I’m a firm believer that a true phisherman never sleeps. Now, I’m not drawing this conclusion from their repeated instances of poor grammar, possibly caused by sleep deprivation. I’m drawing more from the fact that “phishermen” seem to always keep up with whatever season it is. Holiday season? Expect to see some phishes with presents and snowflakes on them. Tax season? Expect to see a lot of IRS-related phishes. Groundhog Day season? Yep, you guessed it. TONS of phishes with Bill Murray’s face on them.
Okay, I made that last one up. (Bill Murray phishes might be too hilarious to really fool anybody.) But one thing is for sure: it’s tax season, so you can expect to see some related phishes showing up in your inbox.
Here is one example of what an IRS-related phish might look like:
At first glance the page looks legitimate. What you can’t tell from the screenshot is that the links on the page actually lead to the respective information pages on IRS.gov, making the phish even more convincing. But if you take the time to look at the URL, you will notice that this page is not hosted by IRS.gov. Why would the IRS ask for your information using a non-secure, non-government-affiliated webpage? Well, they wouldn’t, and this page definitely smells phishy.
So how does one ensure that one doesn’t get phished? Most people rely on their own personal network security measures, but “nothing is perfect,” as the old saying goes. Installing some form of anti-phishing security measures on your network is a great first step. However, while you gain some protection, it’s never 100 percent. The second half of the equation comes from you knowing what phishing looks like.
For what should you be looking? I thought you’d never ask!
Be cautious of unknown e-mail senders
The rub here is that if someone really knows what they’re doing, they can perform what’s called “E-mail Spoofing” and make the sender of the e-mail look like anybody they want. Regardless, it’s still a great practice. Take special care when the e-mail has a call to action, like demanding you download an attachment or click a link to fill out your personal information.
Review the URL and verify HTTPS
Always, always, always check the URL before entering any personal information. You want to be looking for any indication that the page you’re on actually belongs to the company it claims to be, and also that it’s secure. I personally will also check to see what comes directly before the TLD (e.g. .com, .net) to make sure that, for example, it’s actually something like “paypal.com” and not “paypal.notaphishipromise.com”.
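The two checks above (HTTPS, and the label directly before the TLD) can be written down as a small script. This is an added example, not code from the original post; the sample URLs are constructed, and the two-label rule for finding the registrable domain is an assumption that stands in for a real public suffix list.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the label directly before the TLD plus the TLD itself
    (e.g. 'paypal.com' for 'www.paypal.com').

    Assumption: a two-label heuristic stands in for a public suffix
    list, so country-code suffixes such as '.co.uk' are not handled.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def check_url(url: str, expected_domain: str) -> dict:
    """Apply the post's two checks: is the page served over HTTPS, and
    does the part right before the TLD match the brand we expect?"""
    parts = urlsplit(url)
    host = parts.hostname or ""
    actual = registrable_domain(host)
    return {
        "host": host,
        "registrable_domain": actual,
        "https": parts.scheme == "https",
        "domain_matches": actual == expected_domain.lower(),
    }


# Constructed sample URLs (not taken from any real campaign).
SAMPLES = [
    "https://www.paypal.com/signin",
    "http://paypal.notaphishipromise.com/login",         # brand hidden in a subdomain
    "https://paypal.com.secure-update.example/verify",   # brand left of the real domain
    "https://paypa1.com/",                               # look-alike label, not paypal.com
]

if __name__ == "__main__":
    for u in SAMPLES:
        r = check_url(u, "paypal.com")
        verdict = "ok" if r["https"] and r["domain_matches"] else "SUSPICIOUS"
        print(f"{verdict:10} {u}  ->  {r['registrable_domain']}")
```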
Do NOT click on links, download files, or open attachments in e-mails from unknown senders
Just don’t do it. If you really feel like you need to, maybe use some other form of communication to contact the sender and ask if they actually sent the e-mail.
Beware of any hasty, “Hurry-up before it’s too late!” messages
This is a common tactic of phishers. When we’re frightened into thinking that our account may get locked, or our profiles deleted, we tend to let our guard down a bit and go into “damage control” mode. Anything to fix the problem and avoid any inconveniences, even though succumbing to the phisher’s wishes would cause an even greater overall inconvenience.
Be cautious of phone-based phishes
If you get a phone call and there’s an automated voice on the other end of the line, it’s a great idea to double-check to see if the number matches who the caller claims to be. Most of the time you can use Google or a site like whocalled.us to look the number up and figure out who owns it. Even better, use the search engine to find the number of the organization that claims to be calling.
One last thing you can do is take this quiz to see how good you are at spotting a phish! Follow these simple steps and create a better, safer, not-losing-money-accidentally-because-you-weren’t-aware-enough, you!