Phishing is a method of tricking someone into handing over sensitive information, such as login credentials and credit card details. Usually this is done via email, where the sender pretends to be a company or an authority and uses the real company's logos and email templates to make the recipient believe the message is legitimate and really comes from the alleged sender.
The message usually tells you to hurry and click a link to resolve some issue. If you click the link, you end up on a page designed to mimic the company's or authority's website; that is, the scammers have copied the legitimate site so that you believe you have landed on the correct one. Anything you enter on that page goes straight to the scammers.
How do I judge if I’ve received a phishing email message?
There are a few simple things you can do to judge if an email message is legitimate or not:
- Check the email address of the sender – The address used as sender will often be on a completely different domain than the one the alleged company uses. It is possible to forge the sender address in a phishing message, but forged addresses are often caught by spam filters (for example through SPF, DKIM and DMARC checks). Since the senders want as many messages as possible to reach the recipients, they often use a completely different address on a domain they control instead. Note that a lookalike domain (e.g. the company name with an extra word or a different ending) counts as a different domain.
- Check the link – The link or links in the message will often lead to another domain than the one the alleged company uses. By hovering your mouse over the links or buttons in the message (on a phone, press and hold the link) you should be able to see where the link actually goes. The visible link text can show the company's real address while the underlying link points somewhere else, so look at the destination, not the text.
- Read the message carefully – The language and grammar are often poor in phishing messages, especially when the message is written in Swedish, and you can often tell that it has been machine translated. Proper companies usually proofread their messages before sending them. However, phishing messages can be well written too, so good language alone is no guarantee.
- Check the subject of the message – The subject line can be a clear indicator of whether the message is legitimate. Sometimes the subject is so strangely written that you can tell right away that the message is phishing, even without reading the rest. The same reasoning about machine translation applies to subject lines.
- Do not act on impulse – Phishing email messages often ask you to log on and do something, e.g. update your credit card details or customer information. Keep this in mind and be extra careful whenever you are asked to log in. If you are asked to log in, do not click the link; visit the company's website manually (by typing the address or using a bookmark) so that you know you are logging on to the correct site.
- Are you being told to hurry? – This is related to the point above. In many cases you are asked to do something within a very short timeframe, such as 24 hours. The purpose is to make you act in a hurry, clicking the link immediately instead of taking the time to evaluate the situation.
- Is it too good to be true? – Some phishing campaigns are all about collecting your personal information for future fraud. For example, you may be told that you have been randomly selected as the winner of a brand new phone, and all you need to do is enter your address and phone number. Of course, you will never see that phone, but your information will be used by the scammers.
- Does the alleged sender warn about phishing messages? – If a company is affected by an ongoing phishing campaign, it is common for information about it to be posted on the company's website. Therefore, have a look at the company's website for any notice about fraudulent email messages. If you cannot find one, the campaign may have just started, not giving the company time to add the information yet.
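The first two checks above (sender domain and link destination versus link text) and the urgency cue can be automated when you have the raw message. The script below is an added example, not part of the original article: it parses a constructed sample email using only Python's standard library and lists the tells it finds. The brand domain example-bank.example, the sample message and the urgency word list are assumptions made for the example.

```python
"""Triage a raw email for the phishing tells discussed above (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from a real campaign). The display name
# claims to be "Example Bank", but the sender domain and the first link host
# are unrelated, and the link text shows the real address to hide the target.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <noreply@mail-example-bank-verify.top>
To: customer@example.org
Subject: URGENT: your account will be locked in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, we detected unusual activity. Please verify your card
details within 24 hours to avoid suspension.</p>
<p><a href="http://example-bank.verify-login.top/secure">https://www.example-bank.example/login</a></p>
<p><a href="https://www.example-bank.example/help">Help centre</a></p>
</body></html>
"""

EXPECTED_DOMAIN = "example-bank.example"  # assumption: the brand's real domain
URGENCY_WORDS = ("urgent", "within 24 hours", "immediately", "suspended", "locked")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'last two labels' domain. A real tool would use the public suffix
    list so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    return urlparse(url).hostname or ""


def triage(raw, expected_domain=EXPECTED_DOMAIN):
    """Return a list of human-readable findings; an empty list means no tells."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender domain versus the brand's real domain.
    _, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if registrable(sender_domain) != registrable(expected_domain):
        findings.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")

    # 2. Every link: off-brand destination, and link text that hides the target.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    parser = LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        link_host = host_of(href)
        if registrable(link_host) != registrable(expected_domain):
            findings.append(f"link to {link_host!r} is off-brand (text: {text!r})")
        if re.match(r"https?://", text) and registrable(host_of(text)) != registrable(link_host):
            findings.append(f"link text {text!r} hides target {link_host!r}")

    # 3. Urgency cues in subject or body (one finding is enough).
    haystack = (str(msg["Subject"] or "") + " " + html).lower()
    for word in URGENCY_WORDS:
        if word in haystack:
            findings.append(f"urgency cue: {word!r}")
            break

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

On the sample message this reports the off-brand sender domain, the off-brand link, the link text that hides its real target, and the urgency cue. Keep in mind that all three checks only raise suspicion: a message with no findings can still be phishing, and an attacker who has compromised a legitimate mailbox will pass the sender check entirely.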
If you are not sure whether the message you have received is legitimate, forward it to the support department of the company or authority and ask if they sent it. Use contact details from the company's own website, never the phone number or reply address given in the suspicious message. They should be able to tell you if they sent similar messages and give you a quick reply. If a phishing campaign is ongoing, the company or authority will probably already be aware of it and can confirm whether the message you received is phishing.
I clicked a link in a phishing message and didn't realise until afterwards that it wasn't a legitimate message!
Usually there is no direct danger in merely clicking a link in the email message; the real danger comes from entering sensitive information on the page. Do bear in mind, though, that the click confirms to the scammers that your address is active, and that the page may try to get you to download or open a file, so keep your browser and operating system up to date and do not run anything the page offers you.
I clicked a link in a phishing message and entered sensitive information!
Uh-oh! You need to act as soon as possible!
- If you entered login credentials, log on to the company's proper website and change the password right away. If you use the same credentials elsewhere online, change them there as well, and turn on two-factor authentication where it is offered. If the credentials belong to a work account, notify your IT department too.
- If you entered credit card information, call the card issuer (often the bank) and block the card as soon as possible. Also monitor the account history and watch for unauthorised charges.
What is spear phishing?
With ordinary phishing, the scammers try to reach as many people as possible, hoping that some of the recipients are customers of the company they are impersonating. This means that you can receive phishing messages asking you to log on to Swedbank even if you have never been a customer of that bank.
Spear phishing, on the other hand, targets specific recipients. The scammers research a company and aim their phishing attempts at specific individuals or departments. They may, for example, pretend to be the CEO and send a fake email to the finance department asking it to make a bank transfer.
With spear phishing you are often not asked to click a link or fill in credentials as with ordinary phishing; instead you are asked to do something more specific:
- You are asked to open an attached file, which contains malware of some kind, e.g. a keylogger or ransomware, or;
- You are asked to make an urgent bank transfer to a given bank account. Such requests should always be verified with the supposed sender over a channel you already trust, for instance by phoning a number you already have, before any money is moved.
Phishing doesn’t only occur via email
When people talk about phishing, it is usually in the context of email messages. However, phishing happens through other channels as well, such as phone calls, text messages and Facebook.
- Via text messages (SMS), you may receive a notice about a parcel delivery or be told that you have won something, with a link to follow.
- On Facebook, scammers may set up fake company pages where you are asked to enter login credentials or personal information.
- Via phone calls, the scammer may claim to represent your bank and ask you to confirm something using BankID. This has become more common recently. Your bank will never call you and ask you to identify yourself with BankID; if you get such a call, hang up and call the bank back on its official number.