Email Safety Series: Introduction
We talk about phishing quite a bit here at Cyber Safe Workforce because recognizing and avoiding intentionally misleading and harmful email is a skill many of us can improve upon. Even if you think you can recognize all the “red flags” of phishing scams such as a sense of urgency, threats of consequences, or requests to re-confirm accounts and so forth, you may still be susceptible to more subtle messages. And that’s why it’s time we did a blog series on email safety.
In this multi-part series, we will lay out the common goals of phishing messages. Then we’ll move on to how to evaluate your emails: who sent it, was it expected, does it involve money, and how to verify it. Finally, we’ll recap it all.
You’re likely familiar with spam: unwanted email, most frequently marketing for products or services you don’t need or want or didn’t sign up to receive.
Phishing emails are different – they are out to intentionally deceive you. Scammers will impersonate someone you know or trust, a company or brand, or an authority figure. They will have one (or more) of these three goals:
- Pry valuable information from you
- Infect your computer
- Steal your money
Pry Valuable Information From You
One goal of phishing is to gain information. It may be confidential data such as personally identifiable information that can be used for fraud, or proprietary information that puts a competitor at an advantage. Perhaps it’s your username and password, so that the scammer can access your accounts. If he gains access to the login information for your payroll app, he might update the direct deposit routing to his own bank account.
Here’s a scenario where a scammer uses a phishing message to trick you into revealing a particular app’s username and password: Let’s call the app CyberBank; we’ll pretend it’s a banking app. The scammer creates a website that looks very much like CyberBank and hosts it somewhere on the web. Next, he crafts an email that looks like it’s from CyberBank. Let’s say it appears to be a deposit alert. He will do his best to make it look authentic by using the CyberBank logo or copying formatting from a real email or the actual CyberBank website.
In this phishing email, the scammer includes a login link or button, but instead of directing you to the real CyberBank site, it goes to the scammer’s fake site. If you’re not looking too closely, you might open the email, think it’s from CyberBank, and click the link. You arrive at a login page that looks like CyberBank’s, so you enter your username and password. The page then re-routes you to the actual CyberBank site so you never know you weren’t on the real one, but not before the scammer records your login information. And, just like that, the scammer now has your CyberBank credentials and can log in to your account.
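The link trick above can be checked mechanically rather than by eye. The following is an added example, not code from the original post: it pulls every link out of an email’s HTML body and flags any whose destination is outside the brand’s real domain, or whose visible text names one host while the link actually goes to another. The sample message, the domain cyberbank.example (assumed here to be the real CyberBank domain) and the lookalike cyberbank-login.example are all constructed for the example.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample "deposit alert". cyberbank.example stands in for the real
# CyberBank domain; cyberbank-login.example is the scammer's lookalike site.
SAMPLE_EMAIL = """From: CyberBank Alerts <alerts@cyberbank.example>
To: you@example.com
Subject: Deposit alert: $1,250.00 received
Content-Type: text/html; charset=utf-8

<html><body>
<p>A deposit has been posted to your account.</p>
<p><a href="https://cyberbank-login.example/secure">Log in to CyberBank</a> to review it.</p>
<p>Or visit <a href="https://cyberbank-login.example/secure">cyberbank.example/login</a> directly.</p>
<p><a href="https://cyberbank.example/help">Help center</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently open, if any
        self._text = []      # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def html_body(raw_email):
    """Return the decoded text/html part of a raw RFC 822 message, or ''."""
    msg = message_from_string(raw_email)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, errors="replace")
    return ""


def host_of(url):
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, trusted_domains):
    """True when host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def find_suspicious_links(raw_email, trusted_domains):
    """Return (href, visible_text, reason) for each link that deserves a pause."""
    findings = []
    collector = LinkCollector()
    collector.feed(html_body(raw_email))
    for href, text in collector.links:
        host = host_of(href)
        if not is_trusted(host, trusted_domains):
            findings.append((href, text, f"destination {host!r} is not a trusted domain"))
        # Visible text that looks like a URL but resolves to a different host than
        # the real destination is the classic "looks right, goes elsewhere" trick.
        if "." in text and " " not in text:
            shown = host_of(text if "://" in text else "https://" + text)
            if shown and shown != host:
                findings.append((href, text, f"shows {shown!r} but goes to {host!r}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_EMAIL, ["cyberbank.example"]):
        print(f"[{reason}] text={text!r} href={href}")
```

Run stand-alone, the script reports the two "Log in" links as pointing at an untrusted host, and the second of them additionally as showing one address while leading to another; the genuine help-center link passes. The same check, pointed at your own trusted-domain list, is what a mail gateway or a browser extension does before you ever see the message, but it is also cheap to run yourself on a saved .eml file.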
Infect Your Computer
Another goal of phishing is to invade your computer. Why might someone want to do this? Well, scammers have figured out how to monetize taking over your computer. It’s called extortion. They might lock up your files and hold your operations hostage, steal private information and threaten to release it, or spy on you through your camera and microphone. Scammers know that gaining access to computers can be lucrative. Ransomware alone, which locks up files with promises to unlock them if you pay up, was rampant in 2019. According to Emsisoft, ransomware cost organizations over $7.5 billion in 2019.
Here’s how a scammer might trick you into infecting your own computer and devices. First, she disguises malware by putting it in a normal-looking file. It could be an Office document, a spreadsheet, a PDF, an image, or video. Next, she crafts a phishing email that appears to be from someone you know or a company you trust. The malware-laden file is attached to the email, along with a message urging or tempting you to click the attachment. Once you do, your computer has the potential to become infected. And, remember, no antivirus program is 100% effective.
Part You From Your Money
In this scenario, the scammer aims to get money from you as directly as possible. For example, he may pose as an authority figure, such as the Internal Revenue Service, and claim you owe money. Or he pretends to be your boss who directs you to pay an invoice or buy gift cards. Maybe the scammer pretends to be a vendor that works with your company and needs to update their bank routing information for electronic payments.
To do this, the scammer crafts a phishing email that impersonates one of these people and directs you to take an action that results in a payment of some kind. Instead of the payment going where you expect, the money goes to the scammer. This specialized form of phishing is known as Business Email Compromise (BEC). According to the FBI, BEC cost U.S. businesses over $1.77 billion in 2019.
To recap, some emails are spam—just unwanted communication. And some emails are harmful. That’s where phishing comes in. We know that phishing scams are meant to intentionally deceive their target. These scams are meant to steal information, infect your computer, or just simply rip you off.
Often, the messages will contain “red flags” that should make you pause and reconsider:
- An overdue invoice
- Request to verify payment information
- Request to verify account details (such as your username and password)
But what if a phishing message has no red flags? Could you still spot it? The goal of this series is to help you become a discerning user of online communications. Stay tuned!