Phishing emails have come a long way since they first appeared on the cyber scene nearly 30 years ago. Gone are the days when a phishing email’s biggest red flag was that it was from someone claiming to be a Nigerian prince. Phishing emails today are more targeted and more sophisticated than ever, and if you’re not careful, you might just get hooked.
Canadians have been spending more time online since the start of the pandemic, and that means we’re all facing a higher probability of dealing with a phishing attack. According to Statistics Canada,
- 34 per cent of Canadians have dealt with a phishing attack since the start of the pandemic, 14 per cent of whom reported that COVID-related news was used as bait;
- 42 per cent of Canadians have experienced at least one type of cyber security incident since the start of the pandemic; and
- of those who reported an incident, 36 per cent experienced some sort of loss as a result, whether a loss of time, data or money.
Phishing emails are always evolving. Are you keeping up? Read the following phishing guide to find out how you can catch that phish before it reels you in.
Anatomy of a phish
Scammers might be getting better at what they do, but that doesn’t mean you can’t still spot a phishing email when it comes your way. Most phishing emails fall into the category of clone phishing, which is when a scammer replicates a real email and sends it from an email address spoofed to look like a legitimate sender. These emails employ social engineering to manipulate your emotions, and they typically contain a malicious link or attachment aimed at obtaining your sensitive information.
Here’s an example of what that might look like:
From: Amazon [firstname.lastname@example.org]
Subject: Your order has been cancelled
Dear Amazon customer,
Your recent order on Amazon.com has been cancelled due to fraudulent activity detected by our automatic systems. Your account has been suspended on a temporary basis.
To reactivate your account, please verify your email address by visiting amazon.com/verify-my-account.
Amazon Support Team
With so much of our life happening online these days, this email might not seem out of the ordinary, and if you’re too busy or stressed to give this more than a cursory glance, you may miss the signs of a phishing attack. Unfortunately, that’s what the scammer is counting on.
Let’s break down what you need to do to catch this phish:
- Check the sender’s name and email address. The sender’s name may appear legitimate, but the email address will tell you whether or not this is a phishing attack. In this case, the “o” of Amazon is replaced with a zero, which is obvious upon close inspection. However, some addresses may be even harder to spot and use a character from the Cyrillic alphabet instead of the Roman alphabet. This tactic is called script spoofing, and it’s on the rise.
- Be wary of the language used. Scammers and cyber criminals prey on our emotions. In this email, they’re attempting to invoke a sense of panic by informing you that your Amazon account is locked. In other phishing emails, they may use an overly friendly tone in an attempt to gain your trust. Focus instead on the message itself: is this an email you were expecting? Is the company acting in a way you would expect? When in doubt, verify if this is a legitimate email by contacting the company through one of the official channels listed on their website.
- Don’t click suspicious links or open unexpected attachments. Think before you click—if an email seems suspicious, don’t click any links or download any attachments. You can verify whether a link is legitimate by hovering over it before you click it. The link preview that appears in the bottom left corner of the screen should match the one shown in the email.
- Keep your private information private. Regardless of what an email says, never divulge your personal information online. Phishing emails may attempt to get your credit card number, SIN, bank account information or employment information. If an email pressures you to give out sensitive information, it may be a phishing attempt.
- Confirm who’s behind the screen. If you receive an email that you’re not sure is suspicious or legitimate, call the alleged sender to confirm. Disregard any contact information in the email, as it may put you in touch with the scammer. Instead, go to the organization’s official website and contact them through the phone number listed there.
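As an added example (not code from the original post), here is a small Python check that applies the first and third points above to a sender address or a hover-preview link: it flags a zero standing in for the “o”, Cyrillic letters dressed up as Latin ones, and a link whose visible text points at a different domain than its real target. The list of expected domains and the lookalike table are constructed for the example.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed allow-list: domains the reader genuinely expects mail and links from (assumption).
EXPECTED_DOMAINS = {"amazon.com", "amazon.ca"}

# Constructed lookalike table: digits and Cyrillic letters that render like Latin letters.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "\u0430": "a", "\u0435": "e", "\u043e": "o",
                            "\u0440": "p", "\u0441": "c", "\u0445": "x"})

def extract_domain(value: str) -> str:
    """Return the lower-cased host from an email address, a URL or a bare host/path."""
    value = value.strip()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value          # link text often shows a bare host, e.g. amazon.com/verify
    return (urlparse(value).hostname or "").lower()

def scripts_in(text: str) -> set:
    """Unicode script family of every letter, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def classify_domain(domain: str) -> str:
    """One-word verdict on a sender or link domain."""
    if domain in EXPECTED_DOMAINS:
        return "expected"
    if scripts_in(domain) - {"LATIN"}:
        return "script-spoof"              # Cyrillic (or other) letters mixed into a Latin name
    if domain.translate(LOOKALIKES) in EXPECTED_DOMAINS:
        return "lookalike"                 # e.g. amaz0n.com with a zero for the 'o'
    return "unexpected"

def link_mismatch(display_text: str, href: str) -> bool:
    """True when the link text shows one domain but the hover target points somewhere else."""
    return extract_domain(display_text) != extract_domain(href)

if __name__ == "__main__":
    # Constructed sample values, not taken from a real message.
    for sample in ("support@amazon.com", "support@amaz0n.com", "support@am\u0430zon.com"):
        print(sample, "->", classify_domain(extract_domain(sample)))
    print("hover mismatch:", link_mismatch("amazon.com/verify-my-account",
                                           "http://amaz0n.com/verify-my-account"))
```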
There are plenty of phish in the sea
Clone phishing is the most prevalent type of phishing attack, but it’s by no means the only one. Here’s what else you need to watch out for.
Spear phishing is a targeted phishing attack sent to a specific individual or company. These attacks may be harder to spot because the phishing email is spoofed to seem like it’s from someone you know. It can also include some seemingly legitimate information, such as your name, the company you work for and even the projects you’re working on. That’s because the scammers behind a spear phishing attack have done research to make their email seem believable, in the hopes that it will trick you into giving them what they want.
Whaling is like spear phishing, except it’s aimed at high-profile targets like directors, executives or other high-ranking positions. The stakes for whaling attacks are much higher since people in senior positions tend to have access to more confidential information than their employees.
However, the rules for catching a phish remain the same, no matter your job title: check the sender’s email address, watch for suspicious language and don’t click any unexpected links or attachments. Before you respond, call the sender to confirm if they did send the email, especially if they’re asking for sensitive information.
Smishing is a phishing attack sent through a text message. Since people are more likely to trust a text message than an email, these attacks can have a higher success rate. If you receive an unexpected text message from a number you don’t know, stay vigilant and follow the same steps you would if it were a phishing email, especially if the message asks you to click on a link or provide your personal information.
Vishing is a type of scam that takes place over a phone call instead of an email. In vishing, the scammer calls their target and tries to get them to divulge sensitive personal information, such as their SIN, credit card number or banking information. The caller typically claims to be from an official organization like your bank, the government or local law enforcement, and they tend to use urgent or threatening language to scare you into complying. The infamous CRA phone scam is a type of vishing attack, and it’s cost Canadians millions of dollars.
While there are no links to click in a vishing attack, the scammer can still convince you to divulge sensitive information, or even unknowingly download malware. If you receive a suspicious call from someone claiming to be from an official organization, hang up and call the organization directly to verify.
Staying cyber safe
Scammers and cyber criminals have many tricks up their sleeves, but regardless of which one they try, it’s down to you to safeguard your personal information. When in doubt, always contact the alleged sender or caller yourself to verify if they’re actually trying to contact you.
Here at Alberta Blue Cross®, we’re tasked with protecting sensitive health information, and that’s a commitment we take seriously. Our IT and security teams work diligently to keep our firewalls strong, external threats minimized and our employees educated on cyber security.
Throughout October, we’ll be sharing more posts like this for Cyber Security Awareness Month (CSAM). Check back here to learn how you can stay cyber safe in all areas of your life.