Securing Our Communities: How to Identify Phishing Emails and Avoid Becoming a Victim

The NTIC Cyber Center is providing this guide to help end users easily identify phishing emails and avoid becoming infected with malware or having their account credentials or other sensitive information stolen in a phishing attack. Although phishing emails may differ in wording and design, there are some common things that end users can look for to easily identify them and avoid becoming a victim.

What is phishing?

Phishing is a type of social engineering scheme in which an attacker tries to trick victims into revealing sensitive information such as their account login credentials (usernames and passwords), their banking or credit card information, or personally identifiable information (PII) such as dates of birth and Social Security numbers. The attackers then use this information to gain unauthorized access to email, social media, and financial accounts, steal victims’ money and data, conduct financial fraud, or commit identity theft. The following is a list of different types of phishing attacks:

  • Phishing: An email campaign that sends generic emails to many unrelated recipients in the hopes that one or more recipients will fall for the scam and divulge sensitive information or infect their computers with malware. Phishing is also an umbrella term used to describe any of the following attacks.

  • Spear Phishing: A targeted email campaign that sends specially-crafted emails to a specific group of people, often within the same organization (e.g., a malicious email sent to employees in a company’s finance department that pretends to contain an invoice that urgently needs to be paid).

  • Whaling: A highly targeted email campaign that sends specially-crafted emails to high-level or high-profile people such as corporate leadership, politicians, and celebrities. These campaigns typically use very personalized emails designed to garner immediate attention and action from the victim.

  • Smishing (or SMS phishing): A type of phishing campaign that uses text messages, or SMS messages, to target mobile phone users. These text messages often contain links to malicious websites or apps that can infect mobile phones with malware.

  • Vishing (or voice phishing): A type of phishing campaign that uses phone calls to target and obtain personal or financial information from victims. Attackers who conduct vishing campaigns often pretend to be someone the victim knows, a representative from a well-known company, or someone from a federal or local law enforcement agency or government organization, such as the FBI or IRS.

Phishing campaigns have become increasingly sophisticated in recent years, using a variety of techniques to trick victims into divulging sensitive information. Some methods include sending emails from domains that look like they are associated with legitimate organizations (email spoofing) and using legitimate but compromised email accounts to send malicious emails (also known as Business Email Compromise). Some phishing campaigns use official company or agency logos in the email signature and may address targets by name. Despite these tricky tactics, there are still some ways to identify a phishing attack and avoid becoming a victim.

Six Ways to Identify a Phishing Email:

  1. The email creates a sense of urgency or causes an emotional response. Emails that include the words “urgent,” “important,” or any other word or phrase designed to grab your attention and encourage you to act quickly should be heavily scrutinized. Attackers want you to act quickly without thinking so they will try to manipulate your emotions through words and phrases in the subject and body of the email. If you receive an email that makes you feel as though you need to act on the request immediately, take a moment to read it carefully to see if the request makes sense. If you are still unsure, ask someone from your IT department for help to determine if the email is legitimate before responding to it, clicking on any links, or opening any attachments.

  2. The email contains some type of threat if the recipient does not act on the request. Similar to the previous example, if the email in question threatens you with some type of negative consequence, such as an impending account closure, a lawsuit, an arrest, or financial ramifications, it is likely a phishing email and you should not act on it. Again, if you are unsure, ask your IT department for a second opinion.

  3. The email asks you to provide or confirm personal or sensitive information. Any email that asks you to provide any personal or sensitive information such as a date of birth, Social Security number, financial account information, or a password, either by responding to an email or clicking on a link contained in that email, should be regarded as a phishing email and reported to your IT department. Even in the rare case that it is a legitimate request, no one should ever ask you to provide sensitive information over unencrypted, unsecure email. Also, you should never provide your password to anyone, regardless of the reason provided.

  4. The email contains a lot of misspellings or grammatical errors. This used to be a fairly easy way to identify phishing emails because many phishing campaigns originate overseas from people who do not natively speak English. However, over time, online language translation services have improved and many of these errors have been eliminated through the use of technology. It is interesting to note, though, that many authors of phishing emails – especially those from outside the US – commonly use the words “regards,” “best regards,” or “kind regards,” at the end of an email. This may be a red flag, especially if the email is from the account of a known sender who does not typically use those words in their signature line.

  5. The wording in the email is vague or unclear but includes a link or attachment. Some phishing campaigns may try to pique your curiosity by not supplying many details in the hopes that you will click on the link or open the attachment to learn more. Send emails like these to your IT department to determine legitimacy.

  6. The email asks you to change an established process or procedure. This tip is especially important for employees who are responsible for maintaining an organization’s finances. Profit-motivated attackers who target employees in an organization’s finance department may try to trick victims into changing an established procedure for conducting financial transactions. They may pretend to be a known vendor or service provider and ask for owed payments to be wired to a new bank account or sent to a different address than what the organization currently has on file. The attackers may also masquerade as a company’s CEO or CFO to try and scare employees into complying with the request quickly and discourage them from seeking additional authorization.
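The six indicators above, together with the spoofing signals described earlier (look-alike or mismatched domains, compromised known-sender accounts), can be turned into a simple triage check that an IT or security team runs over a reported message before a human looks at it. The following scorer is an added example written for this guide; it is not NTIC code or part of any product. It uses only the Python standard library, the keyword lists and the 40-word "vague body" threshold are illustrative assumptions, and both sample messages are constructed for the demonstration. It covers the six indicators plus two spoofing checks: a Reply-To domain that differs from the From domain, and link text that shows one domain while the href points at another.

```python
"""Heuristic phishing triage scorer (added example; keyword lists are assumptions)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Illustrative word lists keyed to the guide's six indicators; tune per organization.
URGENCY_WORDS = ("urgent", "immediately", "important", "right away", "within 24 hours", "asap")
THREAT_WORDS = ("suspended", "closed", "lawsuit", "arrest", "legal action", "penalty", "terminated")
SENSITIVE_WORDS = ("password", "social security", "ssn", "date of birth", "account number",
                   "credit card", "verify your account", "confirm your identity")
PROCESS_CHANGE_WORDS = ("new bank account", "updated bank", "new account number",
                        "wire the payment", "change of bank", "different address")
ATTACHMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".xlsm", ".zip")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
SIGNOFF_RE = re.compile(r"\b(?:kind|best)?\s*regards\b", re.I)
DOMAIN_LIKE_RE = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#]\S*)?", re.I)


def _domain(addr_or_url: str) -> str:
    """Lower-cased domain of an email address or URL ('' if none)."""
    s = addr_or_url.strip()
    if "@" in s:
        return s.rsplit("@", 1)[1].lower()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _label_domain(label: str) -> str:
    """Domain shown in link text, but only when the text itself looks like a URL or host."""
    m = DOMAIN_LIKE_RE.fullmatch(label.strip())
    return m.group(1).lower() if m else ""


def _leaves(msg: Message):
    """Yield (content_type, decoded text, filename) for every non-multipart MIME part."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        yield part.get_content_type(), payload.decode(part.get_content_charset() or "utf-8", "replace"), part.get_filename()


def score_email(raw: str, known_signoffs: Optional[dict] = None) -> dict:
    """Score a raw RFC 5322 message. known_signoffs maps a sender address to the sign-off
    that sender normally uses (drives indicator 4). Returns {'score': int, 'flags': [...]}."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    text, links, attachments = "", [], []
    for ctype, content, filename in _leaves(msg):
        if filename and filename.lower().endswith(ATTACHMENT_EXTS):
            attachments.append(filename)
            continue
        if ctype == "text/html":
            links += [(href, re.sub(r"<[^>]+>", "", label)) for href, label in ANCHOR_RE.findall(content)]
            content = re.sub(r"<[^>]+>", " ", content)  # strip tags for keyword matching
        elif ctype != "text/plain":
            continue
        text += "\n" + content
    seen = {href for href, _ in links}
    links += [(u, u) for u in URL_RE.findall(text) if u not in seen]  # bare URLs in plain text

    hay = (msg.get("Subject", "") + "\n" + text).lower()
    flags = []

    def check(name, words):
        hits = [w for w in words if w in hay]
        if hits:
            flags.append(f"{name}: {', '.join(hits)}")

    check("1-urgency", URGENCY_WORDS)
    check("2-threat", THREAT_WORDS)
    check("3-sensitive-info request", SENSITIVE_WORDS)
    usual = (known_signoffs or {}).get(sender)  # indicator 4: unusual 'regards' from a known sender
    if usual and SIGNOFF_RE.search(text) and not SIGNOFF_RE.search(usual):
        flags.append(f"4-unusual sign-off for known sender {sender}")
    if len(text.split()) < 40 and (links or attachments):  # indicator 5: little text, but a link/attachment
        flags.append("5-vague body with link/attachment")
    check("6-process change", PROCESS_CHANGE_WORDS)
    if reply_to and _domain(reply_to) != _domain(sender):  # spoofing: replies go elsewhere
        flags.append(f"reply-to domain {_domain(reply_to)} differs from sender domain {_domain(sender)}")
    for href, label in links:  # spoofing: displayed domain differs from real destination
        shown = _label_domain(label)
        if shown and shown != _domain(href):
            flags.append(f"link text shows {shown} but points to {_domain(href)}")
    return {"score": len(flags), "flags": flags}


# Constructed samples: a known vendor contact whose account appears compromised, and a normal note.
KNOWN_SIGNOFFS = {"billing@acme.example": "Thanks,\nDana"}
PHISHING_SAMPLE = """\
From: Dana Lee <billing@acme.example>
Reply-To: collections@mail-acme.example
Subject: URGENT: Invoice overdue - action required
Content-Type: text/html

<p>Our bank details have changed. Please wire the payment to our new bank account
within 24 hours or your account will be suspended.</p>
<p><a href="http://acme-login.example/login">https://portal.acme.example/login</a></p>
<p>Kind regards,<br>Accounts</p>
"""
BENIGN_SAMPLE = """\
From: Dana Lee <billing@acme.example>
Subject: March invoice
Content-Type: text/plain

Hi Sam,

Here are the March figures, same terms as always. Nothing has changed
with our bank details; please pay to the account on file as usual.

Thanks,
Dana
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score_email(sample, KNOWN_SIGNOFFS))
```

The score is a count of independent signals, so a message that trips several of them at once (urgency plus a threat plus a payment-procedure change from a sender whose sign-off has changed) stands out clearly, while a single keyword hit on its own stays low. Treat it as a triage aid that prioritizes which reported emails an analyst reads first, not as a verdict; the guide's advice to verify an unexpected request through a second channel still applies.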

Important Things to Remember to Protect Yourself and Your Organization from Phishing Attacks:

  • If in doubt, have your IT department check it out. Notifying your IT department can help them determine if the phishing campaign impacted other people in your organization and prevent others from being victimized.

  • If an email makes you feel the need to urgently act, take a step back. Don’t rush to respond to an unexpected request just because an email tells you to do so. Stop and think before you act.

  • Think before you click. Links in phishing emails can lead to dangerous websites that trick you into entering personal information or that download malware onto your computer. Attachments such as PDFs, Word documents, and Excel spreadsheets can also contain malware, so never open them or enable macros in them unless you are sure you can trust them.

  • Never log into an online account from a link provided in an email. Even if you think the email is legitimate, it is always safer to visit a website directly by typing the website address into your web browser. For added security, bookmark frequently visited websites to prevent accidentally typing in the wrong address or being tricked by an incorrect search result.

  • Never give your passwords to anyone – not even your IT staff. Your IT department will never need to know your password to handle your IT request or secure your account.

  • If you mess up, fess up! It’s important to remember that no one is perfect and even the most tech-savvy people among us can fall for a well-crafted phishing email. However, if you do fall for a phishing scam, alert your IT department immediately so they can quickly contain any malware infection and protect your account from further compromise. If you fall for a phishing email sent to your personal email account, be sure to scan your computer for malware using reputable antivirus software and immediately change any associated passwords.

  • Enable two-factor authentication (2FA) on every online account that offers it. 2FA is a great way to reduce your risk of account compromise, even if an attacker has your password. Without the one-time code sent to your phone or generated by an authenticator app, the attacker won’t be able to access your account.

  • Remember, remember, phishing emails can come from a known sender. Just because you received an email containing an urgent request, link, or attachment from someone you know and trust, that doesn’t mean it’s legitimate. Enterprise email security systems have gotten much better at blocking external email threats in recent years, so attackers are increasingly using compromised employee email accounts to send phishing emails to others inside an organization. Make sure to verify that an unexpected email from a known sender is legitimate by contacting the sender another way – such as through a phone call or text message – before you act on it.

  • Implement a multi-step authorization process for any procedural changes in your organization, especially when it comes to financial transactions. Requiring two or more people to authorize and implement changes to financial or other operational procedures can help reduce the risk of financial loss resulting from a phishing scam.

Cybersecurity is a shared responsibility, so please use these tips to help keep yourself and your organization safe from phishing threats.

The NTIC is governed by a privacy, civil rights, and civil liberties protection policy to promote conduct that complies with applicable federal, state, and local laws. The NTIC does not seek or retain any information about individuals or organizations solely on the basis of their religious, political or social views or activities; their participation in a particular noncriminal organization or lawful event; or their race, ethnicities, citizenships, places of origin, ages, disabilities, genders, or sexual orientations. No information is gathered or collected by the NTIC in violation of federal or state laws or regulations.