Don’t Get Caught!

Why this now?

Memorize this question and ask it for each and every email you receive.  Trust nothing.  Be skeptical.


Why this now?

The protected health information we use to do our jobs is valuable, and the consequences of allowing unauthorized access to it can be very serious.  Phishing is a technique cybercriminals use to lure people into turning over personal, financial, and/or business information through email and social media posts containing links.  Fortunately, the information security mindset can be learned, and learning to be skeptical will help keep your account secure.  But you need to know what to look for, so let’s take a look at the variety of phishing techniques these criminals use and examine some examples so you can be on the alert for them.(1)


Types of phishing vary according to the target and bait used:

  • Mass Phishing – Mass, large-volume attack intended to reach as many people as possible.
  • Spear Phishing – Targeted attack directed at specific individuals or companies, using gathered information to personalize the message and make the scam more difficult to detect.
  • Whaling – Type of spear phishing attack that targets “big fish,” including high-profile individuals or those with a great deal of authority or access.  The organization’s senior management is especially vulnerable to this.
  • Clone Phishing – Spoofed copy of a legitimate and previously delivered email, with the original attachments or hyperlinks replaced with malicious versions, sent from a forged email address so it appears to come from the original sender or another legitimate source.
  • Advance-Fee Scam – Requests that the target send money or bank account information to the cybercriminal.

The bait will be presented in a variety of forms:

  • Attachment labeled “invoice” or “shipping order”
    Contains malware that can infect your computer or mobile device if opened. May contain what is known as “ransomware,” a type of malware that will delete all files unless you pay a specified sum of money.
  • Notification from a help desk or system administrator
    Asks you to take action to resolve an issue with your account (e.g., email account has reached its storage limit), which often includes clicking on a link and providing requested information.
  • Advertisement for immediate weight loss, hair growth or fitness prowess
    Serves as a ploy to get you to click on a link that will infect your computer or mobile device with malware or viruses.
  • Notification from what appears to be a credit card company
    Indicates someone has made an unauthorized transaction on your account. If you click the link to log in to verify the transaction, your username and password are collected by the scammer.
  • Fake account on a social media site
    Mimics a legitimate person, business or organization. May also appear in the form of an online game, quiz or survey designed to collect information from your account.


Can you spot a scam?

Details matter, so look closely.

Remember, this variety of scam is called phishing for a reason, and you are the fish.  Scammers will bait you with lures that look remarkably “lifelike,” just as in fishing.  However, armed with information and a good dose of skepticism, you should be in a better position to avoid getting caught.  The question Why this now? is meant as a reminder to pay attention to details: not only who sent you a message and whether the message was expected, but also basic issues of grammar, sentence structure, spelling, tone, and persuasive techniques, as well as how graphical elements are presented, e.g., is a company logo “off” in some way?

This example email below has a number of telltale signs something is just not right:

 

Cybercriminals who run this scam have relatively low overhead costs compared to other money-making enterprises, and they rely on the sheer number of messages they spew out to catch enough of you to make their efforts profitable.  The messages may be crafted by non-native speakers of English who have an incomplete grasp of the small details native speakers take for granted, so they may open a message with a greeting that’s too formal or too informal, misuse or poorly form common abbreviations, and so on.  If you look at the example, your attention should be drawn to the incorrectly formed “INc” in PayPal’s name, and also to the domain @ecomm360 shown in the sender’s field.  Ask yourself, “What does ecomm360 have to do with PayPal?”  These two little details alone are reason to pause and give the rest of the message closer examination.

The language used in the message will also provide clues to its legitimacy.  Be on the alert for words and phrases that are meant to scare you or make you act with haste.  Fear is a core human emotion that served to motivate our hominid ancestors to run away from things that evoked the response.  Unfortunately, this hyperfocus on survival shuts down the part of our brain that is there to say, “Hey.  Is this something we need to fear?  Is this a real threat?”  Cybercriminals crafting these messages rely on this core response when they use inflammatory language or language that encourages you to act quickly.  Shutting down careful thought on your part is how they trick you into taking the bait.  So, pause, take a deep breath and ask, Why this now?
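The three tells discussed in this section (a display name that names a brand while the address sits in an unrelated domain, sloppy capitalization such as “INc”, and fear or haste wording) can be checked mechanically before a reader ever clicks.  The script below is an added illustration, not part of the original page or of any vendor’s mail filter; the brand-to-domain mapping, the urgency word list and the casing rule are assumptions chosen for the example, and the sample message is constructed from the page’s description of the PayPal/ecomm360 email rather than copied from a real message.

```python
"""Screen an email for the phishing tells the page describes.

Added example; the heuristics below (brand mapping, urgency terms,
odd-casing rule) are assumptions made for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed mapping: brand keyword in a display name -> domains it legitimately mails from.
KNOWN_BRANDS = {"paypal": {"paypal.com"}}

# Illustrative fear/haste phrases, matched case-insensitively in subject and body.
URGENCY_TERMS = (
    "immediately", "urgent", "within 24 hours", "suspended",
    "verify your account", "unauthorized", "act now",
)

# A run of capitals followed by lowercase letters, e.g. "INc" (does not match "PayPal").
ODD_CASING = re.compile(r"\b[A-Z]{2,}[a-z]+\b")


def registrable_domain(address):
    """Return the last two labels of the address's domain (sufficient for .com/.example)."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    labels = [label for label in domain.split(".") if label]
    return ".".join(labels[-2:])


def brand_named(text):
    """Return the first known brand keyword found in text, or None."""
    lowered = text.lower()
    return next((brand for brand in KNOWN_BRANDS if brand in lowered), None)


def body_text(msg):
    """Concatenate the decoded text/plain parts of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def analyze(raw_message):
    """Return a list of readable findings; an empty list means no tell fired."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    findings = []

    # Tell 1: display name claims a brand, sender domain belongs to someone else.
    brand = brand_named(display_name)
    if brand:
        domain = registrable_domain(address)
        if domain not in KNOWN_BRANDS[brand]:
            findings.append(f"sender claims to be {brand} but mail comes from {domain}")

    # Tell 2: oddly capitalized words in the visible headers ("INc").
    for token in sorted(set(ODD_CASING.findall(display_name + " " + subject))):
        findings.append(f"oddly capitalized word in header: {token}")

    # Tell 3: language that presses for fear or haste.
    text = (subject + "\n" + body_text(msg)).lower()
    hits = sorted(term for term in URGENCY_TERMS if term in text)
    if hits:
        findings.append("urgency/fear language: " + ", ".join(hits))
    return findings


# Constructed sample modelled on the page's description; not a real message.
SAMPLE = """\
From: "PayPal INc" <service@ecomm360.example>
To: you@example.org
Subject: Unauthorized transaction on your account
Content-Type: text/plain; charset=utf-8

We detected an unauthorized transaction. Verify your account immediately
or it will be suspended within 24 hours.
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("-", finding)
```

Run against the constructed sample, the script reports all three tells; a statement-style message from the brand’s own domain with neutral wording produces no findings.  The point is not that such a script catches every phish (a scammer can register a look-alike domain or write calmly), but that the same details the section asks a reader to notice can also be surfaced automatically as a first filter.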



References

  1. Thanks to the fine people in the IT Dept. at North Dakota State University for their concise primer “Phishing: Don’t Get Hooked” (https://www.ag.ndsu.edu/agcomm/lets-communicate/phished-don2019t-get-hooked), accessed 1/16/23.