Recognize and Avoid Email Phishing Scams

The best protection against email phishing scams is understanding how they work and how to recognize and avoid them. Increased awareness and appropriate response are the best protection against criminals phishing for your personal information and data.

Email phishing scams are emails that pretend to come from someone other than their real sender, with the intention of getting you to perform some action, often clicking on an email attachment or a link to a website that the criminal controls.

Email phishing scams often look like they are sent by someone you know (a family member, colleague or a friend), or an authority you recognize and respect (a package delivery company, government agency or your company boss).

There is no software solution that completely protects you from email phishing scams.

The best protection is education and knowledge:

  • being careful when opening and reading emails
  • being careful when clicking on email links and attachments
  • knowing what email phishing scam emails look like
  • knowing what to do when you receive one

You should, of course, have antivirus software as well. It not only helps with certain email phishing scams, it protects your computer in other ways.

What Email Phishing Scams Look Like

Email phishing criminals target everyone. Here is one example:

You get an email pretending to be from your bank asking you to click on the link to update your profile. It sounds very important, almost urgent.

When you click on the link, your web browser opens and displays what looks like your bank's login page. You type in your username and password, and get an error message saying that your username or password was wrong and to please try again.

You try again and this time log in without issues. After you log in, it is not clear what exactly you need to update. You are busy, and don't have time to investigate. You log out and carry on with your day.

This is what happened:

When you clicked on the link in the phishing email you received from "your bank" and your web browser opened a web page that looked like your bank's login page, it was actually the email phishing criminal's web page. It looked exactly like your real bank's login page, but it wasn't.

You then typed in your username and password, and the criminal's web page saved them and gave you an error message saying it could not log you in because your username or password was wrong.

Your username and password were not wrong. The criminal's web page told you they were because, although it had just stolen them, it could not log you into your bank itself. After showing the error message, it redirected your web browser to your real bank's login page. This is why the second attempt worked: that time you were typing your username and password into your real bank's website.

One example of an email phishing scam:

  1. You received an email that looked like it came from your bank
  2. You clicked on the link in that email that claimed you should update something
  3. You were taken to the email scammer's web site that looked like your bank's
  4. You typed in your username and password to log in
  5. The scammer stole your username and password
  6. The scammer gave you an error message saying it could not log you in
  7. The scammer re-directed you to your real bank's log in website
  8. You typed in your username and password again
  9. You logged in, this time into your real bank's website

You just gave the bad guy your bank's username and password.
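The two tells in the scenario above (a link whose visible text names the bank while its real target is a domain the criminal registered, and a hostname that merely contains the bank's name) can be checked mechanically before anyone clicks. The following is an added example, not code from the original article: a small Python checker that pulls every link out of an HTML email body and reports those tells. The bank domain "examplebank.com" and the sample email are constructed for illustration.

```python
"""Flag suspicious links in an HTML email body (added example, not from the article)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "examplebank.com"  # assumption: the customer's real bank domain


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; adequate for .com/.net style names used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_url(text):
    """True if the visible link text itself looks like a URL or a bare domain."""
    return "://" in text or ("." in text and " " not in text)


def check_link(href, text, expected_domain=EXPECTED_DOMAIN):
    """Return the reasons this link looks like phishing; an empty list means no finding."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    actual = registrable_domain(host)

    # Tell 1: the visible text shows one domain while the href points somewhere else.
    shown = ""
    if looks_like_url(text):
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
    if shown and registrable_domain(shown) != actual:
        reasons.append(f"link text shows {shown} but target is {host}")

    # Tell 2: the bank's name is in the hostname, but the registrable domain belongs to someone else
    # (e.g. examplebank.com.profile-update.net is owned by profile-update.net).
    if expected_domain in host and actual != expected_domain:
        reasons.append(f"{host} is not {expected_domain}; it belongs to {actual}")

    # Tell 3: a login link over plain http would send credentials in the clear.
    if parsed.scheme == "http" and "login" in parsed.path.lower():
        reasons.append("login link uses http, not https")
    return reasons


def suspicious_links(html_body, expected_domain=EXPECTED_DOMAIN):
    """Return [(href, reasons)] for each link with at least one finding."""
    parser = LinkCollector()
    parser.feed(html_body)
    return [(href, r) for href, text in parser.links
            if (r := check_link(href, text, expected_domain))]


# Constructed sample body modelled on the "update your profile" email above.
SAMPLE_EMAIL = """
<p>Dear customer, your profile must be updated within 24 hours.</p>
<p><a href="http://examplebank.com.profile-update.net/login">https://examplebank.com/login</a></p>
<p><a href="https://examplebank.com/help">Help center</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Only the first link is reported, with all three tells; the genuine help link passes. The same logic is what a mail gateway or browser extension applies, and the manual version is simply hovering over the link and comparing the real target with what the text claims.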

Internet criminals count on you using the same password for many online services. If they steal one of your passwords, they may be able to log into many other online services where you use the same password. You should be using a randomly generated, unique password for EVERY online service. A password manager can help.

Different people get different email phishing scams. You may get email phishing emails that pretend to be from your bank or credit card company, or shipping scams ("your FedEx package has arrived", or "your UPS package could not be delivered"), or "invoice due" scams.

[Image: "Your Package Has Arrived" email phishing scam example]

If you click on the wrong link or open the wrong attachment, you may have your information stolen, or malicious software may be installed on your computer that steals your data.

Corporate Email Phishing Scams

Email phishing scams often target finance and HR personnel in private companies and governments. These types of scams are looking for personal information on company or organization employees.

Email scam artists may try to trick a company staff member into giving away personal information on their employees. Even reputable companies are vulnerable to such scams.

A typical example is a company employee who, believing the phishing email they received was a legitimate internal request, sends W-2 tax form information for current and former employees to an unauthorized third party.

The "legitimate request" may be in the form of a spoofed message from the organization's CEO asking for all employee W-2 forms. Even though this should seem an odd request (why would a CEO ask payroll for this directly?), most employees will do what the boss asks.
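The CEO W-2 request above carries tells that a mail gateway rule, or a payroll clerk who pauses before replying, can check: a sender display name that matches an executive while the address is not that executive's mailbox, a Reply-To that steers the answer to a different domain, and a request for payroll or tax data. The following is an added example, not code from the original article; the company domain "examplecorp.com", the executive list and both sample messages are constructed for illustration.

```python
"""Flag executive-impersonation requests for payroll data (added example, not from the article)."""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "examplecorp.com"                       # assumption
EXECUTIVES = {"Jane Doe": "jane.doe@examplecorp.com"}    # assumption: the real CEO mailbox
PAYROLL_TERMS = ("w-2", "w2", "social security", "payroll", "salary", "ssn")


def domain_of(address):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def impersonation_findings(raw_message, executives=EXECUTIVES):
    """Return a list of reasons the message looks like executive impersonation."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # Tell 1: the display name is an executive's, but the address is not that executive's mailbox
    # (lookalike domain, free webmail, or a display name pasted onto any address).
    expected = executives.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        findings.append(f"'{from_name}' sent from {from_addr}, expected {expected}")

    # Tell 2: replies are routed to a different domain than the one the sender claims.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"Reply-To {reply_addr} is outside {domain_of(from_addr)}")

    # Tell 3: the subject or body asks for payroll / tax data.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [term for term in PAYROLL_TERMS if term in text]
    if hits:
        findings.append("requests payroll data: " + ", ".join(hits))
    return findings


# Constructed sample: the scam as described above.
SCAM_MESSAGE = """From: Jane Doe <jane.doe@examplecorp-mail.com>
Reply-To: Jane Doe <ceo.urgent@mail-example.net>
To: payroll@examplecorp.com
Subject: W-2 forms for all employees
Content-Type: text/plain; charset=us-ascii

Hi, I need the W-2 forms for all current and former employees as PDF today.
I am in meetings, please just reply with the files. Thanks, Jane
"""

# Constructed sample: an ordinary internal message from the real mailbox.
LEGIT_MESSAGE = """From: Jane Doe <jane.doe@examplecorp.com>
To: payroll@examplecorp.com
Subject: Board meeting agenda
Content-Type: text/plain; charset=us-ascii

Please add the quarterly headcount summary to Thursday's agenda. Thanks, Jane
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, impersonation_findings(raw) or ["no findings"])
```

The scam message trips all three checks; the legitimate one trips none. This catches lookalike domains and Reply-To redirection, which is how most of these requests arrive. A message whose From address is forged to be exactly the CEO's real address is a different problem, handled by SPF, DKIM and DMARC enforcement at the mail gateway rather than by header inspection, and the procedural control (never send employee data in reply to an email; confirm by phone or in person) covers both cases.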

It is difficult to defend against such email phishing attacks. There should be measures in place to prevent it from happening, but bulletproof procedures are challenging to implement and require strong leadership and constant education of the employees.

Email phishing scams are sometimes targeted at a particular company or person. Such targeted phishing scams are called spear phishing, and are even harder to defend against.

Every company should adapt anti-phishing best practices to its own environment, regularly review its defensive processes and procedures, and continuously educate all employees on how to recognize and deal with email phishing scams.

Email phishing scams can compromise important personal information including:

  • Social Security numbers
  • Salaries
  • Phone numbers
  • Addresses
  • Internal employee numbers
  • Other personal data

Email phishing criminals can use such information to file a phony tax refund request with the Internal Revenue Service (IRS) and with state tax agencies. The IRS then sends the tax refund to the criminal instead of the actual taxpayer.

Most Email Phishing Scams Don't End Up in The News

Only a small percentage of companies that experience email phishing scams end up in the news. They are often large, well-known companies we have all heard about and recognize. But many other companies get attacked just the same way.

When we read about a company losing personal information on their employees in the news, it is often because the company is regulated in some way. It may be a public company, or in the finance or health industry. There may be a whistleblower, perhaps a former employee, who contacts a news organization about it.

What percentage of companies that experienced personal data and information leaks because of email phishing scams we learn about? One percent? Two percent? Five percent?

Because we don't hear about it, does it mean email phishing scams are relatively rare?

No, just the opposite. There are already too many companies we read about in the news. Too many with the same story.

Many of them are not supposed to get scammed, at least not in relatively easy and straightforward ways. And many of them are prominent companies that make quality products or provide important services. If companies with the resources to defend themselves fall for email phishing scams, so do many others.

Arm Yourself with Knowledge

Email phishing scams are common. Attackers are getting better and better. Emails we receive look more and more real. Deciding what link to click on is getting harder and harder.

Having good antivirus software helps. If you receive an email attachment that carries known malware, antivirus can catch and quarantine it before you get a chance to open it. It will not catch everything: a new or modified sample may not be recognized yet.

Knowing how to recognize and avoid email phishing scams is critical. No software reliably detects every email phishing scam, and not all scams carry an attachment for antivirus to scan; a message that only asks you to click a link or reply with information leaves nothing for it to inspect.

For example, take a look at a detailed analysis of an email that claims to be from FedEx but is actually a FedEx email scam.

Your best defense is being aware of how email phishing scams work, knowing how people you interact with communicate, and having robust procedures in place that will protect you, your computer and your personal information and data.