Phishing has been around a long time, and as consumers have gotten wise to the scammers’ tricks the criminals are getting more sophisticated. The days of poorly crafted emails, loaded with spelling and grammar errors, are long gone. Today’s phishing emails may look much like the legitimate emails they emulate, sometimes with proper English and the logos of the companies they claim to represent. The Canadian government estimates that 156 million phishing emails are sent globally every day, resulting in 800,000 clicks on fraudulent links, and 80,000 victims falling for scams.
Phishlabs reports that in the third quarter of 2017, nearly one-quarter of phishing attacks were hosted on HTTPS sites. This is nearly double the rate observed in the previous quarter. Why is this happening? According to Phishlabs, this is because scammers believe that the HTTPS designation makes a phishing site seem more legitimate to potential victims.
Many browsers (such as Google Chrome) show a green lock and the word “Secure” in the URL bar when a site uses HTTPS. In a Phishlabs poll, more than 80% of the respondents believed the green lock indicated that a website was legitimate and/or safe, neither of which is true. What the green padlock really means is that your connection to the site named in the address bar is encrypted and that the site presented a valid certificate for that name; it says nothing about who owns that name or whether the site is honest. So if you are at https://www.google.com/ and have a green lock, you are dealing with the actual Google.com site. However, if you are at https://www.g00gle.com/ and have a green lock, the lock does not indicate that you are at the Google.com site, but at G00gle.com (which is not a legitimate website).
InfoSecInstitute suggests you learn to recognize the telltale signs of phishing emails by reviewing the following:
- Make sure the sender’s address matches the sender’s name. An email may claim to be from Amazon.com, but if the email address is amazon-news@email.com, it probably is not. Amazon emails will come from Amazon.com, PayPal emails will come from PayPal.com, etc.
- What does the subject line look like? Is it ALL CAPS? Are there grammar and spelling errors? Those are signs of a scam email.
- Read the body of the email. Is it personally addressed to you (not “Dear Customer”)? Does it include information specific to you and your account? Is it written in proper English?
- Look at the links. Hover over the links in the email (without clicking on them) and see where they actually go. eBay provides examples of how to recognize fake eBay URLs on this page.
- Be suspicious of any attachments. If you are not expecting an attachment, do not open it.
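The checks above (sender name versus address domain, an ALL CAPS subject, a generic greeting, and where a link really goes) and the lookalike-domain point from the green-lock paragraph (g00gle.com standing in for google.com) can be run mechanically over a message. The script below is an added example, not code from the article or from InfoSecInstitute; it uses only the Python standard library, the sample message is constructed for this example, and the KNOWN_BRANDS table and the digit-for-letter lookalike rule are assumptions you would extend for your own environment.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the article) carrying the warning
# signs the checklist describes: a display name claiming one brand while the
# address belongs to another domain, an all-caps subject, a generic greeting,
# and a link whose visible text names a domain different from its real target.
SAMPLE_EML = """\
From: "Amazon.com" <amazon-news@email.com>
To: customer@example.net
Subject: URGENT: YOUR ACCOUNT IS SUSPENDED
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Please <a href="https://www.amaz0n-secure.example/login">sign in to amazon.com</a> now.</p>
<p>Questions? Visit <a href="https://www.amazon.com/help">https://www.amazon.com/help</a>.</p>
</body></html>
"""

# Brands the checker knows and the domain each legitimately mails from
# (an assumption for this example).
KNOWN_BRANDS = {"amazon": "amazon.com", "paypal": "paypal.com",
                "ebay": "ebay.com", "google": "google.com"}

# Digit-for-letter swaps used to spot lookalikes such as g00gle or amaz0n.
_LOOKALIKE = str.maketrans("0135", "oles")
_DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def brand_lookalike(host):
    """Return the brand a host imitates (brand name embedded in a non-brand
    domain, possibly with digit swaps), or None if it looks genuine."""
    normalized = host.lower().translate(_LOOKALIKE)
    for brand, domain in KNOWN_BRANDS.items():
        if brand in normalized and registered_domain(host) != domain:
            return brand
    return None


def check_message(raw):
    """Run the checklist over one RFC 5322 message; return (code, detail) findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Does the sender's display name match the sender's address domain?
    name, addr = email.utils.parseaddr(str(msg["From"] or ""))
    addr_domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domain in KNOWN_BRANDS.items():
        if brand in name.lower() and registered_domain(addr_domain) != domain:
            findings.append(("sender_mismatch",
                             f"name says {brand} but address is @{addr_domain}"))

    # 2. Subject line in ALL CAPS.
    subject = str(msg["Subject"] or "")
    letters = [c for c in subject if c.isalpha()]
    if letters and all(c.isupper() for c in letters):
        findings.append(("subject_caps", subject))

    # 3. Generic greeting instead of the recipient's name.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    if re.search(r"\bdear (customer|user|member|client)\b", body, re.I):
        findings.append(("generic_greeting", "no personal salutation"))

    # 4. Where do the links actually go? Compare visible text with the href.
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        for shown in _DOMAIN_RE.findall(text):
            if registered_domain(shown) != registered_domain(href_host):
                findings.append(("link_mismatch",
                                 f"text shows {shown} but link goes to {href_host}"))
        brand = brand_lookalike(href_host)
        if brand:
            findings.append(("lookalike_domain", f"{href_host} imitates {brand}"))
    return findings


if __name__ == "__main__":
    for code, detail in check_message(SAMPLE_EML):
        print(f"[{code}] {detail}")
```

Run against the sample it reports five findings, one per warning sign, while the second link (text and target both on amazon.com) passes. The registrable-domain helper deliberately ignores public-suffix rules, so hosts under suffixes like co.uk would need a proper suffix list in real use.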
Although millions of random phishing emails are sent every day, some phishing emails are more personalized. Phishers may target specific persons or organizations and craft phishing emails designed to fool them. This is called spearphishing. Many of these emails are extremely convincing and have led to CEO fraud, where employees believe the CEO of their company is directing them to transfer funds or release sensitive company data. CEO fraud has cost businesses millions of dollars.
Think before you click to avoid becoming a victim of phishing scams.