Phishing is a widespread practice that can trick anyone: a senior executive at a Fortune 500 company, your grandparents, and yes, even you. The word “phishing” sounds like “fishing” for a reason. Someone is creating bait, intended to look like the real thing, and dangling it in front of you hoping you’ll bite.
At its most basic phishing involves sending messages, usually emails but also text messages or phone calls, that seem legitimate, as if they were from your bank, your email provider, your employer, a co-worker, the electric company, etc. but aren’t.
These messages are crafted to get you to log into “your account,” click a link, or share a password – but it’s not your account, the link doesn’t actually go to your bank, and that password you shared is now in the hands of someone with bad intentions. As with most scams the message in the phishing attempt is designed to make you act. It might use a sense of urgency (“Your account was compromised!! click here to reset your password!”) or it may mimic the sort of ordinary email you get dozens of every day so you take action on auto-pilot, not giving it a second thought.
You can’t count on them to appear obviously fake. Some phishing messages are easy to spot due to misspellings or obvious attempts to scam you (the infamous Nigerian Prince scams for example). But many are much more sophisticated and are extremely difficult to spot even if you know what you’re looking for. There’s a reason phishing is so widespread – it works. A recent report estimated that 30% of phishing messages are opened, and 12% of the malicious links, files, etc. were clicked or opened. So what can you do about it?
Be wary. Be suspicious. Verify before you click.
The most important thing you can do is develop a habit of being cautious. Phishing counts on your automatically clicking the link, putting in your password, or opening the attachment. If you get a message you weren’t expecting, even if it’s from someone or a company you know, don’t click the link. If it’s from a coworker or a superior asking you to “check out this document,” email them or call them directly (don’t just hit “reply,” that would go back to the phisher) and confirm that they sent it. Get an email or text from your bank saying your account is locked and you need to login to unlock it? Don’t follow the links in the message. Open a web browser, go to the bank’s homepage, and log-in there to look for the same message.
A good general rule is to verify the message externally before you take any action on what was in the message.
You can also look at sender information (though this is relatively easy to fake, so you shouldn’t count on it as your only defense) to make sure that email from your CEO is actually from them, hover over any links to see the url of the webpage they’re sending you to (www.mybank.com is not the same as phishinglure.com/mybank/login), and train yourself to spot fakes. Google recently published an online quiz to help you learn what phishing looks like and just how convincing it can be. You can take it here: https://phishingquiz.withgoogle.com/ (If you’re suspicious like us, note that you can use a fake email and name in the quiz, not your real one).
Finally you should be aware of what the most common phishing attempts look like. In 2018 the most common lures were: bills and invoices, email delivery failure messages, legal/law enforcement notices, scanned documents, and package delivery notifications. However in 2020 those had switched to notices about Coronavirus, stimulus payments, or election information. More recently, messages appearing to be from LinkedIn seem to have become the most common.
You can see that the phishing tactics and message change to match what is most popular, or on people’s mind at the time.
Which attempts work the best? It varies. In 2018 Dropbox lures were the single most common (“Your friend has shared these files with you – sign in to Dropbox to see them!”) while DocuSign requests were the most effective. Attachments that look like Microsoft Office files, pdfs, Google Drive links, and IRS documents are all common as well. There is no definitive list of what is safe and what isn’t. And phishing is not limited to just email and text messages. While they are the easiest to send in mass quantities and therefore the most common, you can be phished via physical mail, a phone call, even in person. In all cases remember to slow down and don’t take any action until you’ve verified externally – not through any links, addresses, or numbers included in the message.
After all of this you might be wondering, what about emails from BrightDime? We do send emails to our users with links occasionally. You can hover over any links to make sure they point to www.brightdime.com or a link within BrightDime (like www.brightdime.com/login). And if you’re ever unsure, let us know at firstname.lastname@example.org. That’s a direct line to us and we can tell you if we sent you that email or not.