The Internet is great, isn’t it? It enables you to communicate so easily with friends and family and to do business without leaving your chair (or bed, or pool). But the downside is that it lays you open to all the con-artists around the world who also no longer need to leave their sun loungers to get their hands on your money. So let’s talk about phishing.
The methods the bad guys use are many and varied, but one of the most common routes to your door is email. They can send you a phishing email that tries to trick you into giving away info that might be useful to them, or lets them take over your computer. But how do you know that an email is fake when it’s mixed in with all the other emails that hit your inbox? One way is to play the Phishing Game and score it on five counts to decide if it’s likely to be a phish or not.
Did you know this email was coming? Did you have a chat with your old friend Mr John Garry last night when he told you all about this opportunity and said he’d send an email confirmation?
No? In that case Phish Score 1 out of 1 so far.
Note – watch out for coincidences that make you think the email is expected, such as getting one about an Amazon delivery just after you’ve ordered something from Amazon.
Is it obvious that this person knows who you are and has included some relevant information about you? Or does it look like it’s been sent to everyone and their dog? If it doesn’t make you feel special, it could be a phish.
Phish Score 2 out of 2.
Note – with personal information freely available from social media it’s getting easier to personalise phishing emails, so be careful.
Hurray! You’re going to get five million dollars. Or it could be an iPad, or a phone, or Amazon vouchers, or something else you like the sound of, but haven’t earned. In today’s world of extremes and conspiracy theories, it’s easier to believe the unusual. But let’s be honest – you’re not that lucky.
So if it seems too good to be true – that’s because it is.
That’s a 3 out of 3.
Act now! Act now! Don’t think – just do. If you have a strong FOMO (fear of missing out) drive then you may be tempted to just click on the link, or open the interesting attachment, because you don’t want to be the one that’s not in the know. Are you being rushed into taking action? Then alarm bells should be ringing in your ears.
Phish Score – 4 out of 4 so far.
Emails that just want to be read, and nothing else, are generally not a threat – that’s just spam and you can grunt and carry on with your life. But emails that need you to do something, such as open an attachment, click on a link, reply with information or call a number, are the ones to be careful of. In our example, if you email them back with the information requested (so that you can get your five million dollars before the deadline runs out) you can bet you’re going to get some follow-up, either by email again or by phone. And then you’re in the con-artist’s pipeline as a potential sucker. And they will tell their friends too, so look out for a phishing frenzy.
Total Phish Score – 5 out of 5.
Conclusion? It’s a Phish! Well spotted!
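The five counts above are human judgements, but the same rubric can be turned into a rough automated triage check. The script below is an added example, not part of the original post or CertiKit’s material: it scores a message on the same five counts (unexpected sender, impersonal greeting, too-good-to-be-true reward, pressure to act quickly, and a request that you do something) using simple keyword patterns, and runs it over two constructed sample emails. The sender allow-list, the recipient name and the phrase lists are all assumptions made for the example; a production mail filter would use far richer signals than these.

```python
import re
from dataclasses import dataclass


@dataclass
class Email:
    sender: str
    subject: str
    body: str


# Phrase lists are constructed for this example and are deliberately small.
URGENCY_PATTERNS = [r"\bact now\b", r"\burgent(ly)?\b", r"\bimmediately\b",
                    r"\bdeadline\b", r"\bwithin \d+ (hours?|days?)\b", r"\bexpires?\b"]
REWARD_PATTERNS = [r"\$\s?\d[\d,.]*", r"\bmillion\b", r"\bprize\b",
                   r"\byou('ve| have)? won\b", r"\bvouchers?\b", r"\bfree\b"]
ACTION_PATTERNS = [r"\bclick\b", r"\bopen(ing)? the attach", r"\breply with\b",
                   r"\bcall (us|me|this|the number)\b", r"\bconfirm your\b",
                   r"\bverify\b", r"\bsend (us|me) your\b"]
GENERIC_GREETINGS = [r"^\s*dear (customer|user|friend|sir|madam|valued|winner)",
                     r"^\s*(hello|hi|greetings|attention)\s*[,!.]?\s*$"]


def _any_match(patterns, text):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def phish_score(email, expected_senders, recipient_name):
    """Score an email on the five counts; returns (score, list of counts that fired)."""
    text = f"{email.subject}\n{email.body}"
    lines = email.body.strip().splitlines()
    first_line = lines[0] if lines else ""
    known = {s.lower() for s in expected_senders}
    checks = {
        # Count 1: did you know this email was coming? (assumed allow-list of senders)
        "unexpected": email.sender.lower() not in known,
        # Count 2: does it look like it was sent to everyone and their dog?
        "impersonal": (_any_match(GENERIC_GREETINGS, first_line)
                       or recipient_name.lower() not in email.body.lower()),
        # Count 3: too good to be true?
        "too_good": _any_match(REWARD_PATTERNS, text),
        # Count 4: are you being rushed?
        "rushed": _any_match(URGENCY_PATTERNS, text),
        # Count 5: does it need you to do something?
        "wants_action": _any_match(ACTION_PATTERNS, text),
    }
    score = sum(checks.values())
    return score, [name for name, fired in checks.items() if fired]


def verdict(score):
    """Map the 0-5 score to a plain-language outcome (thresholds are an assumption)."""
    if score >= 3:
        return "phish"
    if score == 2:
        return "suspicious"
    return "probably fine"


# Constructed sample messages (not real emails).
EXPECTED_SENDERS = {"colleague@example.org"}
PHISH = Email(
    sender="john.garry@example.net",
    subject="Act now - your $5,000,000 is waiting",
    body="Dear Friend,\nYou have been selected to receive five million dollars. "
         "Reply with your bank details within 24 hours or the offer expires.",
)
LEGIT = Email(
    sender="colleague@example.org",
    subject="Notes from today's meeting",
    body="Hi Alex,\nAs discussed, the notes from this afternoon's meeting are in "
         "the shared folder. No action needed.\nThanks",
)

if __name__ == "__main__":
    for msg in (PHISH, LEGIT):
        score, reasons = phish_score(msg, EXPECTED_SENDERS, "Alex")
        print(f"{msg.subject!r}: {score}/5 -> {verdict(score)} {reasons}")
```

The constructed phish trips all five counts (5 out of 5, the same total the game reaches above), while the routine colleague email scores 0. The point of the thresholds is triage rather than a final answer: a score of 2 flags a message for a closer human look, which is where the game itself comes in.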
If you spot a phishing email it should be either deleted straight away or forwarded as a warning to an email address your IT support maintains for such items, if they do that. Don’t send it to your friends because not everyone is as smart as you.
The people who design and send phishing emails have been getting better at it over the years since they became a thing, but recently they have been handed a golden goose in the form of freely-available artificial intelligence, like ChatGPT (other AIs are available). Although the main parts of a phishing email will still meet the counts described above (so the game is still valid), expect them to get more convincing as time goes by. For example, bad spelling and grammar will no longer be signs of a phishing email because AI can write better than most humans. The upside is that AI will also be used more effectively to spot phishing emails before they reach your inbox, so all is not lost.
Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, an ISO 27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry.