Phishing is a cybercrime in which attackers attempt to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords through email, telephone or text message. The attacker poses as a legitimate organization or individual, then uses the information obtained to gain access to important accounts, which can result in identity theft and financial loss.

Phishing Techniques

There are many different phishing techniques employed to obtain personal or financial information from you, including:

  • Spear Phishing - a specific individual or organization is targeted and the message is personalized to increase the likelihood of someone taking the bait.

  • Email / Spam - the most common technique; users are asked to click on a link to "complete" their information or to open an attachment.

  • Smishing (SMS Phishing) - messages sent via text to trick users into visiting phishing websites and entering personal information.

  • Link Manipulation - users are sent links that look legitimate, but the destination is a phishing website made to look like the real one (called website spoofing).

For additional information, please review the following links:

  • Phishing Techniques

  • Common Phishing Scams

  • Phishing Examples

Tips for Identifying Phishing

  1. Emails Demanding Urgent Action - Attackers often use this approach to rush recipients into an action before they have had the opportunity to study the email for potential flaws or inconsistencies.

  2. Emails with Bad Grammar or Spelling Mistakes - Another way to spot phishing is bad grammar and spelling mistakes. Many companies apply spell-checking tools to outgoing emails by default to ensure their emails are grammatically correct, and those who use browser-based email clients benefit from the browser's autocorrect or spell-highlighting features, so legitimate business email rarely contains such errors.

  3. Emails with Unfamiliar Greeting or Salutation - Emails exchanged between work colleagues usually have an informal salutation. Those that start “Dear,” or contain phrases not normally used in informal conversation, are from sources unfamiliar with the style of office interaction used in your business and should arouse suspicion.

  4. Inconsistencies in Email Addresses, Links and Domain Names - Another way to spot phishing is to look for inconsistencies in email addresses, links and domain names. Does the email originate from an organization you correspond with often? If so, check the sender's address against previous emails from the same organization. Check whether a link is legitimate by hovering the mouse pointer over it to see the actual destination address. If an email allegedly originates from (say) Google but the domain name reads something else, report the email as a phishing attack.

  5. Suspicious Attachments - Most work-related file sharing now takes place via collaboration tools such as SharePoint, OneDrive or Dropbox. Therefore, internal emails with attachments should always be treated with suspicion, especially if they have an unfamiliar extension or one commonly associated with malware (.zip, .exe, .scr, etc.).

  6. Emails Requesting Login Credentials, Payment Information or Sensitive Data - Emails originating from an unexpected or unfamiliar sender that request login credentials, payment information or other sensitive data should always be treated with caution. Spear phishers can forge login pages to look similar to the real thing and send an email containing a link that directs the recipient to the fake page. Whenever a recipient is redirected to a login page, or told a payment is due, they should refrain from inputting information unless they are 100% certain the email is legitimate.

  7. Too Good to Be True Emails - These emails incentivize the recipient to click on a link or open an attachment by claiming there will be a reward of some kind. If the sender is unfamiliar or the recipient did not initiate the contact, the email is most likely a phishing attempt.
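Tips 4 and 5 above can be checked automatically on a received message: compare the sender's domain with the domains the claimed organization has used before, compare a link's visible text with the address it actually points to (what hovering reveals), and flag attachment extensions commonly associated with malware. The Python below is an added example and not part of this page; the sample message, the google-verify.example and login-check.example domains, and the KNOWN_SENDER_DOMAINS table are constructed for illustration.

```python
import email, re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse
RISKY_EXTENSIONS = {".zip", ".exe", ".scr"}  # extensions the page calls out
# Constructed: domains seen in earlier mail from an organisation you deal with.
KNOWN_SENDER_DOMAINS = {"google": {"google.com"}}
# Simple anchor matcher for the constructed sample; use an HTML parser on real mail.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
def registered_domain(host):
    """Crude approximation: the last two labels of a host name."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])
def domain_of(text):
    """Registered domain of a URL or bare host; None if text is not URL-like."""
    host = urlparse(text if "://" in text else "//" + text).hostname
    return registered_domain(host) if host and "." in host else None
def phishing_indicators(raw_message, known=KNOWN_SENDER_DOMAINS):
    """Return the tip 4 and tip 5 indicators found in an RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    # Tip 4a: sender address checked against domains this organisation used before.
    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender is not None:
        sender_dom = registered_domain(sender.domain)
        for org, domains in known.items():
            if org in sender.display_name.lower() and sender_dom not in domains:
                findings.append(f"sender claims {org} but mails from {sender_dom}")
    # Tip 4b: the domain the link text shows versus where the href really goes.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in ANCHOR_RE.findall(body.get_content()):
            shown, real = domain_of(re.sub(r"<[^>]+>", "", text).strip()), domain_of(href)
            if shown and real and shown != real:
                findings.append(f"link text shows {shown} but points to {real}")
    # Tip 5: attachment names ending in an extension associated with malware.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(tuple(RISKY_EXTENSIONS)):
            findings.append(f"attachment {name} has a risky extension")
    return findings

def build_sample():
    """Constructed phishing-style message that exhibits all three indicators."""
    m = EmailMessage()
    m["From"] = "Google Accounts <security@google-verify.example>"
    m.set_content("Verify now.")
    m.add_alternative('<a href="http://login-check.example/v">https://accounts.google.com/signin</a>', subtype="html")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="invoice.zip")
    return m.as_string()
```

Running `phishing_indicators(build_sample())` returns three findings, one per indicator; a message from a known domain with matching link text and no risky attachment returns an empty list.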