What is Phishing?
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. From: https://en.wikipedia.org/wiki/Phishing
Tips for email Phishing
Tip 1: Don’t trust the display name
A common phishing tactic among cybercriminals is to spoof the display name of an email. Half of all email threats spoof the brand in the display name.
Tip 2: Look but don’t click
Hover your mouse over any links embedded in the body of the email. If the link address looks weird, don’t click on it. If you want to test the link, open a new window and type in website address directly rather than clicking on the link from unsolicited emails.
Tip 3: Check for spelling mistakes
Brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.
Tip 4: Analyze the salutation
Is the email addressed to a vague “Valued Customer?” If so, watch out—legitimate businesses will often use a personal salutation with your first and last name.
Tip 5: Don’t give up personal information
Legitimate banks and most other companies will never ask for personal credentials via email. Don’t give them up.
Tip 6: Beware of urgent or threatening language in the subject line
Invoking a sense of urgency or fear is a common phishing tactic. Beware of subject lines that claim your “account has been suspended” or your account had an “unauthorized login attempt.”
Tip 7: Review the signature
Lack of details about the signer or how you can contact a company strongly suggests a phish. Legitimate businesses always provide contact details.
Tip 8: Don’t click on attachments
Including malicious attachments that contain viruses and malware is a common phishing tactic. Malware can damage files on your computer, steal your passwords or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting.
Tip 9: Don’t trust the header from email address
Fraudsters not only spoof brands in the display name, but also spoof brands in the header from email address. Return Path found that nearly 30% of more than 760,000 email threats spoofed brands somewhere in the header from email address with more than two thirds spoofing the brand in the email domain alone.
Tip 10: The message was unexpected
If you you weren't expecting a message from this company or person at this time then be suspicious.
Tip 11: The message was sent to a generic mail address
If the message was sent to info@<domain>, accounts@<domain>, marketing@<domain>, or ceo@<domain> or similar, it may be a random attempt to guess an email address.
Tip 12: Don’t believe everything you see
Phishers are extremely good at what they do. Just because an email has convincing brand logos, language, and a seemingly valid email address, does not mean that it’s legitimate. Be skeptical when it comes to your email messages—
Tip 13: Call to action
Nearly all Phishers want you to do something. Log in to a fake site, transfer money to a fake account, or reveal secure information. If there's a call to action then always assess the risk involved if this were a phishing request.
Tip 14: Phishing is becoming advanced
Phishing is becoming increasingly advanced. Phishers are developing new techniques all the time. Be wary of even convincing messages with full branding and with some background knowledge of you and your organisation.
Tip 15: Whaling
This is a Phishing attempt targeted specifically. The Whaler may do quite some research about his target before attacking and the message or contact may be quite advanced, including supplemental phone calls, legitimate links and such-forth. If you hold an important position, or are responsible for financial transactions, you are more likely to be a target of Whaling.
What do do
If it looks even remotely suspicious, don’t open it or respond to it. Just Ignore.
Verify. Respond by creating a new message (don't click on links in the suspicious message) and sending it directly to the originator or calling them by phone (using the directory, nit the phone number in the message) to verify authenticity.
Educate. Learn about Phishing, and make sure others in your organisation are also aware of the dangers.