You know not to click on links in sketchy emails. Everybody does by now. And yet, people fall for phishing attacks all the time. And that’s the whole point. If phishing didn’t work, attackers would have abandoned it a long time ago. Instead it’s everywhere. Coronavirus-related phishing scams cropped up quickly worldwide in January 2020, shortly after pandemic lockdowns began in China. And the technique is a perennial favorite of criminal scammers and nation-state hackers alike.
Phishing scams work by tricking you into clicking on a link or attachment that either infects your machine with malware or takes you to a page that looks totally legit, but isn’t. Instead, it tries to steal your private information. According to the Anti-Phishing Working Group, about 200,000 new phishing sites crop up each month, and campaigns impersonate more than 500 different brands and entities per month. The FBI’s Internet Crime Complaint Center found that US-based phishing victims lost almost $58 million in 2019 alone.
In a recent study of more than a billion phishing and malware-related emails, researchers from Google and Stanford University found that certain factors place people at higher risk of receiving phishing emails. One is just your location. Looking at aggregate data from Gmail, the researchers found that users in the United States are the biggest target of email attacks by volume, weathering 42 percent of these assaults. But users in the far less populous Australia, for example, are twice as likely to receive a phishing attack as those in the US. The study also found that users in the 55 to 64 age range were 1.64 times as likely to experience an attack compared to those 18 to 24. The study also found that if your personal information has been exposed in a data breach you are a whopping five times more likely to experience attempted phishing and malware attacks.
But you are smart. You can increase your chances of avoiding phishing scams if you follow these four steps and, above all, remember that when it comes to your email you can’t really trust anything.
Always, Always Think Twice Before Clicking
“At the heart of phishing is a scam,” says Aaron Higbee, chief technology officer at the phishing research and defense company Cofense. “The people who are sending a phishing email have to be clever email marketers to get a user to engage.” Often they do this by preying on your emotions.
That’s why the most important thing experts recommend is to listen to your gut. When something feels off, it probably is. But since the whole point of phishing (and its more tailored and targeted counterpart, spear-phishing) is to get you to do something without raising alarm bells, you need to practice skepticism even when things seem fine. You should be generally reluctant to download attachments and click links, no matter how innocuous they seem or who appears to have sent them.
“We’re conditioned to try to help people and be nice. You don’t want to seem rude or defensive,” says Trevor Hawthorn, the chief technology officer at Wombat Security, which works on phishing and security awareness. “But one of the most important things people can do is when something is being asked of them, when there’s some sort of call to action, think about the context of what the sender is asking you to do. If there’s a sense of urgency that’s when I would be a smart skeptic and slow down.”
This takes practice. Wombat has found that when people participate in consistent anti-phishing training—say, once a month—they’re better at avoiding phishing links than when they haven’t had a lesson in a few months. Your job may not offer a phishing prevention program, but you can still work to stay vigilant and skeptical. It’s easier said than done, but keeping that attitude in mind can only help.
Consider the Source
Phishers will always try to make their messages look and sound like they come from a legitimate entity, whether they’re emulating the look of a familiar Amazon account recovery email or pretending to be a new national Covid-19 testing service.
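Two of the tricks described above, a display name that invokes a brand while the actual address sits on a lookalike domain, and a link whose visible text is one URL while its target is another, can be checked mechanically. The script below is an added example written for this page, not code from the article or from Cofense or Wombat. It parses a constructed sample message, compares the From display name and Subject against a small assumed allow-list of domains the brand really sends from, normalizes common digit-for-letter substitutions to spot lookalikes, and walks the HTML body flagging anchors whose shown host differs from the href host. The allow-list, the homoglyph table and both sample messages are illustrative assumptions.

```python
"""Heuristic checks for brand-impersonating senders and mismatched links.

Added example for this article; all inputs below are constructed, not real mail.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an "Amazon" account-recovery phish (not a real message).
SAMPLE_EML = """\
From: "Amazon Customer Service" <security-alert@amaz0n-account-recovery.com>
To: victim@example.org
Subject: Action required: unusual sign-in on your Amazon account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed a sign-in from a new device. Please verify now:</p>
<p><a href="http://amaz0n-account-recovery.com/verify?id=123">https://www.amazon.com/account</a></p>
<p><a href="https://www.amazon.com/help">Help centre</a></p>
</body></html>
"""

# Constructed sample of a message that should produce no findings.
LEGIT_EML = """\
From: "Amazon" <no-reply@amazon.com>
To: victim@example.org
Subject: Your Amazon order has shipped
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.amazon.com/orders">https://www.amazon.com/orders</a></p></body></html>
"""

# Assumed allow-list of domains each brand actually sends from (illustrative only).
KNOWN_BRANDS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "paypal": {"paypal.com"},
}

# Digit-for-letter substitutions commonly seen in lookalike domains (assumption).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_host(host: str) -> str:
    """Lowercase a hostname and undo digit-for-letter substitutions."""
    return host.lower().rstrip(".").translate(HOMOGLYPHS)


def is_legit(host: str, legit: set) -> bool:
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in legit)


def check_sender(msg) -> list:
    """Flag a From header whose display name or Subject invokes a brand while the
    address domain is not one the brand uses; classify it as lookalike or unrelated."""
    findings = []
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    host = addr.rpartition("@")[2].lower()
    text = f"{name} {msg.get('Subject', '')}".lower()
    for brand, legit in KNOWN_BRANDS.items():
        if brand not in text or is_legit(host, legit):
            continue
        kind = "lookalike" if brand in normalize_host(host) else "unrelated"
        findings.append(f"sender claims {brand} but address domain {host} is {kind}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list:
    """Flag anchors whose visible text is a URL on one host but whose href goes elsewhere."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = urlparse(text).hostname if text.lower().startswith(("http://", "https://")) else None
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            findings.append(f"link shows {shown} but goes to {real}")
    return findings


def analyze(raw: str) -> list:
    """Run both checks over one RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = check_sender(msg)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += check_links(body.get_content())
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_EML):
        print(line)
```

On the constructed phish this reports a lookalike sender domain and a link that displays www.amazon.com but resolves to the attacker's host; the legitimate sample yields nothing. The checks are deliberately simple heuristics: a real deployment would use a public-suffix list instead of suffix matching, a Unicode confusables table instead of five digit substitutions, and would still miss a sender on a genuinely compromised legitimate mailbox, which is exactly why the article's advice to slow down on any call to action still applies.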