Imagine someone wanting to catch and eat fish for dinner. What would they do? They would attach bait to the end of the hook and cast it into the ocean. They would hope that a fish would mistake it for food and bite.
Similarly, if someone wanted to steal your personal information, they would distribute malware via email as “bait” and cast it into the wide ocean of internet users. This is done intentionally to trick people: the message is dressed up to look legitimate and to appear to come from a genuine source.
Criminals use email to pose as a company or service and ask you to take action, usually urgently. The email contains a link they are hoping you will click. The link leads to a page that asks you to fill in your sensitive information. Once they have it, they can use it later to wreak havoc.
A more targeted form of phishing is spear phishing. Instead of going after many victims for a small reward each, the attacker goes after a big reward by targeting high-value targets (specific individuals, businesses, etc.). The information used here is often tied to your company or to you individually, which makes an attack like this easier to launch.
That information is acquired by searching social media for details about you or your company, or elsewhere. Since the “official” email looks like it came from a business partner, colleague, or corporate entity (logos are used to create a feel of authenticity), you end up clicking.
The goal is to gather your credentials and install malware by gaining access to your system/computer. So what should you be looking at when distinguishing a phishing email from an authentic one?
The email may say that it’s from PayPal, but when you take a closer look at what follows the @ symbol, the sender’s domain has nothing to do with PayPal. Another way of telling is to look at the email content.
With a phishing email, you’d often notice glaring grammar and spelling errors. And finally, if you hover your mouse over the login link in such an email, you’d see it doesn’t lead to paypal.com at all.
All the signs above point to the fact that the email is not from PayPal but is a phishing attempt designed to get you to give away your sensitive data.
Normally the signs are relatively easy to spot when you know what to look for, but it can get tricky. Criminals have learned more subtle ways of phishing where the domain is off by a letter or two. In other cases, characters are transposed. So, for instance, you’d see “paypall.com”, and while it’s darn close, it isn’t the PayPal we all know.
Only upon close inspection can you tell that the extra “l” makes the URL incorrect, i.e. a phishing site. The safest practice here is to never click the link in an email but instead go directly to the site by typing the URL into your browser or performing a search for the so-called organization.
Some tips to be mindful of:
- Check who the sender is.
- Check the email for grammar and spelling mistakes.
- Mouse over the link to see where it’s taking you. When unsure, do not click the link. Instead, perform a manual search or type the URL for that “company” into your address bar.
- Contact your IT staff/team if you’re unsure about the contents of an email. They’ll know what to do.
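The two checks the tips above describe, the sender’s domain after the @ and the real destination of each link, can be automated. The following Python script is an added example (not code from the original article); it assumes paypal.com is the organization the email claims to be from, and the sample From: header and links are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# The organization the email claims to come from (taken from the article's PayPal example).
EXPECTED_DOMAIN = "paypal.com"


def registrable_domain(host):
    """Reduce a hostname to its last two labels: 'mail.paypal.com' -> 'paypal.com'.
    Also exposes tricks like 'paypal.com.login-verify.net' -> 'login-verify.net'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(from_header):
    """Return the part after the @ in a From: header such as 'PayPal <alerts@example.net>'."""
    match = re.search(r"<?([^<>\s]+@([^<>\s]+))>?\s*$", from_header)
    return match.group(2).lower() if match else ""


def edit_distance(a, b):
    """Levenshtein distance, used to catch domains that are off by a letter or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, expected=EXPECTED_DOMAIN):
    """'match' for the real domain, 'lookalike' for a near miss (e.g. paypall.com), else 'mismatch'."""
    d = registrable_domain(domain)
    if d == expected:
        return "match"
    if edit_distance(d, expected) <= 2:
        return "lookalike"
    return "mismatch"


def check_email(from_header, link_urls, expected=EXPECTED_DOMAIN):
    """Apply the sender check and the hover-over-the-link check to one email."""
    findings = {"sender": classify_domain(sender_domain(from_header), expected), "links": {}}
    for url in link_urls:
        host = urlparse(url).hostname or ""   # hostname is None for a malformed URL
        findings["links"][url] = classify_domain(host, expected)
    return findings


if __name__ == "__main__":
    # Constructed sample: a spoofed display name, a typosquatted link and a subdomain trick.
    print(check_email("PayPal <alerts@paypa1-secure.example>",
                      ["https://www.paypall.com/login", "https://paypal.com.login-verify.example/x"]))
```

Anything classified as “lookalike” or “mismatch” is the cue the article gives: don’t click, go to the site yourself.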
See how you can protect yourself with a VPN.