According to the Government of Canada’s Get Cyber Safe resource, 156 million phishing emails are sent globally each day and 80,000 people fall for these scams by entering their personal information (https://www.getcybersafe.gc.ca/cnt/rsrcs/nfgrphcs/nfgrphcs-2012-10-11-en.aspx). How do you stay safe?
Start by hovering over the link in the email. When you hover your mouse over a link (but don’t click on it), the true destination URL appears, usually in a tooltip or in the browser’s status bar. It should match the address shown in the email text. In a phishing email, the two generally won’t match. Beware of shortened URLs such as ow.ly or bit.ly addresses, as scammers often use these to disguise the true destination. Reputable companies do not use these URL shorteners. Checking the URL is often the quickest way to identify a phishing email.
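The hover check above can also be automated for a whole message. The following is an added example, not code from the original article: it parses the HTML body of an email, compares each link’s visible text with the real `href` target (the same comparison you make by hovering), and flags links that route through a URL shortener. The shortener list and the sample email are constructed for illustration; a real mail filter would maintain its own list and a proper public-suffix lookup instead of the crude last-two-labels domain comparison used here.

```python
"""Flag suspicious links in an HTML email body (added illustration).

Mirrors the manual "hover over the link" check: the text a reader sees is
compared with where the link really goes, and known URL shorteners are
flagged. Shortener list and sample email below are constructed examples.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, illustrative list; a deployment would maintain its own.
URL_SHORTENERS = {"bit.ly", "ow.ly", "t.co", "tinyurl.com", "goo.gl"}

# Constructed sample email body with one shortener, one mismatch,
# one honest link and one mailto: link.
SAMPLE_EMAIL = """
<p>Your package is waiting. <a href="https://bit.ly/EXAMPLE">Track your package</a></p>
<p>Or sign in at <a href="http://accounts.example-login.net/auth">https://www.example.com/login</a></p>
<p>Questions? <a href="https://www.example.com/help">www.example.com/help</a></p>
<p><a href="mailto:support@example.com">support@example.com</a></p>
"""


def _hostname(text):
    """Lowercase hostname of an http(s) URL or bare domain, else None."""
    text = text.strip()
    if not text or any(ch.isspace() for ch in text):
        return None                      # prose such as "Click here" is not a URL
    parsed = urlparse(text)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return None                      # mailto:, tel:, javascript: are not web links
    if not parsed.scheme:
        parsed = urlparse("http://" + text)   # treat bare domains as hosts
    return parsed.hostname


def _looks_like_domain(host):
    """Require at least two non-empty labels, e.g. example.com."""
    labels = host.split(".")
    return len(labels) >= 2 and all(labels)


def _base_domain(host):
    """Crude registrable-domain extraction (last two labels); enough for a demo."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return a list of (href, reason) findings for links worth a second look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target_host = _hostname(href)
        if target_host is None:
            continue
        if _base_domain(target_host) in URL_SHORTENERS:
            findings.append((href, "link goes through a URL shortener"))
        shown_host = _hostname(text)
        # Only compare when the visible text itself looks like a URL or domain.
        if (shown_host and _looks_like_domain(shown_host)
                and _base_domain(shown_host) != _base_domain(target_host)):
            findings.append(
                (href, f"visible text shows {shown_host} but link goes to {target_host}"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

Run against the constructed sample, the shortener and the mismatched sign-in link are reported while the honest help link and the mailto: address pass. The comparison deliberately stays silent for anchor text like "Track your package", since there is nothing to compare it against; that case is exactly where the hover check, or this script’s shortener flag, does the work.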
Another important tactic in flushing out phishing emails is to ask, “Does this email make sense?” If it is about a package delivery, ask yourself whether you are expecting a package. Is the company one you regularly do business with? If so, have they used your name? A company that has a relationship with you knows your name and will not address you as sir/ma’am or by your email address.
It is critical to understand that reputable companies will never email you and ask you to click a link to enter your personal information. Banks, especially, have been extremely clear when they communicate that no one will call or email you unsolicited and ask for this information. Most reputable companies recognize the danger of these scams and will instead simply ask you to log into your account and update your information. If you are not sure, then launch your browser and type in the URL or use a previous bookmark to navigate to their website (I do not click the URL in the email) and log in. Recently, I received an email explaining that my account had been compromised and asking me to please change my password (a common phishing technique). I looked at the link and it matched, and so I followed it just to see (I often dig deeper with these emails so I have current material when I present to clients). The link led me to their webpage, but instead of asking me to log in, it took me to a password recovery page where I just needed to enter my email address and it would email me a link to update my password. Alternatively, I could have gone directly to the website and either tried to log in, or clicked on the forgot my password link if I didn’t want to follow the original link.
Amid the COVID-19 crisis, a client contacted us with a particularly nasty phishing email. It was a targeted phishing attempt (often referred to as spear phishing) in which the sender referred to her by name, informed her that a colleague at her company (which they specifically named) had spread COVID-19, and asked her to enter her information in the attached file so she could get tested. In this case, there was no link in the email; the scammer wanted her to open the attached Excel spreadsheet. Luckily, the security controls in place disabled the embedded macro. Even without a link, asking the question “Does this email make sense?” gives the answer: no. Email isn’t a reasonable way to contact someone about possible COVID exposure, nor is entering information in a spreadsheet a way to get tested.
Unfortunately, in our busy lives, we often do not pay enough attention to emails, and we click links and open attachments without enough scrutiny. It is essential to stay vigilant and pay attention. The scammers are relying on human error to get the information they seek.