Our email inboxes are constantly inundated with a confusing blur of work, socializing, entertainment, advertising and unwanted communications. We continually have to sort through the noise in order to keep our lives moving forward, make a living and keep up connections with friends and family. Because of this “Grand Central Station-esque” nature of our inboxes, they are the perfect environment for criminals to prey on us.
Just like a pick-pocket in a crowded public place, phishing emails attempt to catch you in a moment of distraction to take from you without you realizing what is being taken. This can be as simple as being tricked into giving up an account password, or as intense as mistakenly downloading and installing ransomware that encrypts your hard drive and holds if for ransom.
A client of mine was recently alerted to an email sent to one of her employees, looking like it had come from her account, requesting that he go out and purchase a bunch of Amazon gift cards with his own money, take pictures of them and email them back to her. The sender of the email, masquerading as my client, promised that she would reimburse him for it all later because she was running into an important meeting and needed him to complete this task ASAP.
Luckily her employee realized something seemed off about the request and forwarded a copy of the email to her. She first thought her email had been hacked and alerted me right away, but upon a closer look at the return address on the email, I realized the email hadn't even been sent from her address. The criminal sending the email had changed the sender name on the account to her full name, hoping her employee wouldn't notice the difference. Like most companies, critical information about their business, including everyone's name and email address, is publicly accessible on their website. This phishing attack probably took no more than a few seconds to launch and almost worked. Luckily the employee forwarded it to her to double check before moving forward with the orders.
The best advice I can give for avoiding falling prey to such attacks is to deprogram yourself from clicking on links in emails and keep a healthy suspicion of all communication online, over the phone and in day to day life. For example, just yesterday I got an email from Spotify telling me that my credit card had failed to process this month’s auto-payment. In the email they provided a link I could click on in order to update my info. The email really looked legit, but it's hard to be certain. Just to be safe, I made sure to spend the three additional seconds a DID NOT click on the link. Instead I opened up a browser tab, went to my account page on the Spotify website and checked to see if my auto-pay had really failed to go through. Knowing that I was actually on Spotify’s site and not a fake phishing site, I felt comfortable updating my credit card info. So the rule is, when in doubt, navigate to the site and don’t follow a link from an email. Here are some links to two great articles about how to avoid being phished.