While fishing may be a favourite pastime, phishing is a little bit less fun! We’ve written up this guide to help you understand what phishing is, what signs to look for, and how to keep your device secure despite any phishing attempts that may come your way.
Okay, but what is phishing?
Phishing is an example of social engineering, in which someone fraudulently attempts to steal user data - things like login credentials, credit card numbers, and personal identity information.
Taking a step back, social engineering is when someone attempts to deceive someone else into giving them information that might be considered “sensitive” or “private”, potentially for fraudulent purposes.
There are a few different kinds of phishing such as vishing (phishing over the phone), SMS phishing, and spear phishing (phishing which targets a specific person, such as the CEO of a company).
How do I know the email I received isn’t legitimate?
While there isn’t an exact science to this, there are a few things to keep in mind when you receive an email that looks suspicious.
Check the Sender
Do you know the person sending the email? Is their email address one that you’re familiar with or have received emails from before?
Phishing emails tend to come from an address that is a slight variant of the original. For example, a “Google” email could come from @int-google.au, which is not a valid email address. Similarly, you may find typos in the sender’s address that vary ever so slightly from their actual address.
Check Links Before Clicking
One of the best things you can do to keep your device secure from phishing attacks is to avoid clicking links in emails, or to be very cautious when you do.
One thing you can do is hover your cursor over the link before clicking to see if it directs you to the right address.
Or even better, head to your browser and navigate to the website directly instead of clicking on the button or link in the email. This applies to all links, including links to reputable third-party storage systems like Google Drive.
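The sender check and the hover check described above can also be run mechanically over a saved message. The following Python is an added example, not part of the original guide; the TRUSTED list, the constructed sample message and the function names are assumptions made for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"google.com"}  # assumption: domains you really expect mail from
SAMPLE = """\
From: Google Support <no-reply@int-google.au>
Content-Type: text/html; charset="utf-8"

<p>Sign in at <a href="http://accounts.int-google.au/login">accounts.google.com</a></p>
"""  # constructed sample; the sender domain is the guide's own example

class Links(HTMLParser):  # collects (visible text, href) for every <a>
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = (dict(attrs).get("href") or "").strip(), ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.text.strip(), self.href))
            self.href = None

def host(value):  # hostname of a URL or of bare domain-like text, else ""
    if " " in value or "." not in value:
        return ""
    return (urlparse(value if "://" in value else "//" + value).hostname or "").lower()

def trusted(name):  # exact match or a subdomain of a trusted domain
    return any(name == d or name.endswith("." + d) for d in TRUSTED)

def check_email(raw):  # returns a list of warnings about sender and links
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    warnings = [] if trusted(sender) else [f"sender domain {sender} is not one you expect"]
    body = msg.get_body(preferencelist=("html",))
    parser = Links()
    parser.feed(body.get_content() if body is not None else "")
    for text, href in parser.found:
        shown, real = host(text), host(href)
        if shown and shown != real:
            warnings.append(f"link shows {shown} but goes to {real}")
        elif not trusted(real):
            warnings.append(f"link goes to unexpected site {real}")
    return warnings
```

Calling `check_email(SAMPLE)` reports both the lookalike sender domain and the link whose visible text names one site while its destination is another.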
Don’t Enter Credentials Through Links
If you do decide to click a link in an email and are taken to a page asking for your login credentials, stop where you are and don’t enter them. Just to be super sure, go to the website from your browser instead of clicking on the link.
Practice Caution When Downloading Attachments
When deciding whether or not to download an attachment, there are a couple of important questions to ask yourself:
- Is the sender a trusted source? You should feel more comfortable downloading attachments from a colleague, friend, etc. if you are confident the email address sending the attachment is legitimately theirs.
- Are you expecting to receive this attachment? If you know that the attachment was being sent to you or if it’s something you requested to have sent, this is definitely less suspicious than receiving something out of the blue.
Keep Your Eyes Peeled for Other Oddities
There are a few other things to watch out for:
- Are they addressing you by name? Most organizations that email you will mention your name, while phishing emails don’t generally do this because they tend to be sent out in batches to try and get as many people to click on links as they can.
- Are there a number of grammar/spelling mistakes in the email? Read through the email and check for any errors. While grammar and spelling mistakes aren’t specific to phishing emails, they’re more likely to be seen there than in a legitimate email from a reputable company.
- A good thing to remember is that most emails sent by organizations are not asking for personal information. So if you receive an email that’s asking you to enter sensitive personal information, don’t do it!
- Urgency is another oddity to watch out for. For instance, when you receive a notification from a company about your credit card expiring, they’ll usually give more advance notice rather than urgently asking you to update your payment information.
As these hackers become more and more savvy, phishing attempts can be very tricky to spot, so be sure to remain vigilant in your inbox!
What should I do with a suspected phishing email?
While this will vary between email providers, some providers like Gmail offer the option to report an email as phishing.
If you don’t see this option, you can mark the email as spam so that the sender is less likely to be able to reach you again. Otherwise, you can just delete these kinds of emails.
Still Have Questions?
Have any questions about these recommendations or anything else related to security or privacy? Feel free to email Privacy and Security Support at firstname.lastname@example.org and we’d love to clarify anything you’re unsure about!