How to spot a phishing email

Find out what phishing is, why it is a problem, how to spot a phishing email and what to do if you receive one.

It seems we’re plagued by spam. It used to be just through the letter box (and we could recycle it). But now it’s a permanent addition to our email inboxes. Despite your best efforts, spam still arrives. One particularly dangerous type of spam tries to trick you into sharing personal information, like user names and passwords, and is called ‘phishing’. I’m going to show you how to spot a phishing email.

First off, some key things to be aware of:

  • There are dishonest people out there in the world.
  • Your email address is not a secret, particularly to those who are interested in scamming.
  • Phishing is not a personal attack on you; the email you receive has been sent to thousands, if not millions, of email addresses.
  • The name on the email isn’t necessarily who sent it.

What are spam and phishing?

Spam is the term used to describe an email you receive that you didn’t ask for and weren’t expecting. Spam emails are sent to large numbers of email addresses for commercial, fraudulent or malicious intent.

A phishing email is a type of spam that pretends to be from a reputable company, in order to obtain personal information, such as passwords, payment card details and so on. 

Phishing emails always have criminal intent.

They are a form of social engineering: the use of deception to obtain personal or confidential information.

Is it a big problem?

Traditional junk mail (through your letter box) has a success rate of just over 4%. So for every 1000 people that receive the mail, about 40 respond to it.

Spam email, on the other hand, has a response rate of 0.12%. For every 1000 people, about 1 responds.

But here’s the thing: paper-based junk mail costs money to send and is often geographically restricted. More people equals more cost.

Email, on the other hand, costs the same to send to one person as to 100,000 or 10,000,000, and it is global. So, although the response rate may be lower, the actual number of people responding is greater.

In 2006, the number of junk mail posted through letter boxes was 21 billion items for the year, that’s about 57.5 million per day.

In 2019 the number of phishing email sent per day was 3.4 billion.

What’s the risk of phishing?

A phishing email pretends to be from an actual business, possibly one you know and do business with, like a shop, website or bank. The email itself may suggest something is wrong with your account or an order and ask you to log in to correct the issue. In this example there will be a link in the email. The page the link takes you to may even look like the actual website. You may be encouraged to enter personal data such as payment card details, or your username and password. In the phishing scam, these details are retained by the criminals and used to make purchases in your name. Often people don’t even realise they have been scammed until they see a bank statement.

Here’s an example from the Norton Internet Security website (image: an Instagram phishing email):
https://us.norton.com/internetsecurity-online-scams-phishing-email-examples.html

The problem with phishing emails compounds. If you respond, you’re telling the spammers that one of the millions of email addresses their system generated is active and has a viable victim. The correspondence to you gets more frequent and more demanding as they build a rapport.

This type of activity is criminal and often linked to organised crime. So it’s likely that the people instigating the phishing scam are not troubled by ethics, by leaving you out of pocket, or by the consequences that may follow for you, their victim.

How to spot a phishing email

I received a piece of spam earlier this year. It was quite easy to spot: the second line of the email said: ‘This is spam.’ 

Genius.

Increasingly, phishing emails are becoming more sophisticated and difficult to spot, and they rely on an instinctive response to an urgent problem. They depend on people clicking a link before they have had time to think about what they are doing. The principle of social engineering is about understanding and exploiting human behaviour. The best defence against social engineering is to be aware of it.

Consider my BLT of cyber protection: Breathe, Look, Think.

Here’s an example scenario:

You receive an email that says you need to complete a survey to stop your Twitter account from being deleted.

(Image: the Twitter survey email described above.)

Step 1. Breathe…in with the good air, out with the bad. Don’t panic.

Step 2. Look… Does it look like a message Twitter would send?

Step 3. Think… Does it sound like one Twitter would send? I mean…delete your account…really?

What else should you look for?

There are some important things to consider which will minimise your risk of exploitation.

  1. Check how the email starts. If it’s ‘Dear Customer’ or just ‘Hi’, it’s probably spam and could be a phishing email. Any website, bank or business you deal with will have asked for your name when you signed up, so they will normally address emails to you personally.
  2. Next read the email, ideally aloud. Phishing emails often have spelling and/or grammatical errors. They may use weird capitalisation. The wording itself may not make sense or may sound ‘off’. If it doesn’t read right, be suspicious.
  3. Look at the images. Do they look fuzzy, low quality or badly cropped? Scammers often copy and paste company logos, which lowers their quality.
  4. Look at the ‘From’ field on the email. If the actual email address is visible, does it match the name of the person sending the email, or the website/business it is supposed to have been sent by? For example, if your bank’s email was customers@yourbank.co.uk, the spammer might use customers@yourbank.co (which would mean their address is registered under Colombia’s .co domain!).
    Or, as another example, they might use customers@customerservice-yourbank.co.uk, which is a completely different domain that merely contains your bank’s name.

    The differences may be small, but a single full stop or extra letter is important and makes all the difference. The part that matters is the domain that immediately precedes the top-level ending (yourbank.co.uk), not whether the bank’s name appears somewhere in the address.

I had a spam email where the email address, the person in the from field and the person signing off the email were all different! Definitely dodgy.

Auto spam

The spammer’s email may even be an automatically generated one, like dkjns987dfk@hotmail.co.uk (I literally hammered a bunch of keys for that one, but a half decent programmer could write a piece of code that could do the same thousands of times a second).

It’s also possible for an email to appear to be from someone you know; this is known as email spoofing. Check out this example I received, opened in Outlook:

(Image: the ‘Brian Adams’ email described below.)

Now, apart from THE Brian Adams from Robin Hood Prince of Thieves, I don’t know any Brian Adamses. (For the record, I know of THE Brian Adams…I don’t know THE Brian Adams!)

So that’s my first clue something’s wrong. 

Second, the bit of the email address after the @ sign, called the domain, tells us which organisation the email is supposed to have come from; in this example, aoba-sawai.or.jp.

or.jp is the second-level domain used by organisations in Japan, and aoba-sawai.or.jp is not one I’ve ever had any dealings with, so it’s highly unlikely that they are legitimately going to send me an email.

It’s also a Japanese domain (the .jp at the end tells us this), with a website written in Japanese, so Brian James Adams is probably not going to be an employee. This is an assumption, but we’re erring on the side of caution, folks.

Compromised site?

So either their website or email server has been hacked, or we’ve got a spoofed email. Putting aoba-sawai.or.jp into my browser throws security alerts on my computer, flagging it as a suspicious website. I definitely do not recommend testing links or sites from dubious emails. If you know for a fact that it’s correct, then fine; otherwise, leave it alone. Please.

Third, the actual email content is a short link. There is no way to tell, by looking at it, where the link is going to take you.

So, you should not trust it and you definitely shouldn’t click on it.

Curiosity killed the cat. It also emptied all of the money out of his bank account, broke his computer and sucked him up a vacuum cleaner.

(Image: a cat stuck in a vacuum cleaner.)

Similarly, treat ordinary-looking text that turns out to be a link with the same suspicion: the words you can see are chosen by the sender and need not have anything to do with where the link actually goes.

If you’re on a PC or Mac, hover your mouse pointer over the link without clicking. The actual web address usually appears in a small pop-up box. On a phone or tablet, a long press on the link normally shows the destination without opening it.

If you’re using a website for your email, like Gmail, then look in the bottom left corner of your browser when you move the mouse pointer over the link. The actual web address will show up there. Look at the web address carefully: does it belong to the company the email claims to come from? Read the part just before the first single slash, because that is the site that will actually receive you, however much of the real company’s name appears elsewhere in the address.

If in doubt, do not click any links; sometimes the click alone is enough to tell the criminals that your email address is active, making you more of a target.
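The checklist above (generic greeting, sender domain, link text versus link destination) can be turned into a small script. The following is an added example, not code from the original article: it parses a raw email with Python’s standard library and reports the same warnings a careful reader would raise. The sample message, the fictional yourbank.co.uk, the shortener list and all helper names are constructed for this example; the registered-domain logic is a deliberate approximation of the Public Suffix List.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short illustrative list; real tools keep a much longer one.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "dear sir", "hi,", "hello,")
# Labels that sit directly under a two-letter country code, e.g. co.uk, or.jp, com.au.
TWO_LEVEL_SUFFIXES = {"co", "org", "ac", "gov", "or", "ne", "com", "net"}


def registered_domain(host: str) -> str:
    """Crude owner-domain extraction: the last two labels, or three when the suffix
    is two-level (yourbank.co.uk, aoba-sawai.or.jp). A real tool should use the
    Public Suffix List instead of this approximation."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class BodyParser(HTMLParser):
    """Collects the body text and an (href, visible text) pair for each <a>."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._link_text = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._link_text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def check_greeting(text: str) -> list:
    """'Dear Customer' style openings: the sender does not know your name."""
    first = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    return [f"generic greeting: {first!r}"] if first.lower().startswith(GENERIC_GREETINGS) else []


def check_sender(from_header: str, expected: str) -> list:
    """Compare the From: address's domain with the one you expect."""
    name, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2].lower()
    if not host:
        return [f"no usable address in From: {from_header!r}"]
    if registered_domain(host) == expected:
        return []
    brand = expected.split(".")[0]  # "yourbank" in a lookalike is the tell
    kind = "a lookalike of" if brand in host or brand in name.lower() else "unrelated to"
    return [f"sender {addr!r} (shown as {name!r}) is {kind} {expected!r}"]


def check_links(links, expected: str) -> list:
    """Flag shorteners, and links whose visible text names a different site."""
    out = []
    for href, text in links:
        parts = urlparse(href)
        if parts.scheme not in ("http", "https"):
            continue
        host = (parts.hostname or "").lower()
        if host in SHORTENER_HOSTS:
            out.append(f"link {href!r} is a shortener; the destination is hidden")
            continue
        # If the visible text looks like an address, compare its host with the real one.
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        if "." in shown and registered_domain(shown) != registered_domain(host):
            out.append(f"link shows {shown!r} but goes to {host!r}")
        elif registered_domain(host) != expected:
            out.append(f"link {text!r} goes to {host!r}, not {expected!r}")
    return out


def analyse(raw_email: str, expected_domain: str) -> list:
    """Return every warning the checklist raises for one message."""
    msg = message_from_string(raw_email, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = BodyParser()
    parser.feed(body.get_content() if body else "")
    expected = expected_domain.lower()
    return (check_greeting("".join(parser.text))
            + check_sender(str(msg["From"] or ""), expected)
            + check_links(parser.links, expected))


# Constructed sample: an "account will be suspended" message of the kind the
# article describes, impersonating the fictional yourbank.co.uk.
SAMPLE = """\
From: "YourBank Customer Services" <customers@customerservice-yourbank.co.uk>
To: you@example.com
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>We have detect unusual activity. Please <a href="https://bit.ly/example">log in</a>
within 24 hours, or visit
<a href="https://yourbank.co.uk.account-verify.net/login">www.yourbank.co.uk/login</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for warning in analyse(SAMPLE, "yourbank.co.uk"):
        print("WARNING:", warning)
```

Run against the sample, it reports the generic greeting, the lookalike sender domain, the shortener and the link whose text says www.yourbank.co.uk but whose real host is account-verify.net. The important design point is in registered_domain: the decision is made on the owner domain just before the top-level ending, so neither a brand name buried in a subdomain nor one glued on with a hyphen passes.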

On a related note, if there are attachments, think before opening them. A fraudulent attachment is not usually part of the phishing scam itself, but it may carry malware that compromises the security of your computer, tablet or mobile.

Use the following chart to help you through the process.

Where to go for help and advice

If you think you’ve spotted a phishing email, do not investigate it yourself. Report it.

UK banks have a page on their websites that describe different types of fraud and what they do to help you avoid them. You can find their specific page by searching for ‘fraud’ on their home pages.

If you think you have been a victim of fraud, you can report it to the Financial Conduct Authority (FCA), who regulate business in financial services in the UK.

You can also get more information on how to guard against financial fraud on the Take Five website, a government-backed national campaign led by Financial Fraud Action UK.

How to handle spam

If you think you’ve received a spam email, you should report it, either in the email software/website you are using or to the business or organisation the email looks like it came from. There is nothing wrong with actually contacting them (through their own website or phone number, not through anything in the email) and asking if they genuinely sent it. If there’s a problem, they’ll be able to let their other contacts know to be careful. If they did send it, then you can suggest they change how they send emails, because they look suspicious.

Remember, if it is a phishing email, you will not be the only person to have received it, but you may be the first to spot it. Just as the Fire Service say it’s better they have 10 reports of a fire than none, so it is with phishing. 

Help yourself. Help others. Reduce cybercrime. 

Win, Win, Win.

And remember the BLT of cyber protection.

Have you ever reported a phishing email? What’s the most obvious clue you’ve seen to suggest a phishing email?