Technology is fantastic, but it also opens the door for malicious actors to improve their wrongdoing. The number of phishing attacks, in almost every form possible, keeps increasing: emails, phone calls, SMS, instant messaging apps... And now, with generative AI, the quality of the malicious content will go up as well, so it is best to be prepared for it.
One remark before anything else: it is not that difficult to get lured by some phishing attempts (at least in their initial step), so don't feel bad if it happens to you. Occasionally we're tired, other times the timing works against us, and at times it is a really well-crafted attempt. Just try to detect its nature before it is too late (before any monetary damage is done). Some personal examples:
- I almost fell for a phone phishing attempt because of its timing: supposedly, my gas provider had an issue performing a change, when I had very recently asked them for a contract modification.
- A close relative almost fell for an SMS + website scam, because again the timing was good: while waiting for an international package, an SMS impersonated the correct delivery company and claimed there was an issue with customs.
- At work, we use a service that sends "fake phishing" emails to train us in spotting them. Although I have a very high score, I've fallen twice for them (falling meaning clicking any link in the initial email). Some are so well designed and tailored to the company that if you are in a hurry you might not even notice the fine details of the forgery.
I thereby present you with this small but hopefully useful guide to detect and prevent phishing attempts.
Meaning of the symbols/emojis:
- ℹ️: Information/tips. Actions that you can or should take.
- ⚠️: Things that should put you on alert. Multiple ones in the same message are a really bad sign.
- 🛑: Stoppers. If you see one of these, do not click, open or reply to the message.
General
⚠️ Is there a sense of urgency in the message?
One of the most common tactics: put pressure on you and urge you to act quickly, so you don't stop to think slowly and carefully.
⚠️ Is the topic about a problem or issue?
Another common tactic: either asking for help (the classic rich Nigerian prince asking for help moving money) or luring you into thinking there is a problem with some operation or service (e.g. a package is being held by the distributor, a bank transaction failed...).
⚠️ Is the topic unexpected?
If you didn't buy anything and are not expecting any package but you receive some "order issue" message, if you don't own a car but receive a message about a pending fine, or any similar unforeseen and unusual event, be on your guard.
⚠️ Is any URL in the message weird-looking, or similar to a shortened URL?
Although tracking links can sometimes mess up this heuristic, in general do not trust any URL whose host is not the proper company domain (e.g. www.amazon.com if it is about an Amazon order). Note that the domain must really be the host, not just appear inside it: www.amazon.com.something.net is not Amazon. Most companies do not use URL shorteners, and those that do have a single one that still looks similar to the main host domain (never, ever a generic service anyone can use).
In case of doubt, never click or open any link. Below, in the Tips & Tricks section, you have a few actions you can perform instead.
🛑 Is there any CTA (call to action) related to payment information?
Is the message directly asking you to provide any payment details (bank or credit card details)? If so, stop immediately. Nobody will ask you to update or fix your payment details directly without logging in first on the corresponding website.
The same applies if the message has a link, and that link takes you to a website that directly asks for payment information without an official login first.
Another hint that things might be wrong is being asked to pay in a different currency than expected (e.g. paying in USD for a service inside the European Union).
⚠️ Does the message contain typos, badly written sentences or strange characters?
Although I've seen typos in 100% legit emails, in general messages are proofread before being added to any official and proper automated messaging system. E.g. something Google-translated might be written in Spanish, but not with the correct sentence structure.
The same happens with homoglyphs (Greek, Cyrillic and the like): visually similar letters with different "character codes" are sometimes used to disguise fake domains in URLs and email addresses.
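The URL checks above (host must really be the company domain, generic shorteners, homoglyph letters in the host) can be automated. This is an added example, not code from the original post; the shortener list is an illustrative subset, and the look-alike hosts in the comments are constructed samples.

```python
import unicodedata
from urllib.parse import urlsplit

# Illustrative subset of generic shortener hosts anyone can use (assumption, not from the post).
GENERIC_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}


def host_belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain itself or a subdomain of it.
    'www.amazon.com.evil.example' contains amazon.com but does NOT belong to it."""
    host, expected_domain = host.lower().rstrip("."), expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def non_ascii_letters(host: str) -> list:
    """Non-ASCII characters in the host with their Unicode names, so a Cyrillic or
    Greek look-alike letter hidden among Latin ones becomes visible."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host if ord(ch) > 127]


def check_url(url: str, expected_domain: str) -> list:
    """Return warning codes for a link that claims to belong to expected_domain.
    An empty list means none of the checks fired; it is not a proof of safety."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return ["no-host"]
    warnings = []
    if "@" in parts.netloc:
        # 'https://www.amazon.com@evil.example' shows the brand but lands on evil.example
        warnings.append("userinfo-before-host")
    if host in GENERIC_SHORTENERS:
        warnings.append("generic-shortener")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-label")  # IDNA-encoded label, often hides homoglyphs
    if non_ascii_letters(host):
        warnings.append("non-ascii-host")  # e.g. Cyrillic 'а' (U+0430) instead of Latin 'a'
    if not host_belongs_to(host, expected_domain):
        warnings.append("wrong-domain")
    return warnings
```

Paste the link target from the email (hover, then copy) and the expected company domain; any non-empty result is a reason to fall back to the official channels from the Tips & Tricks section.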
🛑 Is it from a country you lived in in the past, but no longer live in?
This is the easy mode. E.g. if you lived in Italy in the past but not any more, and you get a message in Italian about a package being held at customs, it is clearly not real. This often happens when you keep the foreign phone number.
⚠️ Carefully check every link, button, and clickable item
Emails can only contain very basic HTML; everything else is styling. There are no real buttons: everything that is clickable is really a hypertext link, and you can inspect where it points to by hovering the mouse over it and looking at the bottom of your web browser (from a computer). As mentioned in the general advice, do not click on anything that looks suspicious or does not use the official company/website domain.
⚠️ Is the sender someone you know, but the content is weird or unlikely to come from them?
Senders can be faked, but most importantly, stealing email accounts or installing trojans on computers is not just for movies. Sadly, you can't simply trust your contacts' emails just because they apparently come from them.
If a French friend has suddenly written you an English email asking for monetary help, be very wary. At minimum, write them a separate email asking for more details, but ideally call them or send them an instant message from an app, considering their email address compromised and unsafe.
SMS
🛑 Does the service usually send "named" SMS, but now it is an unknown number?
Most companies that send SMS with order statuses and similar are officially registered, so you will receive messages from "DHL" and not from a random number. If you always receive named SMS and suddenly there's one from an unknown, normal phone number, consider it phishing.
🛑 Is the sender from a different country than the correct one?
If I live in Sweden (prefix +64), I will never receive any official SMS from a Philippines-based (+63) number. Wrong country prefix equals scam.
This is also important to check even if the message is in the correct language.
⚠️ Is the SMS offering you SMS "commands" to ask for help or cancel?
Although there are still a few SMS-based workflows to stop "legit" marketing communications, do not trust and do not reply to any unknown number with anything. Apply the Tips & Tricks alternatives to act on the supposed issue.
Phone
⚠️ Does the call take some time to connect, and is the sound bad or noisy?
Phone scammers don't use high-tech equipment, and often work in crowded spaces with cheap headphones. If, when you pick up the phone, it takes a few seconds to connect with the other end, and then whoever speaks has background noise, that's your first signal to distrust the call.
⚠️ Are they calling from a normal number?
This is challenging to apply in practice, as companies don't use special numbers as frequently as they did in the past. But I keep my contacts list up to date, and I raise my alert level when receiving a call from a number not present in my address book.
🛑 Are they eager for you to take some action, willing to call you again later, or to switch to WhatsApp?
While a real service agent might indeed call you back, they will never offer to switch to an instant messaging application (e.g. to "send you proof of the issue you have"). Plus, it is effortless for them to get another scammer to assist: they give you a number, you call it, and the accomplice "confirms" the story and suggests you take action, or something similar.
Remember the golden rule: in case of doubt, stop and use an official channel. Trust nothing that feels out of place or is easy to fake.
⚠️ Voice can be faked
As of 2024, you can get a decent fake of someone's voice by training a model with very few hours of real speech. But even without that, one can simply find a similar voice, simulate bad sound conditions and record a fake message to try to lure someone.
Do not trust urgent messages from unknown numbers, even if they appear to come from a known person or family member, until they have confirmed some relevant personal detail that a simple impostor wouldn't know.
🛑 The caller won't give you details such as your customer number or contract number
A trick that often causes scammers to hang up directly is to ask them to provide some detail that only the real company can know. For example, your electricity provider not only knows your bank details or ID (easily obtainable from any invoice), but you usually have a "contract identifier" or "contract number", and it is not always shown on invoices. You can ask the caller to provide your contract number, and if they dodge the question (offering other details like the last digits of your bank account or your phone number), insist. They will almost always end up hanging up in frustration.
⚠️ Have they properly ensured that you are who you should be?
You must tread carefully here, as you could be providing scammers with personal details, but it is still a good warning sign. You receive a call, they ask you if you're "xxxx yyyy", maybe whether your service relates to the address "aaaa bbbb", and... that's all. Then you begin discussing an issue with your contract/service, but they really haven't properly verified your identity (e.g. by asking for your ID, and the postal code if it is an address). Sloppy security could mean scammer. But I've also faced legit services asking me for few and easily obtainable personal details, although not for any sensitive operation.
Websites
🛑 Is the website hosted on a strange domain?
If your company is hosted at www.xxxxx.com but you are browsing something that looks like the official page and has a domain like somethingsomething.cloudfront.net, close the page. The same applies if the domain is similar but not exactly equal (www.xxxxy.com or www.xxxxxx.com, continuing with our example).
🛑 Is the website not fully working?
Does the website look legit, but some sections or actions don't work (e.g. switching the language)? Does Google Translate do nothing if you try to translate it to another language (sometimes scammers use images instead of text and HTML markup)?
Have you logged in from another tab, but this page still shows the "login" button/call-to-action?
Official websites sometimes break, but it is usually an all-or-nothing scenario: either they work, or they are down with an error/maintenance message.
WhatsApp (applicable to other instant messaging platforms)
🛑 Never trust any WhatsApp message from an unknown sender
No matter the name they show, and even if they appear as a commercial account, distrust anybody you are not expecting a message from.
Tips & Tricks
ℹ️ Always fall back to the official communication channels
Go to the official service website, check their official communication channels and use one of them. Initiate the full communication flow yourself, instead of following the potential phishing one.
ℹ️ Manually go to the service website
Log in, and check whether you have any message, pending order, or similar there. If not, either write to or call them, or discard everything as a phishing attempt.
ℹ️ Use official apps
Nowadays, almost every service has a companion app, from the postal service and every last-mile delivery service to banks, stores, and home utility providers. If there's a potential issue with "your postal service package", check in the app; if you have no pending order, it was a scam attempt.
ℹ️ An old-school call always works
Calling a support number of any official service is more time-consuming, but highly effective. They can check if there's some issue, and if you explain the phishing attempt to them, they often also give you tips about how the scams work (e.g. "We will never call you to ask for any payment details by phone, SMS, or email").
ℹ️ Activate Two-Factor Authentication everywhere you can
2FA is an excellent second line of defense. Even if you fall for a phishing attack and give away your password, if the service has 2FA the attacker still needs the second factor to impersonate you (a security key or passkey is the most phishing-resistant option, since one-time codes can also be phished in real time).
ℹ️ Some web browsers are more secure than others
In the past, Internet Explorer was the main browser, and thus the main target for all kinds of attacks and phishing. As of 2024, Google Chrome has taken the lead, and its security measures are not always that strong.
My favourite browser, Firefox, shows crystal clear warning messages when you accidentally click on a phishing link and its security measures detect it as phishing.
ℹ️ Tools to protect your identity are starting to appear
I personally think and expect identity management to become a critical point to address in the upcoming years. We've been giving away too much information for too long, and the security of most services and systems is not on par with how easy it is to act when you know certain personal details.
But there are some things you can already do, like protecting your email address by hiding it (e.g. via Firefox Relay), or using virtual debit cards (especially disposable ones) if your bank provides the service. For example, if you pay with PayPal instead of a credit/debit card, the merchant will never see any associated card number or bank account, just a PayPal-enabled email. So if the merchant's data gets stolen, your cards and accounts are safe.
In some countries, you can have an official digital inbox: based on your national ID number, you receive (often as PDFs) relevant mail from government entities, payslips, bills, ... Not perfect, but better than physical mail as long as the platform is secure.
ℹ️ Never open an attachment until you have verified that the email is legit
Microsoft Word documents, PDF files and many other file types can contain malicious code and infect your computer.