Three years ago, my grandma asked me to check her inbox and tell me if her emails were legit. A quick glance revealed an inbox chock-full of crazy phishing schemes. From ransom threats to sketchy requests to wire millions of dollars, the scams seemed pretty obvious.
Recently, my parents clicked a link from “AT&T” to confirm their account information, which allowed a hacker to break into their account, change the password, and buy $3,000 worth of devices. Luckily, they were able to recover the account, but that was close … way too close.
A lot has changed in the years between Nigerian princes sliding into my grandma’s DMs and the sophisticated customer service ploy that nabbed my parents.
Phishing attempts to trick a person into revealing personal information (such as credit card, bank account, and social security numbers) or taking a harmful action (like installing malware or sending a payment). Don’t worry; it isn’t just you that’s getting bamboozled: cybersecurity training firm Wombat Security confirms that, in 2017, 76% of organizations were targeted by phishers.
Why Phishing Scams Are Convincing
Cybercriminals try to fool you by sending an email that looks like it is coming from a recognizable name, such as Apple or Spotify. Avanan, a leading cloud-based enterprise email security platform, reports that phishers’ two favorite companies to pose as are Amazon and Microsoft, which account for 80% of attacks. Also common are scammers posing as colleges or potential employers specifically targeting students, whom the FBI notes are at particular risk.
Phishing emails spoof the actual company's branding to make it look like an official communication; e.g., account updates, password expiration notices, purchase confirmations, overdue invoices, and job or internship opportunities. They include common links, like "activate account" buttons, “more information” tabs, and “is this you” security confirmations. Many malicious sites even use “https” domains, which are supposed to be more secure.
How to Identify Phishing Scams
Use these helpful tips to determine whether you are encountering a phishing scam:
- Without clicking, hold your cursor over links in the email. The URL address it connects to will appear in a small pop-up bubble. If the domain doesn't match the sender, it’s probably a scam. For example, an Amazon email usually links to an "amazon.com" site.
- Hover over the “from” address; it should also match the supposed sender. If the email address does not end with "pitt.edu", it is not an email from Pitt.
- Review the tone of the email. If the language attempts to create a sense of urgency and invokes strong emotions like excitement or fear, this is a red flag.
- Beware of any email that requests sensitive data or insists that you send money in order to take advantage of an opportunity (especially if the opportunity is something that’s supposed to earn you money).
Still not sure if it’s fake? You can independently look up the contact information for the supposed sender (do not use the contact information in the email). Then, ask them if they sent you the email. Got an email saying your financial aid will be discontinued if you don’t do something? Contact the Office of Financial Aid to see if it’s real.
What to Do When You Spot a Scam
When you’re pretty sure you’ve caught a phishing scam, do not click on any imbedded links, open any attachments, or reply to it. But don’t just delete it, either. A phishing email isn’t just spam. It is an attempt to commit a crime, and you should report it.
No, you don’t need to call the police. Instead, report it to Pitt IT by sending an email to firstname.lastname@example.org, with the suspicious email included as an attachment. Most people can do this by opening a new message and dragging the other email into the body, but detailed instructions on how to attach an email are listed here. Then delete it. That way, not only do you protect yourself, but you also make sure Pitt IT blocks that email from going to anyone else, so no one becomes a victim.
Keep your guard up and be on the look-out for phishing scams, so you don’t get hooked!
-- By Tabitha Barnes, Pitt Student IT Blogger
You tell me: Have you ever spotted a phishy email in your inbox? How did you spot the fake?