Merriam-Webster defines “phishing” as “a scam by which an e-mail user is duped into revealing personal or confidential information which the scammer can use illicitly.” So, basically, there are bad guys out there fishing for your personal and professional data. It’s up to you not to get hooked.
How do you identify a phishing email?
There are ways to identify emails that are designed to bait you into unnecessarily providing your confidential information. These “tests” are not hard and fast rules but can help you to determine when you should be particularly cautious.
The FROM test:
Take a look at the email address of the sender. If you receive an email regarding the status of your UGA email account, as an example, from whom would it come? In this case, be suspicious if the address does not end with “@uga.edu”. A common tactic of the bad guys is to send an email from an address that might, with only a cursory glance, appear legitimate. Don’t fall for emails from “@ugamail.com” or “@yahoo-inc.com”. Look at the actual address, not just the display name in front of it: “UGA Help Desk <support@ugamail.com>” is a “@ugamail.com” message no matter what the name says. Please note that this test should be used only to dismiss emails, never to validate them. Email addresses can be spoofed, so a sender address that does end with “@uga.edu” proves nothing by itself.
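As an added illustration (this is example code, not something from the original article or from UGA OIT), the short Python script below applies the FROM test mechanically. It assumes “uga.edu” is the trusted domain and treats any other domain containing the brand name “uga” as a lookalike; the sample From headers at the bottom are constructed, not real messages. Note how it separates the display name from the real address, so a header whose display name is itself a convincing “helpdesk@uga.edu” is still judged by the address in the angle brackets.

```python
"""FROM test: classify the sender domain of an email From header.

Added example, not code from the original article or from UGA OIT.
Assumptions (not stated on the page): the trusted domain is "uga.edu" and a
lookalike domain is any other domain containing the brand name "uga".
"""
from email.utils import parseaddr

TRUSTED_DOMAIN = "uga.edu"   # assumed: the organization's real mail domain
BRAND_TOKEN = "uga"          # assumed: the name a lookalike domain would imitate


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of the real address in a From header.

    parseaddr() separates the display name from the address, so a header such as
    '"helpdesk@uga.edu" <billing@yahoo-inc.com>' yields 'yahoo-inc.com', not the
    legitimate-looking text the sender put in the display name.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def from_test(from_header: str, trusted_domain: str = TRUSTED_DOMAIN,
              brand_token: str = BRAND_TOKEN) -> str:
    """Return 'matches', 'lookalike' or 'foreign' for a From header.

    'matches' means the address is in the trusted domain or a subdomain of it.
    That proves nothing, because the header can be forged; only the two
    negative verdicts are grounds for action (dismiss, never validate).
    """
    domain = sender_domain(from_header)
    if not domain:
        return "foreign"       # no parsable address at all: treat as untrusted
    if domain == trusted_domain or domain.endswith("." + trusted_domain):
        return "matches"
    if brand_token in domain:
        return "lookalike"     # e.g. ugamail.com, uga-edu.com, uga.edu.example.net
    return "foreign"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        "UGA Help Desk <helpdesk@uga.edu>",
        "OIT <noreply@mail.uga.edu>",
        "UGA Mail Team <support@ugamail.com>",
        "Account Services <alerts@yahoo-inc.com>",
        '"helpdesk@uga.edu" <billing@yahoo-inc.com>',
    ]
    for header in samples:
        print(f"{from_test(header):<10} {header}")
```

A “matches” result only means the email has passed this one test; the remaining tests still apply, and a spoofed header will pass it too.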
The link test:
If an email asks you to click a link embedded inside that email, perform this simple test. Without clicking on the link, carefully move your mouse pointer over the link and take a look at the web address that shows up in the popup tooltip (or in the status bar, depending on your mail client). Is it different from where you were expecting the link to take you? If so, you probably do not want to find out what will infect your computer when you go there. Keep in mind that the visible text of a link can itself look like a web address, such as “www.uga.edu/login”, while the real destination shown in the tooltip is somewhere else entirely; it is the destination that counts. It is also a good policy to avoid links whose address begins with an IP address (ex: http://127.0.0.1/…) rather than a domain name (ex: http://www.uga.edu/…).
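As an added illustration (example code, not from the original article or from UGA OIT), the Python script below performs the link test over the HTML source of a message: for every link it compares the visible text with the real destination, flags destinations that are bare IP addresses, and flags destinations outside the expected domain, which is assumed here to be “uga.edu”. The sample message is constructed for this example, and 203.0.113.7 is a documentation-only address. It goes slightly beyond the text by also handling the “user@host” trick, where a legitimate name is placed before an “@” in the address so that the real host is the part after it.

```python
"""Link test over the HTML body of an email.

Added example, not code from the original article or from UGA OIT.
Assumptions (not stated on the page): the expected destination domain is
"uga.edu" and SAMPLE_EMAIL below is a constructed phishing-style message.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "uga.edu"   # assumed: where a genuine account notice should send you

# Constructed sample, not a real message. 203.0.113.7 is a documentation-only address.
SAMPLE_EMAIL = """
<p>Dear email user,</p>
<p>Your mailbox is over quota. Verify your account within 24 hours at
<a href="http://203.0.113.7/uga/login">https://www.uga.edu/login</a>
or read the policy at <a href="https://www.uga.edu/policies">our policy page</a>.</p>
<p>Questions? <a href="http://ugamail-support.com/help">ugamail help</a>
or <a href="mailto:helpdesk@uga.edu">email us</a>.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(target: str) -> str:
    """Lowercased host of a URL, or of address-like text such as 'www.uga.edu/login'.

    urlsplit().hostname drops any 'user@' prefix, so the classic trick
    'http://www.uga.edu@203.0.113.7/' correctly reports 203.0.113.7.
    """
    parts = urlsplit(target.strip())
    if not parts.scheme:
        parts = urlsplit("http://" + target.strip())
    return (parts.hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    """True for a bare IPv4 or IPv6 address instead of a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def same_site(a: str, b: str) -> bool:
    """True when one host equals the other or is a subdomain of it."""
    return in_domain(a, b) or in_domain(b, a)


def looks_like_address(text: str) -> bool:
    """True when the visible link text itself reads as a web address."""
    return bool(text) and not any(c.isspace() for c in text) and "." in text and host_of(text) != ""


def link_test(html: str, expected_domain: str = EXPECTED_DOMAIN) -> list:
    """Return (href, reason) findings; an empty list means no link failed the test."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue   # mailto:, relative paths and #anchors have no host to judge
        if is_ip_literal(host):
            findings.append((href, "destination is a bare IP address"))
        if looks_like_address(text) and not same_site(host, host_of(text)):
            findings.append((href, f"link text shows {host_of(text)!r} but the link goes to {host!r}"))
        if not in_domain(host, expected_domain):
            findings.append((href, f"destination {host!r} is not under {expected_domain}"))
    return findings


if __name__ == "__main__":
    for href, reason in link_test(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

An empty result does not make a message safe; it only means none of the links failed this particular test, and the other tests on this page still apply.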
The urgency test:
Be suspicious if, without previous warning, you get an email prompting you to immediately provide information to avoid some unpleasant situation such as an account being closed, a fee being imposed, or an opportunity lost. The intent is to create such a sense of urgency that you will feel compelled to act without questioning the validity of the situation. Don’t bite. In the real world these situations are relatively uncommon and, when they do occur, you would typically already know about them through normal channels rather than learning of them from a single unexpected email.
The greeting test:
If someone knows you are about to miss out on $10,000 or that your email account is about to be closed down because you are using too much space on the server, wouldn’t that person know your name? Be wary of email messages that begin with generic greetings such as “Account holder” or “Dear email user.” If the sender cannot address you by name, they should probably not be privy to information specific to you.
The vocabulary test:
Read the email message thoroughly. An email warning you of some official action will normally be the digital equivalent of a form letter. You would expect such a letter to be professionally composed and to contain few if any errors. If an “official” message contains spelling errors, poor grammar, pixelated graphics or other composition errors, it is probably not legitimate.
The sensitivity test:
Please remember that under no circumstances should you ever transmit personal, private or otherwise sensitive information via email. Likewise, you should never submit such information to a website unless you are confident of the site’s authenticity and security and that there is a valid need for the data requested; if in doubt, type the organization’s web address into your browser yourself rather than following the link in the email. No legitimate organization will ask you to provide a password via email. Ask yourself whether each request for information that you receive is reasonable.
Beyond these tests, always be cautious when interacting with emails from unknown or suspicious sources and, particularly, those with attachments. Do not open an attachment if you were not expecting it and have not verified it with the sender, especially when it is an .exe or .zip file. Your local IT support representative and the OIT helpdesk are at your disposal should you have questions or concerns.
Hopefully, the tests presented here will help you sniff out those phishy emails before their authors can get their hooks into you.