Every so often, a family member or friend will ask me if an email they received is a phishing email. That’s part of my job as the unofficial family tech person. Email phishing and its cousins vishing (voice phishing) and smishing (text phishing), are still a serious problem for the average home computer user. While businesses are slowly implementing phishing detection tools—and, more importantly, user training—to help tackle the problem, home computer users are, for the most part, left to fend for themselves.
Our goal in this post is to provide a few tips and tricks for those oft-forgotten home computer users—your old-school neighbor, your unassuming grandma, or your friend who’s just not that tech savvy—in their effort to use their computer without losing their life savings by clicking on the wrong link.
To get straight to the tips for identifying phishing emails, scroll past the first few sections. Or, continue reading to learn more about the phishing problem, why it matters, and then finish up with the phishing tips.
Why It Matters
Phishing is the use of social engineering techniques—tactics that use psychological manipulation like impersonating someone you know—to get you to take an action that can lead to your downloading a virus or malware, having your account credentials stolen, becoming an extortion victim, or some other malicious action.
While detection and blocking technology has advanced over the years, Dark Reading, a cyber security news site, estimates that up to one percent of all emails that make it to the end user’s mailbox are phishing emails. For home users, who typically have to rely on their internet service provider (referred to as an ISP) or their browser (like Chrome or Safari) to keep them safe, the number is probably higher. Still, 1% doesn’t sound like much—until you consider that to get to that point, these phishing emails are the best of the best. Suddenly, it starts to make sense as to why up to 70% of phishing emails are opened by the recipient.
Who Owns the Phishing Problem?
My friends and family are not creators or purveyors of technology; they are primarily users. Asking them to identify phishing emails by deciphering the email raw source or header is not in their wheelhouse, nor should it be. We take planes, trains, and automobiles without knowing much about how they work. It should be possible to safely receive and interact with an email without having to understand sender authentication or bone up on RFC 5322.
Back in 2005, when most of us first heard of phishing, we had a pretty good idea which businesses and people would contact us and how they would reach us. Today, nearly every company or organization we interact with has a website, an email subscription, an app, social media, and maybe a phone number or two. The daily number of messages we receive via email, phone, text, and so on has easily increased 10-fold (100-fold?) over that time. Do you really have any idea how many accounts you’ve created in your lifetime, and if so, how each of them reaches and interacts with you?
Making matters worse is the proliferation of data collection services—legitimate, shady, and illegal—which will sell personal information to nearly anyone with a purchase order, credit card, or better yet, the latest cryptocurrency. Personal data such as your name, address, last four digits of a credit card, and much more are readily available. As a result, a phishing email can use your name and provide additional personal details along the way in an effort to make you believe it is valid ← that’s social engineering at work.
What Can You Do?
For home computer users, the phishing problem may not be of your making, but you cannot rely on technology if you want to safely function in today’s highly connected world. Phishing uses some really crafty tactics (i.e. social engineering) to get you to believe that when you receive a message from the bad guys, it is okay to do what they are asking you to do. That means you have to be at your best when the incoming message chime rings.
To that end, below we’ve provided you with a little social engineering education in the form of some easy to remember tips you can use to ferret out a phish. We’ll use email in our examples, but the techniques can apply to most inbound communications you’ll receive. In addition, you don’t have to have any special technical superpowers, just some common sense and the ability to lower your FOMO (fear of missing out) threshold.
Tip 1: No trust and not useful.
|Situation||You receive an email from a business, organization, or person. You are certain you do not know or trust the sender and you were not expecting to receive the email.|
|Example||You receive an email to lower your mortgage interest rate from a bank you do not use. Oh, and you rent.|
|Considerations||There are zero reasons to open this email. There is no upside here at all for you. Even if this is not phishing, it is most likely spam.|
|Disposition||Delete the email while crooning, “But there ain't no Coupe de Ville hiding at the bottom of a Cracker Jack box,” in the style of Meat Loaf (“Two Out of Three Ain’t Bad,” Bat Out of Hell, 1977).|
Tip 2: No trust, but you’re not sure.
Okay, tip one was pretty simple. They get a little harder now.
|Situation||You receive an email from a business, organization, or person. You might know the sender, but you really weren’t expecting an email.|
|Example||You receive an email and the sender name sounds familiar, but that’s it. Maybe you stopped by a store and provided your email to the clerk, maybe you bought a shirt from them two years ago, or maybe it’s just some advertisement you saw, but nothing is ringing a bell.|
Tip 3: Trust, but verify.
|Situation||You receive an email from a business, organization, or person. You know the sender, but you weren’t really expecting an email from them.|
|Example||You receive a promotional email from a business. You are a customer of this business and even have an online account with them. You were not expecting the email, but the email makes you an offer that is interesting to you.|
Spam or Phish?
The email described above could be just a spam email. Whether an email is spam or phishing can be confusing, but in general spam messages are just trying to sell you something and phishing emails have some harmful intent. That said, the same tips we are using for identifying a phishing email can be used to identify spam messages as well.
Tip 4: Trust, but still verify.
|Situation||You receive an email from a business, organization, or person. You know the sender and you were expecting the email.|
|Example||You receive an email on the 10th of the month from your credit card company saying your statement is ready. They always send you this email on the 10th of the month. The email says you can click on the link to sign in to your account and view the statement.|
|Disposition||Even if you think the email is legitimate, use a web browser to access your online account, or use their app to take the requested action.|
Downloading Email Attachments?
Only download an attachment that you were expecting to receive, preferably after you were notified via another email—or better yet another method such as a text message. For example, you or whomever you’re interacting with may say, “Hey Monique, I’m going to email those pictures in a minute.” Downloading unsolicited or unexpected attachments is not recommended.
Think of email, text messaging, and voicemail as read-only services, especially when it comes to your financial and health information. This is sometimes really hard with text messages that encourage you to “click this link to…” and voicemail messages saying “call us back at a specific number.” Such messages offer convenience and help move things forward—and sometimes, they are the only way to get things done. At that point, you have to trust the vendor and your instincts.
What to Do When You’re Forced to Click
There are two common situations where you are forced to click a link in an email or message in order to move forward: email newsletters and two factor (2FA) or multifactor (MFA) authentication.
Newsletters can deliver valuable information and often link to other content for additional details. The trouble is, those links are often obscured by tracking redirects used to count how many clicks the link gets—It’s a marketing thing. The average user has little hope of figuring out where the link is actually going, so they are faced with ignoring the information or clicking to the unknown. Let’s break down an example.
|Situation||You receive a newsletter from a company you do business with and have received newsletters from them before.|
|Example||Backblaze sends you a customer newsletter. There’s an article on a new feature and you want to learn more. To do so you have to click on a link, but when you rollover the link (don’t click) it reads something like:
Tell Us More…
The problem with not clicking on the links in newsletters and other similar communications is that marketing folks lose information about what is important to the recipients, but your peace of mind is more important. So, a healthy alternative is that you could send an email or post something on social media about what you like and what you don’t. Even visiting the pages and interacting with the articles the newsletter highlighted will help. Marketers get feedback, you give your opinion on good content, and you’re a little safer from phishing attacks.
2FA or MFA
More and more websites are requiring the use of two factor or multifactor authentication. Here are a couple of scenarios to help you deal with the messages you might receive.
|Situation||Your bank’s website uses text message-based two factor authentication to confirm access to your accounts.|
|Example||Using a browser, you log in to your bank's website. A couple of seconds later, you receive the text on your phone with a code that you need to enter on the website.|
|Disposition||By asking to log in to your bank, you expect to get the text which provides the authentication code. You’re good.|
|Situation||Your bank’s website uses two factor authentication to confirm access to your accounts. You believe it is text message-based authentication.|
|Example||Using a browser, you log in to your bank's website. A couple of seconds later, you receive an email asking to click a link to allow the log in to your account.|
|Disposition||If you’re not sure of the authentication method that was set up, you can abandon the sign-in, then open a new browser window and start again. If you get the same authentication method, you can be reasonably confident you're doing the right thing.|
Over the past couple of years, vendors involved with providing email, text, and voicemail services have gotten better at detecting and eliminating phishing, spam, and malware before it reaches you. That’s great. But the bad guys haven’t given up, and many would say they’ve gotten better.
These tips are a good starting point for improving your ability to stay safe using the internet, email, and your phone. There are many websites and resources where you can learn more and stay informed about phishing and other forms of malware. We listed a few below. You can click on the links, but (if you are a little paranoid at this point), you can search for “consumer phishing resources” or just “phishing resources” using your favorite search engine. Good luck, and stay safe.
Select Phishing Resources
- Knowbe4: The world’s first and largest new-school security awareness training and simulated phishing platform.
- Phishing.org: A project from KnowBe4 that is a resource for IT professionals to keep you up to date on the latest phishing threats. The Resources page has some free tools to help improve your phishing knowledge.
- Phishing info from the Federal Trade Commission.
- A phishing primer from the National Cybersecurity Alliance.