Phishing Attack or Spam Email?
“Phishing” is a form of social engineering where cybercriminals try to fool people into revealing personal information online. The name comes from the idea of fishing: scammers send a message that acts as bait, hoping to “hook” someone.
Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. They prompt you to click on a link, which may infect your machine with malware and viruses. For example, an attacker may send an email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to their accounts. Attackers often take advantage of current events and certain times of the year, such as:
- Natural disasters (e.g., hurricanes)
- Pandemics, epidemics and health scares (e.g., H1N1, COVID-19)
- Economic concerns (e.g., IRS scams)
- Major political elections
- Holidays (e.g., Valentine’s Day, Independence Day)
Spam is any unsolicited email that arrives in your inbox. You didn’t request it, but through the efforts of organizations that specialize in collecting and curating email addresses, it found its way to you. Spam does not necessarily contain viruses — valid messages from legitimate sources could fall into this category.
Cybercriminals who use spam target millions of inboxes with phishing emails that look like normal spam, but the links and attachments in these emails are always malicious. Responding to one could lead to identity theft, email fraud, a ransomware attack on your business, or any number of other devastating consequences.
If you suspect the spam is a phish, do not click on any links in the email, download any attachments, engage or respond, or fall for any emotional traps, like promises of rewards or threats for not acting.
Please check out the Spam Email or Phishing Attack infographic for more great tips on spotting and avoiding phishing.
Vigilance is the Best Defense
Verify the sender: Were you expecting something from them? Check the sender’s email address, in particular the domain that follows the @ sign. If that domain contains characters that aren’t in the address of the company’s main website, it could be a fake email. It may be a domain that does not reference the legitimate company at all or alters the official one in some way.
What is in the message? Is the tone urgent? Are there grammatical or spelling errors? If so, be suspicious.
Look for links: If the email or text tries to get you to click on links or go to a website to provide information, beware.
Confirm: Verify the request separately by phone with the office of the individual or system referenced.
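The first three checks above can also be run automatically. The following Python script is an added example, not part of the original article. It assumes a single-part HTML message, a hypothetical official domain "examplebank.example", and an illustrative list of urgent phrases; the sample message is constructed.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed phrase list for the "urgent tone" check; tune it for your own mail.
URGENT = ("urgent", "immediately", "suspended", "verify your account")

# Constructed sample message (reserved .example/.invalid names, not real mail).
SAMPLE = """From: "Example Bank" <alerts@examp1ebank.example>
Subject: Urgent: your account is suspended
Content-Type: text/html

<p>Verify your account immediately:
<a href="http://examplebank.example.login.invalid/verify">examplebank.example</a></p>
"""

def belongs_to(host, official):
    """True only if host is the official domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == official or host.endswith("." + official)

class LinkHosts(HTMLParser):
    """Collects the real destination host of every <a href> in the body."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        host = urlsplit(dict(attrs).get("href") or "").hostname if tag == "a" else None
        if host:
            self.hosts.append(host)

def triage(raw, official):
    """Return a list of warning strings for a single-part message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not belongs_to(sender, official):
        findings.append(f"sender domain {sender!r} is not {official}")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENT if p in text]
    if hits:
        findings.append("urgent tone: " + ", ".join(hits))
    parser = LinkHosts()
    parser.feed(body)
    findings += [f"link goes to {h!r}" for h in parser.hosts if not belongs_to(h, official)]
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, "examplebank.example"):
        print("WARNING:", finding)
```

The link in the sample shows the official name as its visible text and at the start of its host, yet the host is not under the official domain, which is why the check compares the end of the host name rather than searching for the company name anywhere in it.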