Phishing is a deceptive method in which a criminal sends an email or text that mimics or claims to be from a trusted source (such as a bank, or the Internal Revenue Service, or the Better Business Bureau, or the Federal Trade Commission) in an attempt to steal personal and financial information from you – such as a social security number, credit card number, account number or password.

This scheme only works if the perpetrator convinces you to go from the email or text to a bogus website.  Below are some tips on how to spot a phishing email.  Once you spot it, delete it.

  • You’ve Got (an Unexpected) Email!  Let common sense be your guide. Legitimate companies don’t ask for personal information via email or text.
  • Act Now!  Online scammers prey on vulnerabilities. One trick is to create a sense of urgency by convincing you that something bad has happened (or will happen) and you need to act quickly or there will be dire consequences. For example, they might threaten to close your account or take other action against you if you don’t act quickly.
  • “Dear Account Holder.”  Most phishing emails have generic salutations like “Dear Account Holder,” “Our Valued Customer,” “Dear Client,” or “Greetings yourname@yourbusinessaddress.net.”
  • Phishing Expeditions Request Your Personal Information.  Remember, the aim of a phishing expedition is to get you to surrender your personal information. Be especially suspicious if you are asked to update your information; that’s a very common ploy.
  • Link is Forged. Don’t be duped by a web link that appears to be legitimate just because you recognize some part of the business name in it. That doesn’t mean it links to an official website. One trick to ferret this out is to hover over the link and see whether the address it actually points to matches the sender’s email address.  If not, that’s your answer.
  • “S” stands for “Secure.”  Only provide personal or financial information through a website if you typed the web address into the browser yourself and the site appears to be secure.  Tip:  Websites that are safe start with “https:” – where the “s” stands for secure. If you don’t see “https:” it’s probably not a legitimate website.
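The tips above can be applied mechanically to a message before a person ever reads it. The script below is an added example written for this page, not code from the original article: it parses a constructed sample email, extracts the links, and reports the indicators the tips describe (generic salutation, urgency wording, a request for personal information, a link that is not https, a link whose domain differs from the sender's domain, and link text that shows one address while the href points to another). The sender address, domain names, keyword lists and sample body are all made-up assumptions for illustration. One caveat a practitioner should keep in mind: the https check is a necessary condition, not proof of legitimacy, because a bogus site can also be served over https, so the domain comparisons carry more weight than the scheme check.

```python
"""Heuristic phishing-indicator checker (added example, not the article's own code).

All domains, keyword lists and the sample message are constructed assumptions.
"""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases drawn from the article's tips; extend these lists for real use.
GENERIC_SALUTATIONS = ("dear account holder", "our valued customer", "dear client")
URGENCY_PHRASES = ("act now", "immediately", "account will be closed", "suspended")
PII_REQUESTS = ("password", "social security", "credit card", "account number",
                "update your information")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Crude 'last two labels' domain. A production tool would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_message(sender, subject, html_body):
    """Return a list of (indicator, detail) pairs found in the message."""
    findings = []
    text = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    _, sender_addr = parseaddr(sender)
    sender_domain = registrable_domain(sender_addr.rsplit("@", 1)[-1]) if "@" in sender_addr else ""

    for label, phrases in (("generic salutation", GENERIC_SALUTATIONS),
                           ("urgency", URGENCY_PHRASES),
                           ("requests personal info", PII_REQUESTS)):
        for phrase in phrases:
            if phrase in text:
                findings.append((label, phrase))
                break  # one hit per category is enough

    for href, visible in extract_links(html_body):
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if not host:
            findings.append(("relative or malformed link", href))
            continue
        if parsed.scheme != "https":
            findings.append(("non-https link", href))
        link_domain = registrable_domain(host)
        if sender_domain and link_domain != sender_domain:
            findings.append(("link domain differs from sender domain",
                             f"{link_domain} vs {sender_domain}"))
        # Visible text that looks like an address but resolves elsewhere is the forged-link trick.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", visible.lower())
        if shown and registrable_domain(shown.group(1)) != link_domain:
            findings.append(("link text does not match href", f"{visible} -> {host}"))
    return findings


# Constructed sample message; every value here is made up for the example.
SAMPLE_SENDER = "Example Bank Security <alerts@example-bank-alerts.test>"
SAMPLE_SUBJECT = "Action required on your account"
SAMPLE_BODY = """<p>Dear Account Holder,</p>
<p>Unusual activity was detected. Your account will be closed unless you
act now and update your information.</p>
<p><a href="http://login.examp1e-bank.test/verify">https://www.example-bank.test/login</a></p>"""


def run_sample():
    return check_message(SAMPLE_SENDER, SAMPLE_SUBJECT, SAMPLE_BODY)


if __name__ == "__main__":
    for indicator, detail in run_sample():
        print(f"{indicator}: {detail}")
```

On the sample message the checker reports all six indicators. Each one on its own can occur in legitimate mail (a real notice may be urgent, and a real company may link to a separate marketing domain), so treat the output as a list of reasons to be suspicious rather than a verdict.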

Spear phishing is a more sophisticated form of phishing.  In the case of spear phishing, the presumed sender of the email is an individual within your company, and it’s generally someone with authority like a “System Specialist” or “Network Administrator.”  Spear phishers target the company’s sensitive, confidential information. Frequently, the email or text will request that you either log in to a bogus web page that requires the employee’s user name and password, or click on a link (that will initiate the download of spyware or malware onto your computer or the company’s network).

  • Tip:  If you don’t recognize or have doubts about the identity of the email Sender, you should look them up on your company’s directory or contact your supervisor.

Takeaways

  • Once you’ve spotted a phishing message, delete it.
  • If you accidentally click on the phishing link and a program downloads on your computer or network, contact your tech support department right away.
  • Add signature blocks to your emails so that you’re easily identifiable as a company employee. Include name, title and phone number so you can be contacted directly.