From troubling typos to urgent demands, here are our top five tips for spotting phishing scams, even the sophisticated ones.
The premise behind phishing is simple — a fraudster masquerades as a reputable company, organization or person in email or another form of communication — but spotting one in time can be challenging. Cybercriminals today are using increasingly sophisticated tactics to trick you into clicking links and giving away your personal information.
But all is not lost! You can train your eye to spot a phishing attack and protect yourself from scammers. Here are our top five tips for detecting sophisticated phishing ploys.
Take me to the quick-and-dirty tips.
There’s a sense of urgency and panic.
Creating a false sense of urgency is a common trick used in phishing attacks and by scammers of all types. Their goal is to prevent you from thinking things over or reaching out to someone you trust to discuss the situation. If you receive an email — or a text message, direct message, phone call or even a visitor to your home — pressuring you to take immediate action to avoid a penalty or win a prize, always take a moment to reflect and look for signs of fraud. Don’t hesitate to reach out to a trusted advisor, like a friend or loved one, to talk things over.
The spelling and grammar are terrible.
Typographical errors, odd phrasing and poor grammar can signal a phishing attempt. Most reputable companies and organizations would not send out an important message without a professional copyedit. In other words, if you see an email demanding your “pass word” or a text alerting you to an “emergancy,” you’re likely dealing with a scammer.
There’s something off about the domain name or greeting.
When you’re considering the sender of an email, don’t just look at the name they’ve provided; also consider their email address. Legitimate companies will write to you from their professional domain address. If a message appears to be from your bank, but they’re writing from a public domain email address such as Gmail or Hotmail, they’re likely cybercriminals. Scammers may similarly try to use misspellings of a legitimate domain name, even subtle ones switching out a letter for a number or swapping two letters (i.e., “Micros0ft” or “Mircosoft”). In looking over a suspicious message, watch out for generic and unusual greetings as well. Legitimate companies you’ve worked with or that you have an account with will almost always address you by your name, rather than as “dear sir or madam,” “user” or “valued customer.”
There’s an odd request or demand for personal information.
Any email originating from an unexpected or unfamiliar sender requesting login credentials, payment information or other sensitive data should be treated as potential fraud. However, phishing attempts can also appear alarmingly personalized. In this type of targeted attack, often called “spear phishing,” the scammer has scraped personal information available online to impersonate someone you know, a colleague from work or a service you’re using to try to convince you to do something you otherwise wouldn’t. If you receive a message that appears to be from a person or business you trust, but it’s asking you for login credentials, personal information or urgent payment, play it safe. Contact that individual or company directly to confirm the request.
The message contains a suspicious link or attachment.
Avoid clicking on suspicious links in emails, social media messages and text messages or opening attachments you weren’t expecting. Sophisticated cybercriminals may even try and send you to a fake login page to steal your account information or mask an ill-intentioned link using a button declaring something like “restore your account,” “pay now,” “update your password” or “resolve issue.” Any email that contains an attachment you weren’t expecting should also be treated with caution because opening it could plant problematic malware on your computer. When in doubt, avoid interacting in any way with a questionable link or attachment, and reach out to the individual or organization directly if you have questions.
Always report fraud
If you have been targeted in a scam or cybercrime, report it to the Canadian Anti-Fraud Centre (CAFC) online or by telephone at 1-888-495-8501 toll-free. Importantly, if you have fallen victim to fraud, always report it to your local police who can investigate.
The RCMP and CAFC are currently collaborating on a new system to report cybercrime and fraud. The new National Cybercrime and Fraud Reporting System (NCFRS) is expected to go live in 2023-2024 and is currently being tested. To that end, some visitors are being redirected to the new system each day in anticipation of the launch.
A quick recap
You like to keep things simple. We get it. Here’s a quick-and-dirty list that you can keep handy to train your eye and avoid phishing attempts.
- There’s a sense of urgency and panic. If you’re contacted – whether it’s by phone, email, text, social media or in person – and pressured to take action right away. Stop, review and reflect.
- The spelling and grammar are terrible. Legitimate companies have professional staff to review their messages to you, so be wary of anything you’re sent with typos, grammatical mistakes or weird turns of phrase.
- There’s something off about the domain name or greeting. If the domain name in the email doesn’t match the company name or the greeting sounds unusual or impersonal, you’re right to be suspicious.
- There’s an odd request or demand for personal information. Are you being asked to provide login credentials, sensitive data, personal information or payment? Play it safe. Contact that individual or company directly to confirm the request.
- The message contains a suspicious link or attachment. Watch out for links or attachments you weren’t expecting. Fraudsters may even try to fool you with a login page or filename that looks legitimate. Be wary, especially if the demand sounds urgent or threatening.