Don’t Be Someone’s Big Catch: Tips to Avoid Phishing Scams
Laura Stone
Scam emails have been around nearly as long as email itself, and unfortunately they’re not likely to go away any time soon – or maybe ever.
WHAT EXACTLY IS PHISHING?
There are a lot of scams, and phishing is just one type. Phishing is a technique to obtain information like login credentials, credit card numbers or other sensitive data by impersonating a trustworthy business or person. One very common example is a would-be scammer impersonating your financial institution contacting you about an urgent matter requiring immediate attention. In this email would be links to a legitimate-looking login website. When you enter your information though, instead of logging into your account, it just saves your information for scammers to use or sell. This scam has always worked well for two reasons: Scammers have gotten good at making the emails and login sites look legitimate, and people tend to react rashly to financial issues.
An increasingly popular example, however, is a short email allegedly from a friend or colleague asking for a favor. Often there are no direct requests except to get back to them (though sometimes they include a vague financial transaction request, like buying e-gift cards). Once you engage, they share the details of their financial- or data-related request. This differs from the classic malicious attachment emails, in which a would-be scammer sends malware attached disguised as an innocuous document, because there’s no attachment and no usual indication of malice – just a colleague asking you a quick favor.
HOW TO AVOID GETTING HOOKED
- Does it seem weird? Do your co-workers send you vague emails about suspicious favors, or would they just call or walk to your office to talk to you? If you aren’t working with a fellow lawyer on a case, they probably aren’t actually sending you an attachment or requesting information about a case. What about the general tone? I’m pretty informal in inter-office emails, so if I suddenly started a request with “Dear Sir,” Phil would know either I’m about to say something sarcastic or it’s an obvious fake.
- Don’t trust the display name. If you think it could be real, the first thing to look at is who’s actually sending it. The display name will be legitimate-looking, but if you look at the email address you’ll see it’s not quite right. If your firm’s emails are [name]@[firm name].com but the email is from someone at @[not where they say they are].com, you know it’s not really who they claim to be. If the email is coming from a person you actually know or have worked with, just start a new email and ask if they sent it.
- Don’t trust the display links. If it includes links, hover your mouse over the link until the information box pops up to show you where it’s actually going (or hold your finger on the link on your phone or tablet long enough for the info to show). Do not actually follow the link until you know exactly where it’s going. Better yet, don’t click anything and just go to the site it’s claiming in your web browser.
- Don’t trust attachments. I cannot stress this enough: Do not open or save attachments you aren’t expecting. If you aren’t expecting something, do not touch it. If you think it might be legitimate, contact the person who allegedly sent it to verify – but by no means should you forward it to them to ask. If it is malicious and you forward it, you’ve now risked their cybersecurity as well.
- Check the spelling. Is the alleged sender’s name spelled correctly? Is your name spelled correctly? What about the body of the email – is there anything weird in the grammar or spelling? Companies rarely have grammatical or spelling errors, and a friend or co-worker probably knows your name well enough to spell it correctly – and their own.
- Basically, don’t ever trust and always verify. Inspect the links, verify the email, contact the alleged sender via a fresh email or call them to be sure it was them. Scrutinize every detail and be skeptical – I’m talking Lucille Bluth-level skepticism. Trust your gut and if anything seems off or odd, don’t risk it. Also, if verifying an email via a new email to the purported sender, never forward the email. Do not send it to them and ask, “Did you send this?” If you feel you need to send them something, you can send the screenshot.
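The two checks above, the real address behind a friendly display name and the real destination behind a link's visible text, can be automated for a saved message. The Python script below is an added example, not code from the original article; the message it inspects is constructed for illustration, and every domain name in it is a placeholder.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real phishing email): the display name and the visible
# link text claim one domain while the real address and href point elsewhere.
SAMPLE_EML = b"""From: "First Bank Support" <alerts@first-bank-secure-login.example>
To: jane@examplefirm.com
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body><p>Please sign in at
<a href="http://first-bank-secure-login.example/login">https://www.firstbank.com/login</a>
to keep your account active.</p></body></html>
"""
# Simple anchor matcher; a production tool would use a real HTML parser instead.
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(value):
    """Hostname of a URL or of bare text that looks like one; '' if not URL-like."""
    if " " in value or "." not in value:
        return ""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def sender_domain(msg):
    """Domain of the real From: address, ignoring the friendly display name."""
    _, addr = parseaddr(msg["From"])
    return addr.rpartition("@")[2].lower()

def mismatched_links(html):
    """(visible text, real href) pairs whose displayed host differs from the real one."""
    bad = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop any markup inside the anchor
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            bad.append((text, href))
    return bad

def check_message(raw):
    """Return (real sender domain, deceptive links) for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    return sender_domain(msg), mismatched_links(part.get_content() if part is not None else "")

if __name__ == "__main__":
    domain, links = check_message(SAMPLE_EML)
    print(f"real sender domain: {domain}; deceptive links: {links}")
```

The host comparison is a heuristic: it flags any link whose visible text names a different host than its href, which is exactly the hover check described above, applied to every link at once.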
WHAT TO DO IF YOU TAKE THE BAIT
First, it may be frustrating knowing you made a mistake, but there is no reason to be embarrassed. Scammers are getting more convincing every day and we’ve all received something at one point or another. Second, if you think you’ve opened, replied to or otherwise engaged with a malicious email, contact your IT professional ASAP and be specific in explaining the situation. Also remember that your OAMIC lawyers professional liability insurance includes cyber breach coverage, which covers professional forensic analysis, credit monitoring and more. Basic limits are provided at no charge, or you can contact us to increase your limits. You can learn more about your coverage, including policy language, on our Cyber Liability page. As always, we’re here to help if you need us.