Phishing: Don’t Get Caught on the Hook
One of the most common methods that cybercriminals use to gain sensitive information is known as ‘phishing’. Phishing occurs when you receive a message requesting personal information (social security number, email address, birthday, etc.) that appears to come from a reputable source (your bank, business, etc.). Phishing attacks come in different types (spear phishing, whaling, clone phishing, etc.), but the general premise remains the same.
While most phishers are primarily looking to steal your personal information, phishing is also a method used by hackers to install malware onto your computer.
Phishing attacks have become very sophisticated, but they are still vulnerable to a watchful eye and a little common sense. Since your personal data and security are at stake, it is extremely important to know how to identify phishing, and to know what steps to take if you think you are the target of a phishing attack.
How to Identify a Phishing Attack
Inconsistent Email Address
Here’s a typical example of what a phishing email might look like. Take a close look at the sender’s information and email address. In the above example, note that the sender is S-tandard Bank. Also, the email domain “alert-std.co.za” does not match the format at the bottom of the message, “standardbank.co.za.”
False Sense of Urgency
Note that the email from “Amazon” states “***DON’T WAIT! The Link Above Expires on 12/28!” Scammers try to create a false sense of urgency to get you to react quickly and emotionally. Always take a couple of extra seconds to really examine what you are reading before clicking any links.
Note again how the email address does not end in “amazon.com.”
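The sender check described in the two examples above can be automated. The following Python sketch is an added example, not part of the original article: it compares the brand claimed in the display name with the domain the message was actually sent from. The brand-to-domain table, the function names, and the sample From: values are constructed for illustration; only the domains alert-std.co.za, standardbank.co.za, and amazon.com come from the text.

```python
import re
from email.utils import parseaddr

# Assumed allow-list: brand as it appears in a display name -> domains it really sends from.
KNOWN_BRANDS = {
    "standardbank": {"standardbank.co.za"},
    "amazon": {"amazon.com"},
}

def normalize(text):
    """Lower-case and keep only letters/digits, so 'S-tandard Bank' becomes 'standardbank'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def domain_matches(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one.

    Matching on a label boundary means 'notamazon.com' and
    'amazon.com.account-verify.example' do not pass as amazon.com.
    """
    domain = domain.lower().rstrip(".")
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def check_sender(from_header):
    """Return (verdict, reason) for the value of a From: header."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parseable sender address"
    domain = addr.rsplit("@", 1)[1]
    claimed = normalize(display)
    for brand, allowed in KNOWN_BRANDS.items():
        if brand in claimed:
            if domain_matches(domain, allowed):
                return "ok", f"{domain} belongs to {brand}"
            return "mismatch", f"display name claims {brand} but mail is from {domain}"
    return "unknown", "display name does not claim a known brand"

if __name__ == "__main__":
    # Constructed sample headers; the local parts are invented.
    samples = [
        '"S-tandard Bank" <ibsupport@alert-std.co.za>',
        '"Standard Bank" <alerts@mail.standardbank.co.za>',
        'Amazon <no-reply@amazon.com.account-verify.example>',
        'Amazon <auto-confirm@amazon.com>',
    ]
    for header in samples:
        print(header, "->", check_sender(header))
```

A display-name check like this only catches senders that name the brand they imitate; it complements, and does not replace, reading the address yourself.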
Questionable Information Requests
Phishing attacks will frequently ask for information that they either don’t need or should already have. As a rule, reputable businesses will never ask for your account name, account number, password, Social Security number, etc. There was a recent phishing scam that appeared to come from the IRS, asking for account information from the victim’s financial institutions. If there’s anyone that doesn’t send emails like this, it’s the IRS.
If You Suspect Phishing
There are a number of steps that you can take if you suspect that a message you have received is a phishing attack.
- Verify the identity of the sender. For example, if you receive an email that looks like it’s from PNC Bank, call or email their customer support team to confirm. It’s important not to reply to the email itself, as any links in the message will not point back to a legitimate business entity. If it looks like a friend or coworker sent the message, follow up with them in a separate email (again, do not reply to the original message).
- Change any relevant passwords. Changing your password is almost never a bad idea, and having unique passwords for each site/service that you use is a best practice.
- Go back to the official source. Try to always directly type the web address of the site you want to access in your browser, instead of clicking on links from emails or social media networks. As mentioned, avoid links in the original message, as they will most likely redirect to a fraudulent site.
- Trust your instincts and err on the side of caution. If an email or website doesn’t look or “feel” right, there’s probably a reason.
If you think that your work email has been targeted by a phishing attack, please contact FIS via our Support Portal, or call us at 4-FIS1. If your personal email address has been targeted, please report it to any of the following agencies:
- Federal Trade Commission
- US Computer Emergency Readiness Team
- FBI Internet Crime Complaint Center
- Anti-Phishing Working Group
- PhishKillers Blacklist
For More Information
For additional background and tips, check out the articles in the FIS Knowledge Base, or read any of the following: