The days of tricking people into sending money to free a Nigerian prince are largely over. Phishing scams today look real and are constantly tricking innocent victims into their trap. Looking for misspellings and bad grammar is no longer sufficient – the bad guys have learned and have started to use spell-check.
Here at GoDaddy, we get tens of thousands of reports each year from our customers ranging from fake domain status change notifications to forged password reset schemes. Like many other businesses, we also see “spear phishing” emails sent to our employees. This type of phishing thrives on a sense of familiarity — the hacker sends an email that’s often personalized and might appear to be from a person, business or institution you know or trust. But it’s not.
To protect your business and employees, it’s important to know what to look for.
What is phishing?
Phishing is a scheme where hackers get users to hand over sensitive information such as passwords and Social Security numbers. The scam usually involves sending spam email that looks like it’s coming from a trusted source, like a bank (this is the bait), that then links to a fraudulent website impersonating the trusted source (this is the trap). The unsuspecting target then enters the information the attacker’s looking for, thinking he’s actually on a site he trusts. Bummer!
Shipping-based phishing schemes
During the holiday season, you might see an uptick in shipping-based phishing schemes. Keep these things in mind before you click on a link in the email or send a reply:
Does the sender seem legit? If you are not sure about the legitimacy of the sender or target domain — i.e. FedExShipping1.com vs. fedex.com — do a quick WHOIS lookup to verify the owner.
What is that .doc attachment? We usually do not receive shipping notifications via an attachment. These are usually delivered in the body of the email or via a tracking number.
Did you even order something? Many times these scams work because of human curiosity. An important message about a package coming to me? I must look! Rule of thumb here is if you didn’t order something, it is probably a scam.
But what if I did order something? Keep in mind that shipment updates usually come from the seller of the product, not the shipment company itself. Always navigate directly to the website on which you placed the order to double-check shipment status.
Other phishing tips
No matter what these phishing emails look like, here are a few additional tips that should help while navigating your inbox:
Stay away from Junk (or Bulk) mail. Any email that lands in this folder is probably there for a good reason. Most can be purged immediately.
Test your URLs. You can perform a quick test to determine where a link will resolve. Just hover over the link (DO NOT CLICK!) with your mouse to see the real destination URL.
Be careful with attachments. It is no longer safe to only avoid attachments with .zip, .jar or .exe files, as attackers are now using more common formats such as Office documents or PDFs to harm your computer. Rule of thumb is to always be careful with any attachment that you were not expecting, especially if it comes from an external source. When is the last time your bank sent you a .doc? It hasn’t. Delete it immediately.
Last, and most important, if you are not expecting an email with an attachment or link from someone, DO NOT OPEN IT. This is the one thing that the attackers need — your curiosity is used to entice you to fall for their trap.
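Two of the checks above, the lookalike-domain comparison (FedExShipping1.com vs. fedex.com) and "hover to see the real destination", can be automated over an email's HTML body. The script below is an added example, not GoDaddy code; the trusted-domain list and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = ("fedex.com", "godaddy.com")  # assumed allow-list for this example
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(value):
    """Last two labels of a URL's host, e.g. 'http://www.fedex.com/x' -> 'fedex.com'."""
    if "://" not in value:                      # bare domain from anchor text
        value = "http://" + value
    host = (urlparse(value).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def check_links(html, trusted=TRUSTED):
    """Return human-readable findings; an empty list means nothing suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href:
            continue
        dest = registrable(href)
        # 1. "Hover to see the real destination": visible text names another domain
        shown = DOMAIN_RE.search(text)
        if shown and registrable(shown.group(0)) != dest:
            findings.append(f"mismatch: text '{text}' but link goes to {dest}")
        # 2. FedExShipping1.com vs fedex.com: brand name inside an untrusted domain
        for good in trusted:
            if dest != good and good.split(".")[0] in dest:
                findings.append(f"lookalike of {good}: {dest}")
    return findings

# Constructed sample email body (not a real message)
SAMPLE = ('<p>Your package is delayed. '
          '<a href="http://FedExShipping1.com/track">fedex.com/track</a></p>'
          '<p><a href="https://www.fedex.com/tracking">Track on fedex.com</a></p>')
```

Running `check_links(SAMPLE)` flags the first link twice (display text names fedex.com while the href resolves to fedexshipping1.com, and that domain is a lookalike of fedex.com) and leaves the genuine fedex.com link alone.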
Sadly, phishing never really goes away and is now simply a reality of doing business online. As we approach the holiday season, the volume of targeted phishing attacks will increase. Think before you click.
For more tips to keep you safe from email phishing attempts, read this article in the GoDaddy Garage.
About the Author:
As Chief Information Security Officer at GoDaddy, Todd Redfoot makes it his mission to keep customer and company data and systems safe. In his spare time, Todd enjoys frequent trips to the beach with his wife and kids.