Gone Phishing?
For those of you who are just starting out in your cybersecurity endeavors or looking to learn about what phishing is, you’ve come to the right place.
What is Phishing?
Phishing is not a version of fishing following the old trend of replacing “f”s with “ph”s.
It is a cybersecurity term describing a technique that threat actors (bad people on the internet) use to steal something, usually money or credentials. It is a form of social engineering attack.
They pose as someone or something legitimate to entice you to click a link or download a file, similar to how bait on a hook lures fish.
Other related techniques include:
Smishing: SMS-based (Text Messages) phishing
Vishing: Voice-based phishing
Spear Phishing: Targeted email-based phishing
General phishing campaigns play the numbers game. The threat actors send their digital “hooks,” phishing emails, to as many “fish,” users, as possible. The more users they send it to, the more likely they will get bites.
How to identify?
There are multiple clues and questions that you can ask yourself to help identify if the email you received is phishing.
Some simple questions to ask are:
Was this an expected email?
Most general phishing attempts are unsolicited emails that come at random times to your inbox.
Is it an alarming or enticing subject?
Some alarming phrases could be “Urgent,” “Action Required,” or “Account at Risk.”
Some enticing phrases could be “Congratulations! You’ve won!,” “Mega Discounts Inside!,” or “You’ll never believe what [Celebrity/Figure] just did!”
Usually these are “Too Good to Be True,” attention-grabbing subjects meant to get you to open the email.
Are there grammatical issues and/or odd vocabulary?
Things like typos tend to be pervasive throughout the email.
Odd vocabulary:
Common phrase: “kindly” plus a verb.
Kindly update, kindly send, or kindly remit.
Grammatically correct, but not used in emails.
Others
Henceforth, Thusly, or other fancy words.
They might be used properly, but they are not common in everyday emails.
Is there a sense of urgency?
They will attempt to create panic or FOMO (fear of missing out).
This plays on human nature to react on instincts instead of logic.
Is the email coming from where you expect it to come from?
Verify the email domain by looking at everything after the “@” symbol.
Example:
Correct domain: “support@yourbank.com” the domain would be “yourbank.com”
Bad domain: “support@yourbank-badperson.com” the domain would be “yourbank-badperson.com”
Are the links taking you where you expect them to go?
Same concept as the email domains but applies to links in the email.
To identify the domain of a URL/link, first find the host name: everything between the “//” and the next “/”. The domain is the last two parts of that host name separated by a “.”.
Good domain: https://www.yourbank.com/login
Domain: yourbank.com
Bad domain: https://www.yourbank-badperson.com/login
Domain: yourbank-badperson.com
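As an added example that is not part of the original post, the script below applies the checks from this section to a message: the sender domain (everything after the “@”), the alarming or enticing subject words the post lists, the “kindly” style of odd vocabulary, and the domain of every link in the body using the post’s “last two parts of the host name” rule. The message format (a dict with from/subject/body), the trusted-domain set, and the two sample messages are constructed for this example; the cue word lists are assumptions built from the phrases quoted above and can be extended.

```python
import re
from urllib.parse import urlparse

# Cue lists assembled from the phrases the post quotes (assumption: extend as needed).
ALARMING = ("urgent", "action required", "account at risk")
ENTICING = ("congratulations", "you've won", "mega discounts", "you'll never believe")
ODD_VOCAB = re.compile(r"\b(kindly\s+\w+|henceforth|thusly)\b", re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s<>"]+')


def email_domain(address):
    """Return the part after the '@', lowercased; handles 'Name <user@host>' too."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def url_domain(url):
    """Apply the post's rule: the host name sits between '//' and the next '/',
    and the domain is its last two dot-separated parts.
    Caveat: this simple rule is wrong for multi-part suffixes such as example.co.uk,
    where it would return 'co.uk'."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def check_message(msg, trusted_domains):
    """Return a list of human-readable phishing indicators found in the message."""
    findings = []

    sender = email_domain(msg["from"])
    if sender not in trusted_domains:
        findings.append(f"sender domain '{sender}' is not one you expect")

    subject = msg["subject"].lower().replace("\u2019", "'")  # normalise curly apostrophes
    if any(p in subject for p in ALARMING):
        findings.append("alarming subject line")
    if any(p in subject for p in ENTICING):
        findings.append("enticing / too-good-to-be-true subject line")

    m = ODD_VOCAB.search(msg["body"])
    if m:
        findings.append(f"odd vocabulary: '{m.group(0)}'")

    # Every link is judged by its domain, not by the text around it.
    for url in URL_RE.findall(msg["body"]):
        d = url_domain(url)
        if d not in trusted_domains:
            findings.append(f"link {url} goes to '{d}'")
    return findings


# Constructed samples for this example (not real messages).
TRUSTED = {"yourbank.com"}

LEGIT = {
    "from": "YourBank Support <support@yourbank.com>",
    "subject": "Your March statement is ready",
    "body": "View it at https://www.yourbank.com/statements when convenient.",
}

PHISH = {
    "from": "YourBank Support <support@yourbank-badperson.com>",
    "subject": "URGENT: Account at Risk - Action Required",
    "body": "Kindly update your details at https://www.yourbank.com.badperson.net/login "
            "within 24 hours.",
}

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("phish", PHISH)):
        print(name, check_message(msg, TRUSTED) or ["no indicators found"])
```

The phishing sample also shows the “look-alike subdomain” trick the domain rule is meant to catch: `www.yourbank.com.badperson.net` starts with the bank’s name, but the last two parts are `badperson.net`, so the link is flagged. No single indicator is proof on its own; the script simply surfaces the same questions the post asks so you can answer them quickly.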
How to protect yourself?
Look for the signs described above.
Do NOT respond to it or forward it.
This alerts the bad people that the email account is active.
If it came from a friend or someone you know, but the email seems off:
Contact them via a known-good alternative, like calling or texting their cellphone number.
Report the suspicious message.
If you work at a company, use your company’s approved method to report emails.
If you’re using a personal emailing system, such as Gmail, you can click the three dots next to the reply button and click “Report phishing.” Outlook and other mail systems use similar processes/locations.
Avoid sharing personal information.
If in doubt, contact the organization/friend directly.
Use a verified website or phone number that is not contained within the email, as those numbers or websites could be tied back to the bad person.
Use strong passwords:
It’s best to create unique, complex passwords for different accounts.
If you have a lot of accounts, it’s easier to use a password manager.
These can help generate strong passwords and keep them unique across sites.
Make sure to use a good, strong, unique password to log in to the password manager itself.
If the website or application allows it, configure Multi-Factor Authentication (MFA). I’ll explain more about MFA in an upcoming blog post.
Most sites can do this via email or text message.
Enabling these methods is better than not having MFA at all.
If the site allows authenticator apps, this is considered a better, “phishing-resistant” method.
There are apps like Google Authenticator, Authy, Microsoft Authenticator, and others that are free to use.
Conclusion
Phishing is a prevalent threat in the digital world, but by staying vigilant and following the tips outlined above, you can protect yourself and your sensitive information. Stay safe and always think twice before clicking on that link!
Comments are welcome! Keep them civil and on topic.