How to Spot a Phishing Attack

One thing that seems universal throughout history – scammers are going to scam. One of the best methods of protection is learning how to spot an attack.

Types of Attacks

The first step to learning how to spot an attack is to know that there seems to be no end to the different ways a cybercriminal will try to get your information. Here are some of the different types of scams you could encounter in your day-to-day life.

Email Scams

Email scams are the most prevalent scam people are going to run into. Different tactics of email scams are:

  • Spear phishing – These seem more authentic because they’ve done their homework on you, their target.
  • Microsoft 365 phishing – These attacks are becoming the most common as the criminal creates a very convincing email that looks like it’s coming from Microsoft, in an effort to get you to “sign in” so they can grab your credentials.
  • Whaling – When criminals directly target “big fish” users such as CEOs, this is known as whaling. These types of attacks are generally very well researched as those users typically have a lot of access within the company.

Social Media

Social media is the best place to collect data about you. It’s recommended to steer clear of filling out questionnaires that ask similar questions to the ones you’ve seen when setting up a new password. Best social media practices include:

  • Keep your profile private – Keeping strangers away from the things you share on your profile is one way to keep criminals from collecting data about you.
  • Don’t add people you don’t know – Facebook seems to be the biggest culprit of this collection method. It contains a large amount of personal information and discretion should be applied to who has access to that.
  • Don’t add new accounts from people you know – Impersonating your friends and loved ones is just another way criminals try to gain your trust. Before accepting that second page request from Grandma, check to make sure it was set up by her.

Voice Phishing

Voice phishing attacks are relatively new but growing in number rapidly. The attacker may call pretending to be a support representative; some calls even start with silence, waiting for you to speak, because they’re trying to record your voice!

SMS Phishing

Also known as smishing, this attack method comes to your mobile phone via text message. As with other scams, these scammers can pretend to be someone you know, or just be trying to gather information about you.

Spotting Attacks

Now that you’re aware of some of the different types of attacks out there, how do you stop yourself from being their next target?

Email Scams

Email scams often contain poor grammar, come from a strange email address, and are stressing some critical response needed from you. Can you spot the problems with this example?

[Picture 1: example of a PayPal-branded phishing email]

This example is very convincing. They’ve used PayPal’s logo and branding guidelines to make the message look like it came from PayPal. Notice that the sender shown at the top says service@intl.paypal.com, but that is just the mask; directly next to it is the address the email actually came from, service.epaypal@outlook.com. A company as big as PayPal will always email you directly from @paypal.com. Communications will never come from another source. The links contained in the email do not go to an actual PayPal login, but to one made to look like it. You can check where a link is going by hovering your mouse pointer over it.
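The two checks described above, the real sender address behind the displayed name and the true destination behind each link, written out as an added example (not code from the original post). The sample message is constructed here to mirror the PayPal example; the expected domain `paypal.com` and the helper names are assumptions.

```python
# Added example: automate the two manual checks from the post, using only the
# Python standard library. The message below is constructed, not a real mail.
import email
import re
from email import policy
from urllib.parse import urlparse

# A display name containing "@" must be quoted in a real mail header, which is
# exactly how the "mask" in the post is produced.
RAW_EMAIL = """\
From: "service@intl.paypal.com" <service.epaypal@outlook.com>
To: victim@example.com
Subject: Your account has been limited
Content-Type: text/html

<p>Please sign in at <a href="https://paypal-login.example.net/signin">https://www.paypal.com/signin</a>
to restore access.</p>
<p>Help centre: <a href="https://www.paypal.com/help">www.paypal.com/help</a></p>
"""

def registrable_domain(host):
    """Last two labels of a hostname; crude (no public-suffix list) but enough here."""
    return ".".join(host.lower().split(".")[-2:])

def check_sender(msg, expected_domain):
    """Return (display_name, real_address, ok): ok is False when the address the
    mail really came from is not under expected_domain, whatever the display says."""
    sender = msg["From"].addresses[0]
    real_domain = registrable_domain(sender.addr_spec.split("@")[-1])
    return sender.display_name, sender.addr_spec, real_domain == expected_domain.lower()

def suspicious_links(html, expected_domain):
    """Return (anchor text, href) for links whose real target is outside
    expected_domain: the same thing hovering over the link would reveal."""
    found = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S):
        host = urlparse(href).hostname or ""
        if registrable_domain(host) != expected_domain.lower():
            found.append((text.strip(), href))
    return found

def analyse(raw, expected_domain="paypal.com"):
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",)).get_content()
    display, addr, sender_ok = check_sender(msg, expected_domain)
    return {"display": display, "address": addr, "sender_ok": sender_ok,
            "bad_links": suspicious_links(body, expected_domain)}

if __name__ == "__main__":
    print(analyse(RAW_EMAIL))
```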

Social Media

Whether they’re impersonating someone you know, or someone that you don’t know, social media scammers can be caught by a quick look at their profile. The details are generally scarce, misleading, or inconsistent.

[Picture 2: example of a scam social media profile]

Voice Phishing

Answering unknown numbers and pausing without saying hello stops the scams that are trying to capture your voice signature. If there is a human on the other end of the line, they will speak first. If it’s an auto-dialer waiting for a voice signature, it will hang up when all it receives is dead air.

No major company (like Microsoft) will ever reach out to you by phone. Anyone claiming to be with a major company that you have not initiated contact with is most likely a scam.

Keep your details to yourself, including your name, unless you have verified that the person calling you is really who they say they are.

SMS Phishing

Text phishing is no different from other forms of phishing: they’re trying to get information about you. They will start with a generic question and then try to get you to share even a simple detail like your name.

[Picture 3: example SMS phishing exchange]

This exchange went on to apologize and try to get the user to engage in conversation.

The rules for avoiding becoming a target to a phishing attack are simple:

  1. Be suspicious – Check grammar, email addresses, web link addresses, and who is contacting you.
  2. Don’t share information – If they’re trying to get your name or any other personal information, keep it to yourself.
  3. If it looks wrong, it probably is – trust your gut!

Keeping your details to yourself, being suspicious of new contacts, and being alert are all good ways to keep yourself from being a target. Enabling MFA on accounts that offer it is always a great way to keep your accounts secure as well. You can read about MFA and its importance in our other blog post.

ERGOS offers phishing training and simulations to companies. Call us or fill out the contact form on this page.