How to Spot a Phishing Scam

What is a Phishing Scam? In its simplest sense, a phishing scam is a social engineering approach to getting a person to reveal information they wouldn't otherwise reveal to a stranger.

One of the most important aspects you need to realize about a phishing scam is that the information provided is being used as leverage against you. Any claim of information, whether it be something about you or someone you know that is true, or something made up based on odds and probability, is being used to make the sender appear legitimate. An example based on odds and probability I can give you would be to imagine you have a knack for choosing weak passwords and the attacker states "we know you use weak passwords and we have access to all your accounts". You're more likely to believe they have access because you know you use weak passwords. Now, I mentioned providing true information. How is that even possible? Two words: data breach. Remember the famous Target hack? Now there are too many to even list, but if you've ever read up on what those meant, you know that attackers made off with actual information about accounts, such as account credentials.

Attackers purchase that information from successful data breaches to learn information about you. They may also have some information about a colleague or contact because your company lists names and positions on its website, or even worse, perhaps that person has fallen victim to a previous phishing scam and confirmed information about you. It is very common for attackers to run one scam after another to gather bits of information at a time until they know every role and position of a company. That becomes a different but closely related attack called Spear-Phishing. But let's stay the course. The point is, information about you can be and most likely is available, and that is used as leverage to make a sender credible.

With all that said, just because they know a password you once used doesn't mean they know what is claimed in the email that is being used to threaten or coerce you into carrying out a task.

In the end, the most important aspect to remember is don't let the scam take root just because some information about you is provided, no matter how true it may be.

Most of the time the vector (the means they choose to communicate with you) is email, but keep in mind it can be a text, phone call or voicemail, or any of the social media platforms we all use.

Now that we've covered what and how, why do they want this? Remember, the definition of a phish is "getting a person to reveal information", therefore the communication will prompt you to provide something. Usually the goal is multifaceted; they want 1) to see if you'll respond, 2) to see if you appear willing to carry out a task, and 3) to see how far you might go.

In 1) they get the proper spelling of your name and confirmation that the email address they have on file for you is valid. Oftentimes that is checkmate for them because they can turn around and sell the information as "confirmed valid". In 2) they can get a feeling for the type of person you are and where to take the scam. This part can be very harsh. They're trying to assess if you are tight with your money, an indication of how much money you have access to. In 3) it gets serious. How much did you give and how fast did you give it? This could have you end up in the hands of real serious con artists, and you will want to get in touch with the police and your bank immediately before things really escalate.

I often get people who will answer a phishing email but not carry out the task, having realized it is a scam. This is good, but what is not commonly known is that a mere response puts you at risk because your name and email are put on a list and then sold or passed along to others to try more attempts. So responding but not carrying out the task doesn't mean you fully avoided the scam. You are almost sure to get a significant influx of phishing attempts in the near future as a result. The more attempts on you, the greater the odds you will make a mistake. So it is critical to allow yourself the time to analyze the communication thoroughly before responding, to avoid this altogether.

Aside from your gut feeling that something seems off, there are a few things you can check to "vet" communication as spam or legitimate.

The first and most obvious is to expand the full email address so that you don't just see the name but also the full email, including the domain name and root. Anyone can go on a corporate website and copy names of CEOs and other staff to input in the From: field, as long as the email address is valid (in most cases). For example, Brad Smith's email is brad.smith@company.com. When you get an email it will show Brad Smith in the From, but when you expand it, if it was spoofed (the term used when mail is not from the person it purports to be from) it would show, for example, brad.smith@company.ru rather than .com, or even brad.smith@company.com.ru. But if you don't expand the address you will never know the mail is fraudulent. Unfortunately, email software varies hugely and there is no standard for how one can expand or reveal the full address, so you should endeavour to figure out what that is for you so you have that option handy when you need it; don't put off learning that, and if you need help, reach out to an IT professional.
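The address check above can be written down as a small rule, which also makes it usable in a mail filter. The following is an added example (not code from the original article): it parses a From: header the way a mail client would, pulls out the domain behind the display name, and classifies it against the domains you actually expect mail from. company.com, Brad Smith and the sample headers are constructed placeholders, and the lookalike rules are a heuristic: a trusted domain used as a prefix of something else (company.com.ru) or the organisation's name under a different top-level domain (company.ru).

```python
from email.utils import parseaddr

# Constructed placeholder: the domains your organisation really sends from.
TRUSTED_DOMAINS = {"company.com"}

# Constructed sample From: headers, not taken from real mail.
SAMPLE_HEADERS = [
    "Brad Smith <brad.smith@company.com>",            # genuine
    "Brad Smith <brad.smith@mail.company.com>",       # genuine subdomain
    "Brad Smith <brad.smith@company.ru>",             # wrong root
    "Brad Smith <brad.smith@company.com.ru>",         # trusted domain as prefix
    '"brad.smith@company.com" <someone@othercorp.example>',  # address in display name
    "Brad Smith",                                     # no address at all
]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the real address behind the display name."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""  # parseaddr found no addr-spec (display name only)
    return addr.rsplit("@", 1)[1].lower().strip(".")


def vet_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a From: header as 'ok', 'lookalike' or 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"

    # The trusted domain itself, or a genuine subdomain of it (mail.company.com).
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "ok"

    labels = domain.split(".")
    for t in trusted:
        t_labels = t.split(".")
        # Trusted domain embedded as a run of labels that is not the suffix,
        # e.g. company.com.ru or mail.company.com.ru.
        for i in range(len(labels) - len(t_labels) + 1):
            if labels[i:i + len(t_labels)] == t_labels:
                return "lookalike"
        # Same organisation name under a different root, e.g. company.ru.
        if labels[0] == t_labels[0]:
            return "lookalike"

    return "unknown"  # some other domain entirely: verify by another channel


def vet_all(headers=SAMPLE_HEADERS) -> dict:
    """Run the check over a list of headers; returns {header: verdict}."""
    return {h: vet_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in vet_all().items():
        print(f"{verdict:9} {header}")
```

Note that the fifth sample is classified "unknown" rather than "ok": the address shown in the display name is ignored, and only the address inside the angle brackets counts, which is exactly why expanding the address matters. Anything not "ok" deserves the out-of-band confirmation described below.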

The next trick is a bit more subtle, but it relies on something we all have, and that's common sense. If you've ever been taken by one of these scams it doesn't mean you don't have common sense, it just means you didn't listen to it. You must allow yourself the time, if you feel something isn't right, to go perform the step above: check the email address. 9 out of 10 times it will be a spoofed address. There is a chance the sender's email account was hacked, but I can tell you from experience it is fairly rare. If you get such an email, i.e. one that really is from the sender it purports to be from but something doesn't seem right, this is even more reason to follow that feeling and check it. The best way to do that is to contact the person using a different means: call them or send a text to confirm the request.

In the end, if you do respond or carry out a task, don't just abandon the issue. It's not over yet. You still have a very important role to play; you must notify your IT admin immediately. Time is a huge factor once you've fallen victim. Depending on what was provided, the actions of your IT admin will guide you back to safety and mitigate as much of the negative fallout as possible.