Phishing Checklist for Browsing Emails

July 6, 2017 by Justin King

Phishing emails often look authentic and can trick you into believing they are legitimate. It’s becoming more and more difficult to spot fraudulent emails, which may lead you into clicking on a link to a phony website or point you to a bogus login page, in order to steal your user name and password.

One of the most common methods to elicit a response from you is through an email that you likely have seen before: a shipment notification. Retail websites often promise fast shipping and offer to track your package. They send out emails confirming your purchase, letting you know your item has shipped, and will often email if there is any delay, plus a notice that the package is delivered. You may be so used to reading these notifications that you barely pay attention to the details anymore, such as the company’s email address. At least that is what the scammers are counting on.

What should you be checking in your email messages to prevent an attack by a phishing email?

  • See who sent you the email. Do you recognize the address and does it match previous messages from this person or company? If it does not, it could be a scam. One way to learn whether the email is safe is to call the company and ask if they sent you this email.
  • Why are you getting this email? If it is not from anyone you know, you are not expecting it, or it is from a company you do not recognize for an order you did not place, it is more likely than not a phishing attempt. Take the time to report it to the company or organization impersonated in the email. Provide them with the details so they can alert other customers to the email scheme.
  • Does the email include an attachment? Shipment verifications usually have links to your account or the shipper’s tracking page but not file attachments. It is better not to open any file attachments but instead type the URL of the retail store in a new tab or browser window, navigate to your account, and from there track your package.
  • Be suspicious of URLs in the message that do not begin with ‘https’. The ‘s’ is for ‘secure’, meaning the communications between your browser and the website are encrypted. You especially want to see this on any webpage that has personal, financial, health care, or sensitive information including your shopping orders. If you want to open a link that is included in the email message, copy and paste it into a new tab or window. However, do not enter any of your personal information into a website that is not encrypted.

Phishing scams are widespread and you’ll likely receive many attempts to access your personal information. When you receive emails from retailers confirming your order and notifying you when it is shipped, watch out for messages that include:

  • The sender’s email address is not the same as the other emails you’ve received from the retailer. Or the email address doesn’t include the retailer’s name, has extra characters or numbers, or has a URL extension that doesn’t end in .com or .net. There are country extensions to show the origin of a business located in another country. Some examples are .uk (United Kingdom), .ro (Romania), or .ru (Russia). Unless you are doing business with another country, the sender’s email address and any of the email’s URLs should not include such an extension.
  • There may be clues in the subject line as well. Those asking if you remember the sender, or saying there’s a problem with your account, your account is deactivated, or you must update your account to receive a refund, should all be considered as suspicious emails. Rather than clicking on any of the links, open the retail website in a separate tab or window and check your account information. Or you can call the company instead and ask if there are any problems with your account or if they need any information from you.
  • Links opening to a sign-in or login page where you need to enter your personal information, such as your name, address, phone number, email address. These pages were likely created by the scammers.
  • Messages that require you to act immediately or your account will be closed or suspended. Retailers do not send these types of requests. Customer service may ask you to call to verify information but they will not send threatening emails requesting information.
  • Notices that your credit card or account has been accessed by an unauthorized person and you need to respond quickly. Or there are suspicious charges on your account and you need to go into the account and check it. There typically will be a link for you to use to take you to a bogus webpage, asking for your login information.
  • Emails that contain images that seem blurry or brand logos that do not exactly match the ones you’ve seen in previous emails. Images that are copied and pasted into phishing emails lose some of their quality. Brands use consistent color schemes and fonts in their marketing materials but a phishing attempt may not be able to exactly duplicate these.
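
Several of the checks in the two lists above (sender address, subject line, attachments, links that are not https) can be run mechanically over a message. The following Python code is an added example, not part of the original article; the retailer domain `shop.example`, the sample message and the phrase list are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email); all names and domains are hypothetical.
SAMPLE = """\
From: "Shop Shipping" <tracking@sh0p-orders.test>
Subject: Action required: your account is suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your package is delayed. Sign in at http://sh0p-orders.test/login to confirm.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="label.zip"

placeholder
--b1--
"""

# Subject-line phrases taken from the checklist (assumed wording, extend as needed).
URGENT = re.compile(r"suspend|deactivat|act immediately|problem with your account|refund|unauthorized", re.I)

def checklist(raw, expected_domain):
    """Return the checklist items that a raw message trips, in check order."""
    msg = message_from_string(raw)
    findings = []
    # 1. Sender: the address must be on the retailer's domain or a subdomain of it.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != expected_domain and not domain.endswith("." + expected_domain):
        findings.append("sender-mismatch")
    # 2. Subject: threats, account problems, refund bait.
    if URGENT.search(msg.get("Subject", "")):
        findings.append("urgent-subject")
    # 3. Attachments: shipment notices normally carry links, not files.
    body = ""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings.append("attachment")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    # 4. Links: flag any URL that is plain http rather than https.
    if re.search(r"\bhttp://", body, re.I):
        findings.append("non-https-link")
    return findings
```

An empty result only means none of these four checks fired; the remaining items in the lists, such as logo quality or whether you were expecting the message, still need a human look.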

Being aware of phishing scams and taking the time to check your emails before opening them or clicking any of the message’s links will help keep your personal information from being stolen. In addition to the above steps to avoid being scammed, install antivirus software on your computer. There are many options available in a range of prices, including many free versions.

Also, keep your software, operating system, and browser up-to-date. New versions are distributed to help prevent the newest methods used by phishing emails and malicious viruses.

Phishing scams are very sophisticated and even with the best intentions you may fall victim to one. So even after following all these steps, if you do accidentally click on a phishing link and enter your personal information, you should 1) update all your login names and passwords, 2) scan your computer using your antivirus software, and 3) request a fraud alert be added to your credit report to help protect your personal information.
