What are 'phishing' emails?

Phishing emails are designed to look legitimate, but are sent maliciously, often with the goal of accessing sensitive information (such as credentials to your website or bank account). Ideally these emails get caught by your spam filter, but that's not always the case. When they are crafted very clever, it might even look like it was sent by a trusted vendor or colleague.

In most cases they aren't targeted; in other words, they are sent automatically by robots en masse, but the threat is no less real.  So, opening these emails - or more dangerous yet, clicking links contained within - can have serious consequences.

Most people are aware of what the word Phishing means and know these nasty emails exist - there's a ton of information available online already - but because we've seen an increase volume of phishing emails lately, we just wanted to share this post as a friendly reminder to be safe, and include some simple tips in how to protect yourself.

Something smells phishy ...

Here are a few basic ways that might help you identify a 'phishing' email yourself, particularly if it looks suspicious:

  1. Review the information in more detail. Are there mistakes/references that might not be clear at first glance? For example, perhaps it mentions an invoice that has the wrong total;
  2. Check the sender address/identity. Is it consistent with what is displayed in the email preview? There are various ways to do this, for example check out this link;
  3. Don't click the links, but hover your cursor to preview them ... do they look legitimate? Sometimes the link in the email might say "example.com" but when you hover your mouse it reveals "example.com.very.suspicious.domain...";
  4. Ask yourself: was I expecting an email from this person? For example, for our hosted web clients: you should never expect to get an email directly from our server provider. It should always come from us. We've seen a number of these cleverly crafted emails arrive at our client's inbox that are not legit.

Also keep in mind, attackers can abuse your own website contact form in an effort to phish information. This means you can't just "block" or "mark as spam" because your website form is obviously legit. Being alert is a constant endeavor!

Preventative measures

A couple simple rules of thumb you should follow to help protect yourself as well:

  1. Keep your mail client (and software in general) up to date;
  2. Limit what your mail client can do when previewing an email. For example, Outlook and Thunderbird both offer options to not automatically open/render attachments or images until you manually permit the email to do so.
When in doubt, close it out

If you ever get an email that looks suspicious - i.e. the subject looks questionable, even before reading the body - don't open it, and don't even bother trying the steps above. Check with your web agency (like ourselves), webhost, or email provider. Or, just pickup the phone and dial the person to confirm it was legit.

The reality is - as scary as it might sound - phishing attempts can happen outside of email as well. For example, on social media posts. A lot of these same principles apply, so be keen and alert and protect yourself.