Phishing: Be Wary of Fake Emails and Other Scams

Last edited: November 4, 2019

In this article we will tell you all about phishing and how you can protect yourself against it. Seeing as phishing is probably one of the most common (or at least well-known) forms of cybercrime out there, it’s important to stay on your toes and be aware of the risks.

What is Phishing?

Phishing is a term used to describe a specific kind of cybercrime in which a person makes up a fake story in order to get something from you online. This is usually done using email, but it can just as well be done using social media, chats, or other types of digital communication.

Cybercriminals usually send emails or messages pretending to be a legitimate institution in order to persuade you to send them what they want. For example, you suddenly get an email from your “bank” telling you that something went wrong with your account and that you have to send them your account details so that they can solve the problem. If you fall for the bait and send your account information, the cybercriminals will just log into your account and wire themselves a large sum of your hard-earned cash.

Apart from asking for specific information, phishing mails can also contain links or files they ask you to visit or download. The moment you download the file or click on the link, your device can get infected with all kinds of nasty malware or spyware. This makes it possible for the cybercriminals to read certain personal files or gain certain information, which they can use to engage in identity theft. Sometimes they even use this to install bots to create a botnet and carry out DDoS attacks.

Sometimes they even use a custom-built website that looks just like the official website of the institution they want to imitate, like a bank. But instead of your information being sent to your bank, the cybercriminals get their hands on it and use it to take your money.

Don’t feel stupid if you’ve ever fallen for one of these tricks. Cybercriminals usually find a way to make a message, email address, or website look very similar to the communication of a legitimate institution. This can make it hard to distinguish a fake message from the real deal.

How do you Recognize Phishing?

Because phishing can be difficult to spot, it’s important to know what to look for when checking if a message is legitimate or not. Cybercriminals tend to send you messages pretending to be your bank, the government, the IRS, insurance companies, webshops, etcetera. Always check these messages and websites carefully before springing into action. Other types of phishing are the well-known email sent by a “Nigerian prince” or a distant relative pretending they have access to a large amount of money, but they first need you to transfer them a smaller amount in order to send it to you. Don’t fall for these kinds of traps.

In order to help you scan websites, emails, and other messages to see if they’re potentially dangerous, you can use these tips:

Tip 1: Salutation, Weird Sentences, or Spelling and Grammar Mistakes

Usually, phishing mails are sent to a lot of people at once. This means that the senders don’t always personalize their salutations. You end up getting an email with a standard ‘Dear mr./mrs’ or something similar. Think to yourself whether or not it’s strange to not be addressed properly by, for example, a bank.

Apart from that, you can usually tell an email is fake when it contains a lot of spelling or grammar mistakes. More often than not the cybercriminals sending the mail aren’t native English speakers, and they will make obvious errors.

This isn’t always the case though. There are a lot of situations in which an email or website doesn’t contain any errors and contains some sort of personalized information. Luckily there are other things you can look out for (see the other tips). If you can’t sniff out a phishing email right away, you can probably determine something is wrong when a lot of different aspects are questionable.

Tip 2: Look at who Sent you the Email

Another thing you should look out for is fraudulent email addresses. For example, if you’re a customer of Bank of America, you would probably get emails from addresses ending in @bankofamerica.com. Because cybercriminals don’t own these domains, they cannot use these email addresses. Instead they will try to send it from a very similar domain, or use a general email provider. For example, in this case they could use bankofamerica@gmail.com or something ending in @americanbank.com. Even spelling errors can be used in the email address. By adding a letter or two to the original domain, they try and trick you into scanning over the address and thinking the message is legitimate. Always take your time to check the email address when you are asked to provide personal information or passwords.
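The check described in this tip can be written out in Python. This is an added example, not part of the original article: it compares the sender’s domain with the domain the organization really uses, and flags free-mail addresses that carry the brand name as well as domains that differ by a letter or two. The function names, the free-mail list and the sample headers are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumed, non-exhaustive list of general email providers.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of inserted, deleted or changed characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, trusted_domain: str) -> str:
    """Classify a From header against the domain the organization really uses."""
    _, address = parseaddr(from_header)
    local, _, domain = address.lower().rpartition("@")
    trusted = trusted_domain.lower()
    brand = trusted.split(".")[0]              # e.g. "bankofamerica"
    if not local or not domain:
        return "unparseable"
    if domain == trusted or domain.endswith("." + trusted):
        return "trusted-domain"
    if domain in FREE_MAIL and brand in local.replace(".", "").replace("-", ""):
        return "brand-on-free-mail"            # bankofamerica@gmail.com
    if edit_distance(domain, trusted) <= 2:
        return "lookalike-domain"              # a letter or two added or changed
    return "unrelated-domain"                  # e.g. @americanbank.com

# Constructed sample From headers, using the addresses from the text above.
SAMPLES = ["Bank of America <alerts@bankofamerica.com>", "bankofamerica@gmail.com",
           "info@americanbank.com", "service@bankofamericaa.com"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_sender(sample, "bankofamerica.com"))
```

A matching domain is only a first check, because the From line of an email can be forged; mail providers verify it with SPF, DKIM and DMARC.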

Tip 3: Watch out for Suspicious Attachments

Apart from links and content, phishing mails can also ask you to download an attachment. These attachments then contain stuff like malware and spyware such as keyloggers and Trojans. Be on the lookout for any file names that seem to be out of the ordinary, and check the file extensions. Files ending in .zip or .exe should not be trusted at face value. Even PDF files are not always safe. Only open files when you think it’s logical that they were sent to you and you trust them.

Another thing cybercriminals try to do is fool you by adding the file extension to the actual file name. They will try to make you believe that it’s a PDF file by calling it ‘InvoicePDF.exe’. It might look like you’re receiving a PDF file, but it’s actually an .exe file used to install malicious software such as bots.

Below you will find an overview of file extensions that are sometimes used in phishing emails.

  • .bat (Batch)
  • .com (COM file)
  • .cpl (Control Panel)
  • .docm (Microsoft Word with macros)
  • .exe (Windows Executable file)
  • .jar (Java)
  • .js (JavaScript)
  • .pif (Program Information File)
  • .pptm (Microsoft PowerPoint with macros)
  • .ps1 (Windows PowerShell)
  • .scr (Screensaver file)
  • .vbs (Visual Basic Script)
  • .wsf (Windows Script File)
  • .xlsm (Microsoft Excel with macros)
  • .zip (Compressed)
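The overview above and the ‘InvoicePDF.exe’ trick can be combined into an automatic check. The following Python code is an added example, not part of the original article: it lists the attachments of a mail, flags the extensions from the overview and detects file names that imitate another file type. The function names, the list of decoy type names and the sample message are assumptions constructed for illustration.

```python
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions taken from the overview above.
RISKY = {".bat", ".com", ".cpl", ".docm", ".exe", ".jar", ".js", ".pif",
         ".pptm", ".ps1", ".scr", ".vbs", ".wsf", ".xlsm", ".zip"}
# Harmless-looking type names that may be written into the file name (assumed list).
DECOYS = ("pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt")

def check_attachment(filename: str) -> list[str]:
    """Return the warnings that apply to one attachment file name."""
    name = filename.lower().rstrip(" .")   # trailing dots/spaces would hide the suffix
    ext = PurePosixPath(name).suffix       # the real extension is the last suffix
    stem = name[: len(name) - len(ext)]
    warnings = []
    if ext in RISKY:
        warnings.append(f"risky extension {ext}")
        # 'InvoicePDF.exe' or 'statement.pdf.scr': the stem ends in a document type
        if stem.endswith(DECOYS):
            warnings.append("file name imitates another file type")
    return warnings

def scan_message(msg: EmailMessage) -> dict[str, list[str]]:
    """Map every attachment file name in the message to its warnings."""
    return {part.get_filename(): check_attachment(part.get_filename())
            for part in msg.iter_attachments() if part.get_filename()}

def sample_message() -> EmailMessage:
    """Constructed sample mail with three attachments (contents are dummy bytes)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    for name in ("InvoicePDF.exe", "report.pdf", "statement.pdf.scr"):
        msg.add_attachment(b"dummy", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    for name, warnings in scan_message(sample_message()).items():
        print(name, "->", warnings or "no warnings")
```

An empty warning list only means the file name is not on the list; as the text says, even PDF files are not always safe.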

Tip 4: Be Careful if They ask for Your Personal Information

Never share your personal information or account information with others using email. 99.9% of all legitimate businesses will never ask for your information directly. No matter how real an email or message might look, keep your information private. If you’re uncertain whether the message is real or not, contact the actual organization through their official website or call them. Don’t reply to shady messages or click on links you don’t trust.

Do you receive a message or email with a suspicious link? Don’t click on it! You can see where the link will take you by hovering over it and looking in the bottom left corner of your browser. In general, if you’re not sure if you can trust the message, email, link or website, don’t click on any links. Especially watch out when you’re using a mobile device such as your smartphone or tablet, because it is very easy to click on something accidentally.
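What hovering over a link shows can also be read from the HTML of the email itself. The following Python code is an added example, not part of the original article: for every link it returns the visible text, the host the link really leads to, and whether that host belongs to the domain you expect. The names, the sample HTML and the .example address in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:          # only keep text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url: str) -> str:
    """Host the browser would connect to, without user info or port."""
    return (urlsplit(url).hostname or "").lower()

def review_links(html: str, expected_domain: str) -> list[tuple[str, str, bool]]:
    """Return (visible text, destination host, host is on expected domain) per link."""
    parser = LinkCollector()
    parser.feed(html)
    exp = expected_domain.lower()
    rows = []
    for text, href in parser.links:
        host = host_of(href)
        # Compare the end of the host name, so a look-alike prefix does not pass.
        rows.append((text, host, host == exp or host.endswith("." + exp)))
    return rows

# Constructed sample mail body: the second link shows the bank's address as its
# text but leads to a different host.
SAMPLE_HTML = """
<p>Dear customer, <a href="https://www.bankofamerica.com/login">log in here</a>.</p>
<p><a href="http://bankofamerica-login.example/verify">https://www.bankofamerica.com</a></p>
"""

if __name__ == "__main__":
    for text, host, ok in review_links(SAMPLE_HTML, "bankofamerica.com"):
        print(f"{text!r} -> {host} ({'expected domain' if ok else 'DIFFERENT domain'})")
```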

Tip 6: Trust your Intuition

If you’re not exactly sure if you can trust a message, email or website, then don’t! It’s better to be cautious than to be sorry. If you’re ever in doubt whether you can trust a message or not, get in touch with the actual organization and ask them about it. If that’s not possible, you can also look the email address up online. If it’s a phishing email, a lot of people will probably have gotten it and they can usually tell you if it’s safe or not.

Other Well-known Types of Scams

Apart from online phishing, scammers use a lot of different ways to get what they want. In the next few paragraphs we will briefly discuss different types of popular scams. After that you will find a quick guide of what you should do when you’ve fallen victim to either phishing or another type of scam.

“Phishing” over the Phone

By far the most phishing attempts are made using email. Email is the most efficient way for cybercriminals to reach out to unsuspecting victims. Still, a lot of evildoers continue to use the telephone to get you to hand over personal information or money. While some will try to persuade you with a smooth sales pitch, others can be more aggressive.

Common types of phishing over the phone are:

  • Someone from Windows or another well-known tech company calls you and tells you that there is a problem with your computer or other device. They then talk you through a certain process in which they try to get you to install malicious software. With this software they can gain access to your files and accounts.
  • You get a call from your bank with basically the same story: there is a problem with your account and they need your information in order to fix it. If you end up giving your information they quickly transfer themselves a large sum of money while keeping you occupied.
  • Lately there have been reports of a different type of phishing over the phone. They call you from a strange, usually foreign, number and when you pick up, you hear nothing. Only later do you find out that the phone call has cost you a certain amount of money. Be careful not to just pick up any call.

Fake Invoices

One of the more common scams, especially for those who have their own business, is the fake invoice. Scammers send over a fake but very real-looking invoice telling you to pay up quickly or suffer repercussions. Sometimes they even send you a message saying you are in debt and if you don’t transfer the money fast, they’ll send a debt collector. Usually these are false threats. If you transfer the money, it ends up in the pockets of the scammers.

If you want to check if the invoice or the payment reminder is legitimate, call the company that sent you the invoice. Don’t use the contact information listed on the invoice though: scammers are smart enough to put down fake information. Always go to the official website of the company that’s shown on the invoice and call or email them.

Emails or Social Media Messages from Friends or Relatives

When scammers get a hold of account information (for example email accounts or social media accounts) they use this to try and get money from the people in the account’s contact list. For example, I suddenly get a message from my friend David, who I haven’t seen in a long time. At first the conversation seems nothing out of the ordinary (the basic: how’s it going?), but later on in the email or chat message David tells me he’s stuck in another country, his wallet got stolen and he needs a certain amount of money in order to grab the next flight back home. David tells me he will pay me back when he gets home and we should grab some drinks when he’s back.

By using a contact in your contact list (in this case David) the scammers try and get you to trust them. After that they create a sense of urgency by saying he’s in trouble and he needs my help quickly. Usually the scammers ask for you to transfer money to a certain account or using a service like PayPal, Western Union, MoneyGram or Bitcoin.

More often than not, this is an entirely fake story, used to get me to transfer my money to someone else’s account. In fact, my friend David is not even in another country; he’s at home, still unaware his account has been hacked. If you ever receive a message like this, try to call that person in order to clear things up.

The most annoying part of this type of scam is that the scammers usually have access to the other person’s account information or social media profile. This means that they also have access to all the conversations you ever had with this person using the medium they have access to, so they can snoop around and use certain types of private information in order to gain your trust.

What to do When you’re a Victim of a Phishing Scheme?

Which security measures you should take depends on what kind of scam you’ve fallen for. Below we’ve compiled a list of the different types of scams and phishing schemes we’ve written about in this article. In this list we’ll tell you the best things you can do if you’ve fallen prey to one of these scams:

  • If you gave someone your bank information, block your card and call your bank.
  • If it’s an account for an online service: quickly change your password and other crucial information.
  • If you clicked on a suspicious link or downloaded malicious software: use antivirus software to scan your computer and quarantine any viruses.
  • Always contact the actual company or person and tell them what happened (they might be able to help you or at least warn others).
  • Report the phishing or scammers to the appropriate authorities (for example the police).