malware onto your computer. The page may look like a real website or could just be an error page.
Sometimes the email accounts of prior phishing victims, unaware they were infected, are used to send future phishing emails to others.
See the section below on ways to protect yourself.
In other cases, the link will go to a page that looks identical to what you'd expect based on who the email seems to be from. Often after capturing your username and password, the bogus web page may actually redirect your web browser to the real web page, and just make it seem like you had a typo in your password. (At that point, as you can guess, it's too late - the hacker already has your sensitive info.)
Another way hackers trick you with phishing emails is by attaching a file that looks interesting, like a Word document, a video, or a PDF that seems fun or useful. But these attachments can carry malware and infect your computer as soon as you open them.
Where do phishing emails come from?
Well, they come from hackers! But they will appear to come from someone you trust, perhaps a friend, relative, neighbor, co-worker, etc.
They also might look like they come from a business, organization, or website you've used. These could be banks, credit card companies, shipping companies, eCommerce websites, local stores, non-profits you've donated to, political campaigns, or any other entity whose name you might recognize.
Especially around tax time each year, many phishing emails are sent looking like they came from the IRS or a state's taxing authority. These can look very real and intimidating!
Why is phishing dangerous?
Phishing is one of the primary ways viruses and other malware get onto computers. If you click on a link in a phishing email, or sometimes just have it appear in your email software's “preview” pane, you've done two things for the hacker who sent it…
First, you confirmed that your email address is valid and active.
Second, you've gone to a web page he created to install malware and/or collect data.
Phishing is also a primary way hackers steal credit card and other financial information, often without the victims being aware of it.
What are the different types of phishing?
Regular phishing tries to catch anyone it can by sending email to a lot of people and hoping some of them will take the bait. But there are even nastier types…
Spear phishing is targeted either at an individual or at a small group of people. For example, a target could be the owner of a particular company or the employees using that company's email server.
Whaling is when the hackers go after a “big catch”, like the CEO of a company, another top executive, or a person in charge of a department.
Spear phishing and whaling emails can be made to look quite authentic by including information related to the individual or group targets.
Targets of these types of attacks are often people who have access to sensitive information or to systems the hacker would like to get into. The goal is to get more information or better access than an ordinary, broader phishing attack would provide.
And the tactics hackers use are devious:
They will gather as much information about the particular target as possible and sometimes information about other people in the target's organization. Then, for example, they send a carefully written email to the target, claiming to be someone high up on the organization chart. They present some info that only that person and the target should be aware of, and try to get the target to click an embedded link.
That link, of course, goes to a malicious web page that infects the target with malware that can, in turn, dig into the computer and network to get even more information.
There have been cases where executives in large companies have been fooled by spear phishing or whaling that led to the release of a large amount of sensitive information.
Examples of phishing
Phishing emails can take many forms. Here are just a few examples…
An email arrives and looks like it came from your bank, telling you there was a data breach and everyone needs to change their passwords. The email directs you to a website that looks like the bank's website. Except that it's not. It's a fake web page, built by the hacker. It asks for your username and current password, then pretends to provide a password update function. Of course, as soon as the information is entered, the hacker can log into your real account and do some damage.
A shipping company (FedEx, USPS, etc.) sends an email saying they're having trouble delivering a package. They ask you to log into their site to confirm your address. While you do this, your computer is being infected with malware.
The VP of Finance of a company gets an urgent email from the Information Technology Director saying their computer system was hacked and he needs to immediately install some security software. He directs the VP to a website so he can provide the company's payment info for the software. However, the email didn't come from the IT Director; it came from a hacker, who had discovered the names of the VP and IT Director (and some other relevant company info). The “payment” website captures the info and the hacker goes on a spending spree.
There are many other types of phishing emails. See if you can “spot the phish” by taking the quiz in the section below!
What should I do if I opened or clicked a phishing email?
First, don't panic. If you clicked a link to a website and provided sensitive info, open a new browser window, go directly to the legitimate website, and try to log in. If you can, change your password to a strong one (Read this for password advice). If there's an email or phone contact for a “fraud” or “phishing” department, let them know what happened.
If you can't log in, perhaps because a hacker changed your password, contact the owner of the website via direct email or phone. Explain what happened, ask them to reset your password, and ask if there's any strange activity on your account.
If this happened with a financial account (bank, credit card, etc.) or with a website where you may have stored your credit card info, contact them immediately, preferably via a phone number you're sure belongs to them. You'll definitely want to change your password. In some cases, they may want to issue you a new credit card and/or account number. Keep a close eye on your financial statements looking for any unauthorized charges.
If you think you clicked a link or opened an attachment in a phishing email, but did not provide any sensitive info (and nothing else weird happened), your best bet is to run a full system virus scan. If you're able to do that on your own, great! If not, find a technically-minded family member or trusted friend who can do it for you.
Anytime you think you might have accidentally interacted with a phishing email is a good time to watch your accounts more carefully.
How can I protect myself from phishing emails?
Be wary of emails you weren't expecting. If an email asks you to click a link to provide sensitive info (name, address, login username, password, etc.), it's much safer to go directly to the website, log in, review the request, and take action there if appropriate.
If you have any suspicions about a received email, find a legitimate email address or phone number (don't trust anything in the email) and contact the sender to confirm that the email you received is valid.
Also be careful with email attachments - they can look innocent, like Word docs or PDFs, but can infect your computer the instant you open them.
If you get an email from someone you know, with a link to click or an attachment, call the person and confirm they actually sent it.
But be careful with emails they simply forwarded and/or added an attachment to that they did not personally create. (Even if they are a legitimate sender, they may have been tricked by a hacker to forward emails to others or attach infected documents.)
Periodically check your email “sent” folder for things you did not send.
Look out for emails from companies you do NOT do business with, such as other banks, credit card companies, online stores, etc.
Watch for any other unusual and/or unexpected email activity.
Can you spot the phish?
Not too long ago, it was relatively easy to spot a suspicious email: There were spelling or grammatical mistakes, logos and colors weren't quite right, and/or the links to click were obviously malicious. But now hackers have gotten much better at creating very authentic-looking emails. In addition to better spelling and grammar, and stealing logos and colors from legitimate websites, they can “mask” the links to appear as if they go to the “right” destination.
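The link “masking” described above works because the text a link displays and the address it actually opens are two separate parts of an HTML email, so a defender can compare them mechanically. The following is an added example, not code from this article: a small Python checker that reports links whose visible text names one domain while the real destination points to another. The sample email, its domains (using the reserved `.test` TLD), and the helper names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a domain name inside a link's visible text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Constructed sample: the first link shows the bank's name but points elsewhere.
SAMPLE_EMAIL = """
<p>Your account has been locked. Sign in at
<a href="http://login.examp1e-secure.test/reset">www.example-bank.test</a>
to restore access.</p>
<p>Questions? Visit <a href="https://www.example-bank.test/help">www.example-bank.test</a>.</p>
<p>Or <a href="https://www.example-bank.test/reset">click here</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:  # only text shown inside the link
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude base-domain comparison: mail.example.com -> example.com."""
    return ".".join(host.lower().split(".")[-2:])


def masked_links(html):
    """Return (shown_text, real_host) for links whose text names a different domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""  # "" if the href has no host
        if any(registrable(d) != registrable(real_host) for d in DOMAIN_RE.findall(text)):
            findings.append((text, real_host))
    return findings
```

Links whose text is plain wording (“click here”) are not flagged by this check, because there is no displayed domain to compare; they still deserve a hover-and-look before clicking.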
No one should feel stupid for getting suckered by a phishing email! It almost happened to me a few times, and I am hyper-vigilant about spotting the tiniest clue that an email is phishing me.
If you are curious about what some real phishing emails look like, and want to test your ability to spot them (with no risk), check out this quiz put together by security experts at Google. Then let me know which ones almost fooled you.
Phishing is a way hackers attack people by sending them valid-looking emails, which can include a link or attachment that infects a computer with a virus or other malware. Phishing emails may appear to come from a person, company, or organization we know and trust.
Clicking a link, or opening an attachment, in a phishing email is one of the primary ways computers get infected.
“Spear phishing” goes after a single person or small group of people and “whaling” goes after people the hacker thinks might have access to a lot of sensitive information (or money).
Phishing emails try to scare people (“your account is past due!”) or entice them (“new deposit to your account!”), but there are steps you can take if you accidentally clicked a phishing email link or opened an attachment.
Knowing what to look for, and what to do, can help prevent you from being the victim of a phishing email. Google created a quiz to test your ability to spot phishing emails.
Hopefully this article was helpful. If you have any questions about email phishing, please get in touch...