HFC - Phishing (Lesson)
Phishing
What is Phishing?
Why is phishing considered the largest source of malware delivery and identity theft? Let’s find out in this lesson!
Phishing is the use of bogus emails and websites to trick you into supplying confidential or personal information.
- You receive an email that appears to come from a reputable organization, such as a bank.
- The email includes what appears to be a link to the organization’s website.
- If you follow the link, you are connected to a replica of the real website. Any details you enter, such as account numbers, PINs, or passwords, can be stolen and used by the hackers who created the bogus site.
Phishing is considered the largest source of malware delivery and identity theft for several key reasons:
Reasons Phishing is the Largest Source of Malware Delivery and Identity Theft
The combination of these factors makes phishing a preferred method for cybercriminals to deliver malware and conduct identity theft.
It may seem like phishing falls in the category of “stupid user,” right? But in fact, it can be very difficult to spot a phishing email.
Example: Advance Fee Scam Story
The Nigerian Prince Letter is probably the earliest version of the phishing scam and definitely the most prolific. It is also known as a 419 email because that is the section of the Nigerian Criminal Code that deals with fraud. Approximately half of these “advance-fee” scam emails come from Nigeria.
The basic story used in these emails is that there is a large sum of money held in a Nigerian bank account and the writer wants to transfer the money out BUT he needs a foreign bank account to deposit it to. He has chosen you because you are honorable and can be trusted, plus he will give you 20% or even 30% of the money just for helping him. All you have to do is provide your bank account number and your passport information so that he can make the transfer. Then everyone will be rich!!! Well, at least the scammer will be if you “bite.”
How to Spot a Phishing Email
- Suspicious Sender Address: Check if the email address matches the company it claims to be from. Often, phishing emails come from addresses that resemble legitimate ones but have slight variations.
- Generic Greetings: Phishing emails often use generic greetings like "Dear Customer" instead of your name, indicating a mass email rather than one specifically for you.
- Urgency and Threats: Many phishing emails create a sense of urgency or threaten dire consequences if you don't act immediately. This is a tactic to rush you into clicking a link or providing information without thinking.
- Request for Personal Information: Legitimate companies rarely ask for sensitive information via email. Be wary of emails requesting passwords, credit card numbers, or other personal details.
- Spelling and Grammar Errors: Professional organizations usually send well-written emails. If an email contains obvious grammatical or spelling mistakes, it might be a phishing attempt.
- Suspicious Links or Attachments: Hover over any link without clicking to see whether the actual URL matches what the link text claims, rather than trusting the visible text. Be cautious about opening attachments, especially from unsolicited emails.
- Inconsistencies in Email Design: Look for inconsistencies in email formatting, such as odd layouts, outdated logos, or mismatched fonts. These can be signs of a phishing attempt.
- Unsolicited Requests: Be cautious of emails that ask for information or action without prior context or communication.
- Too Good to Be True Offers: Be skeptical of emails offering unexpected rewards, prizes, or deals that seem too good to be true.
- Check the Email Signature: Legitimate business emails usually have a professional signature with contact information. Phishing emails may lack this or use a forged one.
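As an added example (not part of the lesson), the checklist above can be turned into a simple scoring script that a help desk or security team might run over a reported message. It applies the sender-address, reply-to, greeting, urgency, sensitive-data and link checks to a raw email and lists every red flag it finds. The brand allow-list (`BRAND_DOMAINS`), the keyword lists, and both sample messages are constructed for the demonstration and are not real domains or real mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list (constructed): brand keyword -> domains that brand really sends from.
BRAND_DOMAINS = {"examplebank": {"examplebank.com", "mail.examplebank.com"}}

GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "will be suspended", "act now")
SENSITIVE_TERMS = ("password", "pin", "card number", "account number", "social security")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname: fine for .com/.net, wrong for co.uk-style suffixes."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def phrase_hits(phrases, text):
    """Phrases present as whole words, so 'pin' does not match 'shopping'."""
    return [p for p in phrases if re.search(rf"\b{re.escape(p)}\b", text)]


def score_message(raw, brand_domains=BRAND_DOMAINS):
    """Return the list of red flags found; each maps to one item of the checklist above."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "").lower()
    body = msg.get_payload(decode=True).decode("utf-8", "replace")  # assumes a single-part body
    body_text = re.sub(r"<[^>]+>", " ", body).lower()            # crude tag strip for keyword checks
    all_text = subject + " " + body_text
    findings = []

    # 1. Suspicious sender address: the mail invokes a brand but is not sent from its domain.
    claimed = [b for b in brand_domains if b in display_name.lower() or b in subject]
    for brand in claimed:
        if from_domain not in brand_domains[brand]:
            findings.append(f"suspicious sender: claims {brand} but sent from {from_domain}")

    # 2. Reply-To steering replies to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"reply-to domain differs from sender: {reply_to}")

    # 3. Generic greeting instead of the recipient's name.
    if body_text.lstrip().startswith(GENERIC_GREETINGS):
        findings.append("generic greeting")

    # 4. Urgency and threats (subject included).
    if hits := phrase_hits(URGENCY_PHRASES, all_text):
        findings.append("urgency language: " + ", ".join(hits))

    # 5. Request for personal information.
    if hits := phrase_hits(SENSITIVE_TERMS, all_text):
        findings.append("asks for sensitive data: " + ", ".join(hits))

    # 6. Suspicious links: visible text names one domain while the href goes to another,
    #    or a mail claiming a brand links outside that brand's real domains.
    brand_registered = {registered_domain(d) for b in claimed for d in brand_domains[b]}
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, label in extractor.links:
        target = registered_domain(urlparse(href).hostname or "")
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", label.lower())
        if shown and registered_domain(shown.group(0)) != target:
            findings.append(f"link text shows {shown.group(0)} but points to {target}")
        elif claimed and target not in brand_registered:
            findings.append(f"link leaves the claimed brand's domain: {target}")
    return findings


# Constructed sample messages (not real mail): one phishing attempt, one legitimate notice.
PHISH = """From: "ExampleBank Security" <alerts@examplebank-verify.example>
Reply-To: recover@mailbox-free.example
Subject: URGENT: your ExampleBank account will be suspended
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p><p>Verify your password and card number within 24 hours
or your account will be suspended.</p>
<p><a href="http://examplebank.com.login-check.example/verify">https://www.examplebank.com/secure</a></p>
"""

LEGIT = """From: "ExampleBank" <statements@mail.examplebank.com>
Subject: Your March statement is ready
Content-Type: text/html; charset=utf-8

<p>Hello Alice,</p><p>Your statement is available; sign in from our website as usual.</p>
<p><a href="https://www.examplebank.com/statements">www.examplebank.com/statements</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, score_message(sample))
```

Running the script lists six red flags for the constructed phishing sample and none for the legitimate one. The point of the example is not the specific keywords, which any real attacker varies, but the structure: every check compares what the message claims (brand, visible link text, greeting) against what it actually does (sending domain, real href, reply path), which is exactly the habit the checklist asks a reader to build.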
Phishing Red Flags Video
Special Types of Phishing
Phishing Attack or Spam Email?
It is easy to confuse phishing and spam because both are unsolicited emails sent with a harmful purpose, whether stealing your money or simply wasting your time. But there are key differences in their characteristics. Most importantly, we should treat phishing as a potential attack and report it. With spam, it is enough to discard the email and mark the sender as spam.
Phishing or Spam?
Bob and the Phishing Email Video
Reflection and Wrap-up
In this lesson, you learned about phishing cybersecurity scams, their characteristics, and specialized types. You also learned how to recognize the warning signs and protect yourself from phishing attempts.
CC BY-NC-SA 4.0 UNLESS OTHERWISE NOTED | IMAGES: LICENSED AND USED ACCORDING TO TERMS OF SUBSCRIPTION - INTENDED ONLY FOR USE WITHIN LESSON. 1st Video courtesy of Protected Trust, CC-BY; 2nd Video courtesy of Video Explainers, CC-BY