From the course: Security Tips

Recognize phishing emails

- [Instructor] Phishing emails are messages that are designed to try to get people to share their personal information without realizing it. In many cases, the goal of phishing is to try to steal someone's identity, to access their financial information to steal money, or to use their information to access a restricted system. There are a few different kinds of junk email out there, and it's important to know the difference between them. The sort of email that floods inboxes, or nowadays, floods spam boxes, trying to sell dodgy products with weird formatting and spelling is generally just called spam. Phishing attempts are usually a little better looking than this, though not always. Most phishing attempts make an effort to look somehow official, like they're from a bank, or a payment site or an email site, or some other kind of social or personal information site. In many cases, phishing attempts will emulate big brands, in order to trick people into clicking through to a fake website and giving it their real credentials. It's very common for phishing emails to pretend to be a Gmail password reset, or some other kind of notification like a shared document. Many people's Google account is a central piece of their online and offline security model, so a compromised Gmail account is very valuable to an attacker. The same is true for Yahoo!, Microsoft and other large email providers. Sometimes phishing attempts look like invoices, requests for authorization to deliver a package, and other common business activities. It's also common for phishing attempts to pretend to be a notification from a payment site or bank, in the hopes of capturing someone's financial login information in order to steal money. And sometimes phishing attempts pose as fake confirmations that you have signed up for dating sites and other personal ad sites, or notifications about social media activity.
In some cases, phishing emails can look sloppy and a little bit off, but others look exactly like the genuine messages that they're impersonating. And some legitimate emails can have that spammy look about them, if certain elements don't show up correctly or if the designer was having an off day. So you can't go by appearance alone to determine whether an email is a phishing attempt. Other types of phishing you'll see are much less sophisticated, including emails with just a link, or simply asking you to reply to them with personal information. Often, these attempts say something like you've won a lottery, or you're due an inheritance, and you need to provide a birthdate, bank account number or other information like a mailing address to receive it. For a lot of people, this kind of phishing doesn't pass the smell test, but it keeps happening, so someone must be falling for it. Even just opening a message or clicking on the link in a phishing email can indicate to a phisher that there's someone behind the email account that's likely to click on links, so you should avoid clicking on anything in a message until you determine whether it's fake. Figuring out whether an email is a phishing attempt involves a few different approaches. First, it's important to ask yourself whether you're expecting an email similar to it. If you get a request for a password reset or something, did you recently request it? Were you expecting a message from your bank, or a package from a shipping service? If so, an email is probably legitimate, but it doesn't hurt to still be skeptical. If the message came to your inbox unexpectedly, it's time to be a little bit more suspicious. Generally, a safe way to check if a message is legitimate is to separately log in to whatever account is associated with the service or company that a message is from.
If it's a message that says it's from your bank, open up a web browser, type in your bank's web address, log in there and see if you have a notification. Generally speaking, that should give you your answer. And, if an email instructs you to call a phone number for some reason, look to see if that phone number appears on the web site for the organization the email says it's from. Something else to consider is the general tone of a message. When businesses send out automated emails, or messages about accounts, those messages have typically undergone some copy editing to make sure that the language used is correct and matches the brand's style. In many cases, you'll see unprofessional grammar, misuse of terms and improper capitalization in otherwise good-looking phishing emails. I can't speak to this in other languages, but I've definitely noticed it in English. Some phishing attempts can also sound overly formal, rushed or somewhat rude, in relation to what the message is asking for. Be sure to look at the sender too. Most organizations will send messages from a branded email address, not a personal address. And a lot of phishing messages have mismatched or otherwise odd-looking sender names or addresses. It's easy to spoof or fake a sender's address though. You can also dig into the message a little bit, to see if things are what they seem. If you're pretty technically inclined, it's interesting to read through the email headers and trace its path through the internet. And you can use other tools available in your email client to check out a message. Some email clients will show you the address of a link in an email by hovering your mouse over it without clicking. Usually a link or button should go to a page hosted on the domain of whoever sent the message. So, if you get a message from Google, for example, to share a document, whatever link you're intended to click on should go to Google, and the link should look clean. What does that mean?
Well, it's a little hard to describe. Basically you want to make sure the domain part of the URL is actually the domain you expect it to be. Not one that only kind of looks right. Or one that actually goes somewhere different. Some phishers will register domains, or sub-domains, that look like the site they're impersonating, so look closely at that if you're at all suspicious. And the last thing to consider, if somewhat unquantifiable, is the gut check. The smell test, or the vibe. If you have any doubt, pause and investigate. Ask a co-worker, a friend or a family member to take a look and see what they think. But hold off on clicking any links in the email. That's how they get you.
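The "hover over the link and check the domain part of the URL" advice above can be turned into a small automated check. The following Python script is an added example, not part of the course or any email client; it pulls every link out of an HTML email body, reduces each link's hostname to the part someone had to register, and compares that with the domain the message claims to be from. The suffix list and the sample message are constructed for illustration only (a real tool would load the Public Suffix List), and the `audit_email`, `check_link` and `registrable_domain` names are this example's own.

```python
"""Added example (not from the course): find the links in an HTML email body
and report where each one really goes, compared with the domain the message
claims to be from. Sample body and suffix list are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, deliberately short suffix list for this example; a real tool
# would load the Public Suffix List (publicsuffix.org) instead.
KNOWN_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(hostname):
    """Reduce a hostname to the part someone had to register,
    e.g. docs.google.com -> google.com, shop.example.co.uk -> example.co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes such as co.uk before one-label ones
        if ".".join(labels[-n:]) in KNOWN_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def check_link(url, expected_domain):
    """Classify one link target relative to the claimed sender domain.
    Returns 'match', 'lookalike', 'mismatch' or 'unparseable'."""
    parsed = urlparse(url)
    host = parsed.hostname  # ignores any user@ prefix and :port, as browsers do
    if parsed.scheme not in ("http", "https") or not host:
        return "unparseable"
    expected = registrable_domain(expected_domain)
    if registrable_domain(host) == expected:
        return "match"
    # Brand name present somewhere in the host, but a different registrable
    # domain: the "only kind of looks right" case from the transcript.
    brand = expected.split(".")[0]
    if brand in host:
        return "lookalike"
    return "mismatch"


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_email(html_body, expected_domain):
    """Return one row per link: (visible text, href, verdict). A link whose
    visible text is a URL on the right site while the href goes elsewhere is
    flagged separately: that is what hovering would reveal."""
    collector = LinkCollector()
    collector.feed(html_body)
    report = []
    for text, href in collector.links:
        verdict = check_link(href, expected_domain)
        if (text.startswith("http") and verdict != "match"
                and check_link(text, expected_domain) == "match"):
            verdict = "text-href-mismatch"
        report.append((text, href, verdict))
    return report


# Constructed sample body imitating a "shared document" notification.
SAMPLE_BODY = """
<p>A document was shared with you.</p>
<a href="https://docs.google.com.example.net/open?id=1">Open document</a>
<a href="https://google.com@example.net/verify">https://accounts.google.com/</a>
<a href="https://support.google.com/">Help</a>
"""

if __name__ == "__main__":
    for row in audit_email(SAMPLE_BODY, "google.com"):
        print(row)
```

Running it on the sample body reports the first link as a lookalike (the brand name sits in a subdomain of a different registered domain), the second as a text/href mismatch (the visible text is a real-looking Google URL, but the browser would go to example.net, since everything before the `@` is ignored), and only the third as a match. The same `check_link` routine can be applied to a link address read off the hover tooltip in a mail client.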
