You know not to click on links in sketchy emails. Everybody does by now. And yet, people fall for phishing attacks all the time. And that’s the whole point. If phishing didn’t work, attackers would have abandoned it a long time ago. Instead it’s everywhere. Coronavirus-related phishing scams cropped up quickly worldwide in January 2020 shortly after pandemic lockdowns began in China. And the technique is a perennial favorite of criminal scammers and nation state hackers alike.
Phishing scams work by tricking you into clicking on a link or attachment that either infects your machine with malware or takes you to a page that looks totally legit, but isn’t. Instead, it tries to steal your private information. According to the Anti-Phishing Working Group, about 200,000 new phishing sites crop up each month and campaigns impersonate more than 500 different brands and entities per month. The FBI’s Internet Crime Complaint Center found that US-based phishing victims lost almost $58 million in 2019 alone.
In a recent study of more than a billion phishing and malware-related emails, researchers from Google and Stanford University found that certain factors place people at higher risk of receiving phishing emails. One is just your location. Looking at aggregate data from Gmail, the researchers found that users in the United States are the biggest target of email attacks by volume, weathering 42 percent of these assaults. But users in the far less populous Australia, for example, are twice as likely to receive a phishing attack as those in the US. The study also found that users in the 55 to 64 age range were 1.64 times as likely to experience an attack compared to those 18 to 24. The study also found that if your personal information has been exposed in a data breach you are a whopping five times more likely to experience attempted phishing and malware attacks.
But you are smart. You can increase your chances of avoiding phishing scams if you follow these four steps and, above all, remember that when it comes to your email you can’t really trust anything.
Always, Always Think Twice Before Clicking
“At the heart of phishing is a scam,” says Aaron Higbee, chief technology officer at the phishing research and defense company Cofense. “The people who are sending a phishing email have to be clever email marketers to get a user to engage.” Often they do this by preying on your emotions.
That’s why the most important thing experts recommend is to listen to your gut. When something feels off, it probably is. But since the whole point of phishing (and its more tailored and targeted counterpart, spear-phishing) is to get you to do something without raising alarm bells, you need to practice skepticism even when things seem fine. You should be generally reluctant to download attachments and click links, no matter how innocuous they seem or who appears to have sent them.
“We’re conditioned to try to help people and be nice. You don’t want to seem rude or defensive,” says Trevor Hawthorn, the chief technology officer at Wombat Security, which works on phishing and security awareness. “But one of the most important things people can do is when something is being asked of them, when there’s some sort of call to action, think about the context of what the sender is asking you to do. If there’s a sense of urgency that’s when I would be a smart skeptic and slow down.”
This takes practice. Wombat has found that when people participate in consistent anti-phishing training—say, once a month—they’re better at avoiding phishing links than when they haven’t had a lesson in a few months. Your job may not offer a phishing prevention program, but you can still work to stay vigilant and skeptical. It’s easier said than done, but keeping that attitude in mind can only help.
Consider the Source
Phishers will always try to make their messages look and sound like they come from a legitimate entity, whether they’re emulating the look of a familiar Amazon account recovery email or pretending to be a new national Covid-19 testing service.
“Phishing emails and text messages may look like they’re from a company you know or trust,” the Federal Trade Commission warns in its phishing guidance. “They may look like they’re from a bank, a credit card company, a social networking site, an online payment website or app, or an online store. Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment.”
Knowing where a message came from is particularly important, and difficult, when attackers send spear-phishing emails that really look like they’re from your friend or your bank. And things get even more complicated in cases when a legitimate-looking email address is being spoofed or the messages actually are from the entity they claim, because attackers have taken over a real email account or phone number and are phishing from it.
“I’ve been told for years, don’t click emails from someone I don’t know,” Cofense’s Higbee says. “But attackers might actually start originating their phishing emails from people you know. Why wouldn’t I click an email from somebody I know? Attackers use that technique to propagate things like malware and ransomware.”
So what can you do? First, scrutinize the address an email says it came from and the text of any URLs it contains to weed out email@example.com from firstname.lastname@example.org. If the source is legit, but the text is out of character, ask yourself, “Would my Mom really send me this email?” Again, if something feels weird about a message that someone you know sends—especially if it has a request in it—there’s a real possibility that they’re being impersonated or have been hacked. Reach out to them on a different platform—or pick up the phone and call—and ask if they sent you a message.
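The two checks this section recommends, comparing the address an email actually comes from with who it claims to be, and comparing what a link says with where it really points, can be done mechanically. The script below is an added example and is not code from WIRED or from the companies quoted in the article. The sample message, the brand name and every domain in it (example-bank.test, examp1e-bank-login.invalid) are constructed for illustration, and the registrable() helper is a deliberately crude stand-in for a real public-suffix lookup.

```python
"""Added example (not from the article): flag the two classic phishing tells
described above -- a sender address whose domain does not belong to the brand
in the display name, and a link whose visible text disagrees with its href.
All domains and the message itself are constructed for this example."""

import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (hypothetical domains). The display name claims
# one brand, the address uses a lookalike domain, and the first link's visible
# text shows the real brand URL while its href goes somewhere else.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.invalid>
To: you@example.test
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<p>Your account is locked. <a href="http://examp1e-bank-login.invalid/verify">
https://www.example-bank.test/verify</a> to restore access.</p>
<p>Or visit <a href="https://www.example-bank.test/help">our help center</a>.</p>
"""

# Domains the recipient knows are genuine for the brand named in the message
# (constructed for the example; in practice this comes from the real company).
KNOWN_GOOD_DOMAINS = {"example-bank.test"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'brand domain' extraction: the last two labels of a hostname.
    Hypothetical helper; a real check should consult the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(raw_message, known_good):
    """Return a list of warnings for the message (empty list means no tells found)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []

    # 1. Sender: is the domain behind the address one the brand actually uses?
    from_addr = msg["From"].addresses[0]
    sender_domain = registrable(from_addr.domain)
    if sender_domain not in known_good:
        warnings.append(f"sender domain {sender_domain!r} is not a known domain "
                        f"for display name {from_addr.display_name!r}")

    # 2. Links: does each href go to a known domain, and does visible URL text
    #    agree with the href? Text that looks like a URL but resolves elsewhere
    #    is the mismatch the article tells you to look for.
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_domain = registrable(urlparse(href).hostname or "")
        if href_domain not in known_good:
            warnings.append(f"link points to unknown domain {href_domain!r}")
        if "://" in text or text.startswith("www."):
            text_url = text if "://" in text else "http://" + text
            text_domain = registrable(urlparse(text_url).hostname or "")
            if text_domain != href_domain:
                warnings.append(f"link text shows {text_domain!r} "
                                f"but href goes to {href_domain!r}")
    return warnings


if __name__ == "__main__":
    for warning in analyze(SAMPLE_EMAIL, KNOWN_GOOD_DOMAINS):
        print("WARNING:", warning)
```

Run against the constructed message it reports three warnings: the sender's lookalike domain, the first link's unknown destination, and the mismatch between that link's visible text and its href; the second link, which really goes to the known domain, is silent. The check is only as good as the known-good list, which is exactly the article's point: you have to know where a message should come from before you can tell that it didn't.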
Lock Your Accounts Down
You’ve probably heard about basic personal cybersecurity protections like using a password manager to keep track of strong, unique passwords for all of your accounts. As annoying as it might be to hear it, these protections really do help, especially against phishing. When it comes to password managers, if all of your passwords are unique and a phisher steals one of them, they can only get access to that one account and it’s easier to mitigate the fallout.
On many of your accounts you can do one better, though, by enabling two-factor authentication. If you need an extra code or physical key in addition to your username and password in order to successfully log in, it will be harder for phishers to simply grab your account credentials and go in the front door. This doesn’t nullify the risk of malware-based phishing attacks, and there are also phishing attacks that are specially crafted to get you to feed both your password and two-factor security code to attackers. Overall, though, two-factor significantly reduces your risk of having accounts compromised by run-of-the-mill phishing attacks.
For accounts you really want to protect from remote attacks, physical authentication tokens are a strong choice. Some companies have also started offering specialized programs, like Google’s Advanced Protection and Facebook’s “Facebook Protect” that you can enroll in if you think you’re particularly at risk of account targeting. The services walk you through two-factor setup and provide additional monitoring for your account.
“If there was a silver bullet, if there was that piece of technology, a plugin, some email filter that could actually stop phishing attacks we would be out of business,” Higbee says. “But the core of this problem is human intuition and insight.” The key to protecting yourself is to be on guard. Phishing scammers are wily, but so are you. Stay vigilant.
This story was updated on February 14, 2021.