Espionage group “Pawn Storm” sends out a fake email to Gmail users with the subject line: “Your account is in danger.” The email claims there have been several unexpected sign-in attempts into the user’s account and suggests the user install the “Google Defender” app.
The email is a ruse designed to get the users to give up their special access token for their Google account. Hackers will direct victims who fall for the trap to an actual Google page, where they unknowingly authorize the “Google Defender” app to view and manage their email.
Even though the victim hasn’t given up a login password to their account, they have still handed over what’s known as an OAuth token. An OAuth token allows Gmail users to grant actual useful third-party apps access to their Google accounts. However, hackers can use this process for nefarious purposes.
This is only one of many methods con artists can use to dupe unwitting victims.
Even employees of large internet firms are not immune to phishing attacks. CNBC reports Google and Facebook were victims of an elaborate phishing attack that targeted employees at both companies. The employees were tricked into sending upwards of $100 million to overseas bank accounts.
Lithuanian bad actor Evaldas Rimasauskas allegedly impersonated Taiwanese electronics manufacturer Quanta Computer by sending phishing emails to employees at both companies, requesting payment for goods and services.
In related news, former Secretary of Homeland Security Jeh Johnson, speaking at the Financial Crimes and Cybersecurity Symposium in New York in November 2016, told his audience the threat his department fears most is the lowly phishing email.
The Dangers of Phishing Emails
“Phishing” is the term for an identity theft scam designed to target unsuspecting users of electronic communication methods, specifically email and text messages, and trick them into giving up sensitive personal or business information that hackers can use to steal their identity, raid their bank accounts and more.
Crooks use fake but authentic-looking emails and websites to convince you into supplying information the bad actors can then use to make your life a living hell.
Emails and other online communications can appear to be coming from a reputable source. These include your bank, an online payments processor such as PayPal, an auction site, a law enforcement agency, or even the IT department where you work.
Phishing puts individuals, companies, educational institutions and others at risk due to the possibility of allowing the bad guys to gain access to financial information, personal data, proprietary company information, health information, student data and much more.
In some extreme cases of being victimized by phishers, internet or financial services companies can blacklist companies and educational institutions, causing the entities and their employees to lose the ability to communicate with the outside world and pay for goods and services.
Phishing can also use the valuable time of staff members, such as those employed in the IT and HR departments, to divert their attention to fixing the damage caused by phishing, in place of their usual productive tasks.
Types of Phishing Emails
There are three main types of phishing. These are Spear Phishing, Clone Phishing and Whaling. While each type targets a different group of users, they all have one thing in common: they want to steal your personal and business information.
Spear Phishing is a phishing attempt directed at a particular individual or company.
The attack is designed to gather information about the target, raising the probability of success for the attempt. This type of phishing accounts for the vast majority of online phishing attempts today.
Clone Phishing is where hackers use a legitimate, and previously delivered, bit of online correspondence to create an almost identical or “cloned” email. The cloned communication will include malicious links or attachments, which the victim will likely trust due to the previous email communications.
Whaling is a phishing attempt directed specifically at a senior executive or another high-profile target within a business.
In a whaling attempt, the counterfeit email communication or website is crafted to fit the target’s role in the company or organization. Such content could include legal content, such as a subpoena, a customer complaint of some sort, or another issue fit for an executive to address.
What are the Common Indicators of a Phishing Attempt?
While phishing emails can be convincing, there are also a number of ways you can identify possible phishing communications with some giva-away common indicators.
As usual, the old adage, “If something seems too good to be true, it probably is,” applies to many phishing communications you might encounter. Believe it or not, African kings do not give away their vast treasure troves to complete strangers on a regular basis.
In this section, I’ll guide you through a number of ways to detect and identify phishing emails. I’ll take a look at the obvious, and sometimes not-so-obvious, common indicators of when your subject to a phishing attempt.
Look Closely at the Actual Email Address
Perhaps the most popular tactic that phishing cybercriminals use is to spoof an email address so that it appears to be coming from a reputable domain.
As an example, you may receive an email purporting to be from “Bank of America Customer Service” or the “Federal Reserve Bank.”
This email may, at first glance, appear to be legitimate. However, if you look at the actual email address, it reads something like, “federalreservebank.”@blake.ocn.ne.jp.” Believe it or not, the Federal Reserve doesn’t make use of the “lake.ocn.ne.jp” domain for their email communications.
If you receive an email from your bank, a credit card issuer, PayPal or any number of other seemingly reputable senders urging immediate action, always take a closer look at the actual sender address. It just might reveal that something is up.
Check for Spelling and Grammar Mistakes
At first blush, this may seem a bit weird, but major corporations are pretty strict about their employees using proper spelling and grammar. If an email you have supposedly received from a major banking concern or government agency contains a number of misspellings, grammar errors and awkward formatting, it’s likely a phishing email.
You would think that phishers would take the time to make sure spelling and grammar are correct in their fraudulent emails, but a couple of factors likely contribute to the mistakes.
- Just because someone is good at hacking doesn’t mean they received passing grades in English class.
- For many of these con artists, English is a second language. I even see this in communications from legitimate sources who reside in China, Russia and other non-English-speaking countries.
While bad spelling and incorrect grammar aren’t always an accurate indicator that you may be looking at a phishing email, it’s a good enough reason for you to take a closer look at things.
Review the Email’s Salutation
When reviewing an email for a possible phishing scheme, also take a closer look at how the sender of the email addresses you. Is it sent to “Dear Customer,” “My Dear,” “Dearest” or one of multiple other odd-sounding salutations?
A legitimate business that you have had dealings with before will likely use a personalized salutation, such as “Dear Jeff,” “Mr. Lebowski” or simply “Jeff Lebowski” instead of a generic “Customer” greeting.
Phishers count on you not being aware that a major company you’ve dealt with will have your information on file and will be able to access that for such a simple thing as an email greeting. It’s called mail merge, and it’s great.
Review the Email’s Signature
Another telltale sign of a phishing attempt is a lack of information included in the supposed sender’s email signature. A legitimate representative of a company will always provide contact information in their signature.
Information will usually include their full name, official title within the company, their return email address, and even their phone number and direct extension.
Also, look closely at the email address. A Chase Bank officer won’t be using a “gmail.com” email address to communicate with you.
Don’t Trust that Link!
If the body of an email contains embedded links, do not click on them.
Hover your mouse pointer over them first. Many email clients will display the full text of the link somewhere in the viewing window. Or, you can right-click the link and copy it. Then paste the link into a text file.
Once you can see the entire link, look at it carefully. If something is up, it should be apparent.
First of all, never click a link in an email that has been shortened. Shortened links make it easy to hide the link’s actual URL from prying eyes. A shortened link may appear similar to this: “http://bit.ly/D8h6TZy.” (Don’t worry, all you’ll get from clicking that link is an error message from Bitly.)
Also, be on the lookout for malformed links that may appear to be sending you to a legitimate website, but are instead forwarding you to a location where you may be tricked into giving up your login credentials or other personal information.
This attack makes use of a malformed URL, which, even when copied and pasted into a browser’s address bar, appears benign. Even Google Chrome’s built-in security doesn’t catch it.
One hazard of clicking links in phishing emails is ransomware.
A user can install ransomware by clicking a malicious link or visiting a website that installs software on the victim’s computer. The ransomware then either locks out access to the user’s files or threatens to publish the data unless they pay a ransom.
What it comes down to is this: never click on a link in an email.
If the email claims to require action on your part, find the actual website address for the company and retrieve their customer service contact information from that site. Call them. They’ll know if any action is actually required on your part for a supposed security breach or account change.
Links in emails can also lead to a rogue website, which will claim there has been a security breach, or another emergency, and ask the user to give it Open Authentication (OAuth) access to a user’s Google or another type of online account. This allows the offender to access an account as if it were their own.
OAuth is a convenient way of authorizing third-party applications to use an account for social media, gaming, and other purposes without the need to reveal your password to the requesting party. Unfortunately, it can also be used for evil, allowing miscreants to wreak havoc using your personal or company accounts.
Luckily, it’s easy to revoke OAuth access to your account for any app you’ve granted access to. Most providers offer a page that lists all of the applications you have authorized to have access to your account. For example, check out Google’s OAuth Access page. You can revoke access there.
Don’t Open that Attachment, Either!
In addition to malicious links, the bad actors of the world love to include attachments in their phishing emails. These attachments appear for all the world to be an innocent PDF or Microsoft Word document.
However, they could contain viruses and malware designed to damage files on your computer, grab administrator status so it can make changes, steal your passwords or otherwise spy on your every online move.
The attachment may be posing as an invoice for an unpaid bill or a schedule for a corporate retreat. Malware-powered documents can take many forms. You’ll particularly want to be vigilant for emails that appear to be from known sources, such as your child’s school or your bowling league, that may actually send you unsolicited attachments.
Don’t Give up Your Personal Information
A legitimate email from a bank, credit card company, college or other institution will never ask for your personal information via email. This is particularly the case for banking and credit card account numbers, login credentials for websites, or other sensitive information.
As soon as you see an email request for any of the information above, it’s time to make a call to their known, actual customer service phone number for a chat. There’s an excellent chance that customer service might be aware of this scam and can give you more information on it.
I have found credit card companies seem to keep particularly good track of schemes that affect their customers.
Don’t Be Intimidated by Threatening Language
Always beware when you see an email with a subject line that claims the email needs your immediate attention. Beware of subject lines such as, “Your account has been frozen…” or “Unauthorized login detected on your account.”
The first thing the tricksters behind any phishing email want to do is make you feel as if urgent action is needed to keep your world as you know it from falling apart. In actuality, quick, unthinking action on your part is what removes the first piece of the Jenga puzzle that is your security.
Phishing emails will often include language in the body urging you to take action to avoid your account being closed or frozen, and even supply a “helpful” link in the body of the email to make it convenient for you to take action.
How to Deal with Phishing Emails
When (definitely not if) you receive a phishing email, do not respond in any way. Do not supply any of the information the emails may ask for. Never click on any website links or call any phone numbers that hackers have listed in the email.
Do not click on, open or save any attachments that hackers may have included in the email. File attachments can contain malware, viruses or a link to a website that could facilitate the download of such malware.
Do not furnish any personal, financial or login information to the senders of the phishing email. If you want to check if the communication is actually from the company the email purports it to be, contact the company using a known, official method, such as their known email address, website URL or customer support phone number.
Be sure to review all banking and credit card statements as soon as you receive them. Make sure there are no unauthorized withdrawals or charges. If you notice suspicious account activity, contact the institution’s customer support department immediately via the contact information provided on the bank or credit card statement.
If your banking or credit card statement doesn’t show up within at least a few days of its usual date, call customer service to confirm your billing address information and check your current balances.
Smartphone and tablet users can also usually view their account information, including recent transactions and current account balances, via an app on their mobile device. The apps are available in your device’s app store. Check with your bank for more details.
This method would allow you to keep track of your transactions on a day-to-day basis, enabling you to catch suspicious activity much faster.
Immediately report phishing emails to the bank, company or organization being misrepresented as the sender of the email. Furnish as much information as possible to the company you report the email to.
If you have any reason to think your email accounts, online banking, credit card, shopping or other login credentials have been compromised, immediately change the password on all of your online logins. Be sure to use strong passwords that are at least 8 to 10 characters long and include a mix of letters, numbers and symbols.
If you have opened an email attachment from a suspected phishing email, immediately install or update the antivirus and malware scanners on your computer. Then, immediately scan your machine for viruses and malware.
You can also report the phishing email to the Anti-Phishing Working Group at [email protected]. This group includes ISPs, financial institutions, security companies and law enforcement agencies. The group was formed to fight phishing of this type.
If you reside in the United States, use the FTC Complaint Form to report a phishing scam. Canadian citizens can get support and more information from the Canadian Anti-Fraud Centre. Residents of the United Kingdom can report fraud and unsolicited phone calls.
Document all conversations and other communications you have concerning the phishing incident. Be sure to note all names and phone numbers of everyone you speak with and keep copies of all correspondence.
Uh-Oh! A Hacker Tricked Me into Supplying Information! Now What?
If a hacker tricked you into supplying personal or financial information by a phishing email, immediately contact the Federal Trade Commission. Using the commission’s website, you can report the following types of scamming activity:
- Identity Theft
- Scams and Rip-Offs
- Unwanted Telemarketing, Text or Spam
- Mobile Devices or Telephones
- Internet Services, Online Shopping or Computers
- Education, Jobs and Making Money
- Credit and Debt
If you disclosed credit or debit card information, immediately contact your bank or credit card issuer via the toll-free number on the back of your credit or debit card. This will allow you to cancel your cards and request new ones, or even close the accounts and open new ones that the phishers don’t have information about.
The maximum liability for unauthorized use of your credit card is limited to $50. However, liability for an ATM or debit card varies, depending on how quickly you report the loss or breach of your card and its information.
If you gave out checking or savings account information, immediately contact your bank via the toll-free number on your bank’s website or your monthly statement. Close your compromised bank account and open a new one.
Contact the major credit bureaus (Equifax, Experian, and TransUnion) and place an alert with them, which will signal to potential lenders that you may have been a victim of identity theft. This may make it a bit more difficult to open a new legitimate line of credit in the future, but it’s worth the hassle to keep a bad guy from opening a new account in your name.
If you gave out your eBay information, immediately attempt to log in to the auction site and change your password. Keep a close eye on your eBay account for any unauthorized activity. If you are unable to log in, immediately contact eBay via the special link they offer for suspected account theft.
If you gave out your PayPal login information, immediately attempt to log in to the payments service and change your password. Keep a close eye on your account for any unauthorized activity. If you are unable to log in, immediately contact PayPal via the special link they offer for suspected account theft.
Also, don’t forget that if you were tricked into giving OAuth account access to a rogue app, you can revoke OAuth access to that account for any app you’ve granted access to. Check with your service provider for more information on how to revoke OAuth access.
Beware of Other Types of Phishing Scams
Email phishing isn’t the only method the miscreants of the world will employ to steal your personal information. They will also make use of other methods.
Phishing Phone Calls
Always beware of any phone calls that involve a cold call from Microsoft – or any other well-known tech company, such as Apple or Google – offering to help you solve your computer problems or sell you a software license.
None of the major software or hardware companies will make an unsolicited call and charge you for helping to shore up your computer’s security or fix any issues you’re having with the machine and its operating system or applications. (No company has perfected the method of ESP support, and probably never will.)
Once a criminal has gained your trust, they might ask you for your computer’s username and password, ask you to visit a particular website to install software to allow them to remotely access your computer, or ask you for a credit card number to pay for their “services.”
Never accept any “help” that anyone offers in this manner. Again, none of the major software or hardware firms will call you out of the blue about your computer. Always treat any such calls with complete skepticism. Never provide any information about yourself, your computer, or your credit card or bank accounts.
Amazon, which is the largest online seller of goods in the world, is not immune to phishing attacks. Recent reports reveal sellers in the Amazon Marketplace have been hit with the hijacking of their accounts. The hijackers then use the account to fleece customers of their hard-earned dough.
The hijackers get an Amazon seller’s login and password the old-fashioned way – via a data breach or an email phishing attack – and then use that information to hijack the account and start the financial pain for the seller.
Once they have gained access to an Amazon seller account, the imposters then do one of two things.
- If an account is an active one, they will change the seller’s banking deposit information and start siphoning off the cash coming from sales.
- If an account is inactive, they will create a list of incredibly too-good-to-be-true items for sale and rake in the cash as long as they can.
Why hit Amazon sellers? Because there are so damn many of them, and they make so damn much money. This makes for an incredibly attractive group of potential victims.
A lawyer who represents Amazon sellers told The Wall Street Journal that over a dozen of his clients have been victims of hijacking, and many of them lost around half their monthly sales ($15,000 to $100,000) to the schemes.
Amazon advises sellers to keep a close eye on their accounts and to report any Amazon-related phishing attempts to Amazon customer service. Amazon buyers should remember that if something seems too good to be true, it most likely is. A reputable Amazon seller is not going to sell you a new MacBook Pro for $300.
When it comes to phishing emails, it’s a matter of when, not if, you’ll get one.
While phishing attempts continue to rise, you can prevent the tricksters from affecting your life by being more vigilant when opening emails or clicking links. In the future, keep up on the latest in phishing and other tools the bad guys use by becoming a regular visitor of my website.
Dangers of Phishing Emails FAQs
What Are the Risks of Opening Phishing Emails?
Unfortunately, replying to a phishing email, clicking a link, or opening any attachments in such an email can carry extreme risks. Attachments usually contain malware, while the links lead to phishing websites.
What Is a Facebook Phishing Email Example?
There are all types of Facebook phishing scams. They can range from faux security alerts, password-resetting requests, fake contest notices and much more. All of them attempt to entice the victim to click a link or open an attachment that could have a nasty payload.
How Can I Best Protect Myself and My Business from Phishing Scams?
Education, education, education. Did I stress that enough? Always educate your employees and executives on how to recognize phishing attempts and what to do when they think they've been targeted. While email spam detection software is also a good investment, spam can still get through. Uneducated employees and executives can fall for phishing scams, be they in email, over the phone, or in a text message.
What is Social Engineering?
Social engineering is when bad actors try to trick targeted victims to giving up confidential information such as banking and credit card information, or in the case of scams targeting businesses they're looking for access to computer systems so they can access information or hold the information hostage.
- The Dangers of Phishing Emails
- Types of Phishing Emails
- What are the Common Indicators of a Phishing Attempt?
- How to Deal with Phishing Emails
- Uh-Oh! A Hacker Tricked Me into Supplying Information! Now What?
- Beware of Other Types of Phishing Scams
- Dangers of Phishing Emails FAQs
- What Are the Risks of Opening Phishing Emails?
- What Is a Facebook Phishing Email Example?
- How Can I Best Protect Myself and My Business from Phishing Scams?
- What is Social Engineering?