October is Cyber Security Awareness Month (CSAM), and one of the oldest tricks cyber criminals have used is phishing emails. Phishing emails have come a long way since they first appeared on the cyber scene nearly 30 years ago. Gone are the days when a phishing email’s biggest red flag was that it was from someone claiming to be a Nigerian prince. So how do you detect phishing emails, especially now that they are more targeted and more sophisticated than ever? If you’re not careful, you might just get hooked.

Canadians have been spending more time online since the start of the pandemic, and that means we’re all facing a higher probability of dealing with a phishing attack. Statistics Canada has reported troubling trends.

  • 34% of Canadians have dealt with a phishing attack since the start of the pandemic, 14% of whom reported that COVID-related news was used as bait
  • 42% of Canadians have experienced at least one type of cyber security incident since the start of the pandemic
  • 36% of those who reported an incident experienced some sort of loss as a result—time, data or money.

Phishing emails are always evolving. Are you keeping up? Read the following phishing guide to find out how you can catch that phish before it reels you in.

What is phishing?

Phishing is when a cyber criminal tries to trick you into giving up personal information by pretending to be someone you trust. According to the Government of Canada’s Get Cyber Safe campaign, these cyber criminals pretend to be a legitimate sender like a government agency, a bank, a streaming service, an online store or even a friend.

Anatomy of a phish

Scammers might be getting better at what they do, but that doesn’t mean you can’t still detect a phishing email when it comes your way. Most phishing emails fall into the category of clone phishing. Clone phishing is when a scammer replicates a real email and sends it from an email address spoofed to look like a legitimate sender. These emails employ social engineering to manipulate your emotions, and they typically contain a malicious link or attachment aimed at gaining your sensitive information.

Here’s an example of what that might look like:

From: Amazon [amazoncustomerservices@amaz0n.com]
Subject: Your order has been cancelled
Dear Amazon customer,

Your recent order on Amazon.com has been cancelled due to fraudulent activity detected by our automatic systems. Your account has been suspended on a temporary basis.

To reactivate your account, please verify your email address by visiting amazon.com/verify-my-account.

Thank you,

Amazon Support Team

How to detect phishing emails

With so much of our life happening online these days, this email might not seem out of the ordinary, and if you’re too busy or stressed to give this more than a cursory glance, you may miss the signs of a phishing attack. Unfortunately, that’s what the scammer is counting on.

Let’s break down the steps you need to take to catch this phish:

1. Check the sender’s name and email address

The sender’s name may appear legitimate, but the email address will tell you whether or not this is a phishing attack. In this case, the “o” of Amazon is replaced with a zero, which is obvious upon close inspection. However, some addresses may be even harder to spot and use a character from the Cyrillic alphabet instead of the Roman alphabet. This tactic of using lookalike characters or symbols to mimic trusted names or websites is called script spoofing, and it’s on the rise.

2. Be wary of the language used

Scammers and cyber criminals prey on our emotions. In this email, they’re attempting to provoke a sense of panic by informing you that your Amazon account is locked. In other phishing emails, they may use an overly friendly tone in an attempt to gain your trust. Focus instead on the message itself: is this an email you were expecting? Is the company acting in a way you would expect? When in doubt, verify whether the email is legitimate by contacting the company through one of the official channels listed on its website.

3. Don’t click suspicious links or open unexpected attachments

Think before you click—if an email seems suspicious, don’t click any links or download any attachments. You can check where a link really goes by hovering over it before you click it. The destination shown in the link preview (usually in the bottom left corner of your browser or email program) should match the address displayed in the email; if the two differ, the visible text is a disguise.

4. Keep your private information private

Regardless of what an email says, never divulge your personal information online. Phishing emails may attempt to get your credit card number, SIN, bank account information or employment information. If an email pressures you to give out sensitive information, it may be a phishing attempt.

5. Confirm who’s behind the screen

If you’re not sure whether an email is suspicious or legitimate, call the alleged sender to confirm. Disregard any contact information in the email, as it may put you in touch with the scammer. Instead, go to the organization’s official website and contact them through the phone number listed there.
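Steps 1 and 3 above can be automated, and seeing the logic written out makes it clear what “lookalike characters” and “the preview should match the link” actually mean. The following is an added example, not code from the article or from Alberta Blue Cross: it parses a constructed copy of the fake Amazon email above (the `amaz0n-verify.example` link destination and the Cyrillic-letter domain in the second check are invented for the example, and `TRUSTED_DOMAINS` is an assumed allow-list) and reports the sender domain that imitates a trusted one, the display name that claims a brand the domain does not belong to, and the link whose visible text names one host while its `href` points to another.

```python
"""Automated versions of two phishing checks, run over a constructed sample.

Step 1 (sender): flag domains containing non-ASCII letters, domains that
collapse onto a trusted domain once lookalike characters (0/o, 1/l, Cyrillic
letters, rn/m, vv/w) are normalised, and display names that claim a trusted
brand the domain does not belong to.
Step 3 (links): flag anchors whose visible text is a URL for one host while
the href really points to another.
"""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: domains the reader actually has a relationship with.
TRUSTED_DOMAINS = {"amazon.com", "amazon.ca"}

# Deliberately small map of characters that render like Latin letters: digits
# used as letters plus a few Cyrillic letters. Unicode's confusables.txt is
# the full list; this is enough to show the technique.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}

# Constructed sample mirroring the article's fake Amazon email, as HTML so the
# visible link text and the real destination can differ (href host invented).
SAMPLE_EMAIL = """\
From: Amazon <amazoncustomerservices@amaz0n.com>
Subject: Your order has been cancelled
Content-Type: text/html; charset=utf-8

<p>Dear Amazon customer,</p>
<p>To reactivate your account, please verify your email address by visiting
<a href="http://amaz0n-verify.example/login">amazon.com/verify-my-account</a>.</p>
"""


def skeleton(domain):
    """Reduce a domain to what it looks like: lowercase, NFKC-normalised,
    two-letter tricks (rn->m, vv->w) and single confusables replaced by the
    Latin letter they imitate. Crude on purpose: 'modern' becomes 'modem',
    which only matters if the result then equals a trusted domain."""
    d = unicodedata.normalize("NFKC", domain.lower())
    d = d.replace("rn", "m").replace("vv", "w")
    return "".join(CONFUSABLES.get(ch, ch) for ch in d)


def check_sender(from_header, trusted):
    """Step 1: return (code, detail) findings for a From header."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return []
    findings = []
    if any(ord(ch) > 127 for ch in domain):
        findings.append(("non_ascii_domain", domain))
    if skeleton(domain) in trusted:
        findings.append(("lookalike_domain", f"{domain} imitates {skeleton(domain)}"))
    brands = {t.split(".")[0] for t in trusted}          # e.g. {"amazon"}
    if display.lower() in brands:
        findings.append(("display_name_mismatch", f"{display!r} sent from {domain}"))
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_links(html):
    """Step 3: flag links whose visible URL text names a different host than
    the href. Anchors with plain text ('click here') cannot be judged this way
    and are skipped."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
            shown, real = _host(text), _host(href)
            if shown != real:
                findings.append(("link_mismatch", f"text shows {shown} but href goes to {real}"))
    return findings


def analyze(raw_email, trusted=TRUSTED_DOMAINS):
    """Run both checks over a raw message and return all findings."""
    msg = message_from_string(raw_email)
    findings = check_sender(msg.get("From", ""), trusted)
    body = msg.get_payload()
    if isinstance(body, str):
        findings.extend(check_links(body))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_EMAIL):
        print(f"{code:22} {detail}")
```

Running it on the sample prints three findings: `lookalike_domain`, because `amaz0n.com` becomes `amazon.com` once the zero is read as an “o”; `display_name_mismatch`, because the display name “Amazon” is attached to a domain Amazon does not own; and `link_mismatch`, because the text `amazon.com/verify-my-account` is attached to a link that goes elsewhere. The same skeleton check catches the Cyrillic substitution the article describes, since the Cyrillic “о” maps to a Latin “o” before the comparison.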

What are the different types of phishing attacks?

Clone phishing is the most prevalent type of phishing attack, but it’s by no means the only one. There are plenty of phish in the sea. Here’s what else you need to watch out for.

Spear phishing

Spear phishing is a targeted phishing attack sent to a specific individual or company. These attacks may be harder to spot because the phishing email is spoofed to seem like it’s from someone you know. It can also include some seemingly legitimate information, such as your name, the company you work for and even the projects you’re working on. That’s because the scammers behind a spear phishing attack have done research to make their email seem believable, in the hopes that it will trick you into giving them what they want.

Whaling

Whaling is like spear phishing, except it’s aimed at high-profile targets like directors, executives or other high-ranking positions. The stakes for whaling attacks are much higher since people in senior positions tend to have access to more confidential information than their employees.

However, the rules for detecting a phish remain the same, no matter your job title: check the sender’s email address, watch for suspicious language and don’t click any unexpected links or attachments. Before you respond, call the sender to confirm whether they actually sent the email, especially if they’re asking for sensitive information.

Smishing

Smishing is a phishing attack sent through a text message. Since people are more likely to trust a text message than an email, these attacks can have a higher success rate. If you receive an unexpected text message from a number you don’t know, stay vigilant and follow the same steps you would if it were a phishing email, especially if the message asks you to click on a link or provide your personal information.

Vishing

Vishing is a type of scam that takes place over a phone call instead of an email. In vishing, the scammer calls their target and tries to get them to divulge sensitive personal information, such as their SIN, credit card number or banking information. The caller typically claims to be from an official organization like your bank, the government or local law enforcement, and they tend to use urgent or threatening language to scare you into complying. The infamous CRA phone scam during tax season is a type of vishing attack, and it’s cost Canadians millions of dollars.

While there are no links to click in a vishing attack, the scammer can still convince you to divulge sensitive information, or even unknowingly download malware. If you receive a suspicious call from someone claiming to be from an official organization, hang up and call the organization directly to verify.

How to stay cyber safe

Scammers and cyber criminals have many tricks up their sleeves, but regardless of which one they try, it’s down to you to safeguard your personal information. When in doubt, always contact the alleged sender or caller yourself to verify if they’re actually trying to contact you.

Here at Alberta Blue Cross®, we’re tasked with protecting sensitive health information, and that’s a commitment we take seriously. Our IT and security teams work diligently to keep our firewalls strong, external threats minimized and our employees educated on cyber security.
