How to Catch a Phish

October is Cybersecurity Awareness Month and one of the themes this year is Recognize & Report Phishing. I also just had an informative interview with Nick Oles on phishing based on his book, “How to Catch a Phish“. So let’s do a quick refresher on how to spot and handle a phishing scam.

Catch a Phish

Phishing emails are designed to trick you into giving up confidential information – usually login credentials or information that can be used to steal your identity or perhaps relieve you of large sums of money. Sometimes these emails will come with attachments that can infect your computer with malware. But in most cases, the emails are designed to lead you to malicious websites that are designed to look like some other legitimate site – like your bank, PayPal, Amazon, government sites and so on. When you enter your login credentials, these fake sites record your user name and password, giving them access to your account. Sometimes they will then redirect you to the real site to avoid suspicion.

Here are some red flags that should make you think twice:

  1. The sender’s email address is suspicious. Look at it carefully – the base domain name should be correct and not just “close enough”. For example, is not However, these addresses can be spoofed, too, so just because it appears to be correct doesn’t mean the email is legitimate.
  2. Generic personal info. If they don’t address you by your name or reference your account information, that means they don’t really know you. Any legitimate email should include detailed information that only they would know.
  3. Plays heavily on your emotions. The bad guys try to evoke strong emotions to push you to act. This may be threats of closing your account, legal action or fines. Sometimes they use positive emotions, too – for example they may ask you to help others in dire need, potentially even people you know.
  4. Urgency. Most phishing scams require you to act right away. They don’t want you to think too much and they don’t want you to set the email aside and forget about it.
  5. Poor grammar, spelling. Big companies don’t often screw up spelling and grammar. Look for bad punctuation and odd-sounding phrases, too.
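The base-domain check from red flag 1, written out as an added Python example (not code from the original post): it pulls the sender's base domain out of the From: header, compares it with an allowlist, and flags the "close enough" tricks such as a brand name buried in a subdomain, swapped characters, or a display name that claims a brand the sending domain does not belong to. The allowlist, the confusable table and the two-label base-domain rule are assumptions for the example.

```python
import re
from email.utils import parseaddr

# Constructed allowlist for the example: the exact base domains these brands send from.
TRUSTED_DOMAINS = {"paypal.com", "amazon.com", "irs.gov"}

# Digit-for-letter swaps that make a domain look "close enough" (assumed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(token):
    """Fold common lookalike tricks so 'paypa1' and 'arnazon' compare equal to the brand."""
    return token.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def registrable_domain(from_header):
    """Base domain (last two labels) of the address in a From: header, or None.
    Assumption: no public-suffix list, so two-label suffixes like co.uk are not handled."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    labels = addr.rsplit("@", 1)[1].lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])


def check_sender(from_header):
    """Classify a From: header as 'trusted', 'lookalike' or 'unknown'.
    'trusted' only means the base domain string matches the allowlist; it does not
    prove the header was not spoofed, which is what SPF/DKIM/DMARC are for."""
    base = registrable_domain(from_header)
    if base is None:
        return "unknown"
    if base in TRUSTED_DOMAINS:
        return "trusted"
    display, addr = parseaddr(from_header)
    host_tokens = [normalise(t) for t in re.split(r"[.-]", addr.rsplit("@", 1)[1].lower())]
    name_tokens = re.findall(r"[a-z0-9]+", display.lower())
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand used as a label of some other base domain (paypal.com.verify.example,
        # paypal-login.example) or with characters swapped (paypa1.com, arnazon.com)
        if brand in host_tokens:
            return "lookalike"
        # Display name claims a brand the sending domain does not belong to
        if brand in name_tokens:
            return "lookalike"
    return "unknown"
```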

What To Do

If you get an email that is obviously bogus, the simplest thing is to just delete it and move on with your life. However, there are some cases where you might want to do more.

First, you can report the phishing scam so that you might prevent others from falling victim to it. You can mark the email as “junk”, which might help spam filters catch it. Or you can formally report the scam to an authority who may be able to catch the bad guys. Try forwarding the email to, which is the Anti-Phishing Working Group. You can also register a complaint with the Federal Trade Commission in the US. Finally, you might report this to the organization or company that the email is impersonating.

Second, if you’re actually worried that the email may be legit, then here’s what you should do. Don’t trust anything from the email, including the reply email address or any phone numbers or links given. Also, avoid downloading and opening any attachments. If there really is a problem with your account – be it Apple, Amazon, the IRS, your bank, or whatever – then you can contact them directly and they’ll tell you. By “directly” I mean find an official, trusted source of information to find the proper phone number or website address. If you’ve already bookmarked the website in your browser, use that. When you log in, if there’s really a problem, you’ll see some sort of obvious notification there.
