Datalyst Blog
The Ultimate Guide for Spotting a Scam or Phishing Attack
Cybercriminals have been resorting to clever scams to steal personal information and gain access to company networks. They also use these types of social-engineered scams to distribute malware and cause other problems for organizations. We encourage you to take this blog post and share it around your office, or even print it out to help your employees and colleagues prevent dangerous threats and embarrassing mistakes from happening.
Be Skeptical About Everything, Especially the Urgent Stuff
The first step towards being safe online is to simply be skeptical. If someone or something is rushing you to do something, there’s a decent chance that the sender is attempting to brute force their way past your ability to reason.
This has been a long-time staple in marketing. Remember in the 90’s when commercials for products would encourage you to “order today to receive this one-of-a-kind platinum token!” or “if you order now, we’ll send you a second bottle of our stain remover, but only while supplies last!” These messages were designed to motivate you to act without thinking in order to get a little bit more and to feel validated for what the message is asking you to do.
Scammers and cybercriminals use the same playbook. They try to get you excited about something using urgency, and try to get you to react without thinking. Instead of getting you to buy something, they are just trying to get you to click or download something malicious.
For example, you could get an email that looks like it is from your bank, or one of your vendors, or your Facebook account, or literally anything else online. It might say something along the lines of “Uh oh, your ____ account has experienced a suspicious login, please click here to log into your account to verify your identity!”
That’s a pretty legitimate-looking message. In fact, some organizations might use something very similar IF they detected something suspicious going on with your account.
These days, you can’t really be certain if an unsolicited message is legitimate or not. The best thing to do is to NOT click the links or attachments in an email you didn’t expect, and instead log into the account using a bookmark you have in your browser, a saved entry in your password manager, or a Google search to get to the site you want to log into. That way, you don’t even have to look to see if the link is suspicious, and you can investigate the issue to see if it’s real or not.
Spotting a Phishing Attack
Phishing attacks are emails that are designed to look legitimate, but are actually cleverly disguised traps. As mentioned above, a lot of them use urgency to try to get you to let down your defenses and start clicking away.
Before you click on any link in an email, take a quick look at the URL that the link is going to.
Now, when we say a link, we mean anything that you can hover your mouse over and click on. That means buttons, graphics, text, banners, icons, etc. If it’s clickable, it’s taking you to a link, and knowing the link’s destination can tell you whether it is legitimate or not.
To determine the link URL, you need to hover your mouse over the clickable part in the email, and look at the bottom of the screen, typically on the left for most email clients. It will show you an address that starts with http.
For our example, we’re going to use Amazon.com, and how to spot something suspicious. It’s all about looking for periods in the address, and noting where the periods are.
If there is a period AFTER the domain name of the website you want to go to, then it might be a trap.
- https://www.amazon.com/gp/help/customer/account-issues - This is safe, because there isn’t a period after the .com.
- https://support.amazon.com/ - This is safe, because the extra period is before the company’s domain name (in this case, amazon.com).
- https://support.echo.amazon.com/customer-support/password-reset - Again, this is safe because there are no periods after amazon.com, regardless of how many subdomains (extra periods) are before it in the URL.
- https://support.amazon.ru - Time to slow down. While Amazon does legitimately have a .ru domain, not every business has every variation of domain extension (like .org, .net, .co, .co.uk, etc.). As soon as you get something you don’t expect, start to scrutinize even more.
- https://amazon.passwordservices.com/help/account-issues - This one is dangerous. This URL is technically taking you to a site called passwordservices.com. We just made that up for the example. Anyone could purchase that domain (or something similar) and spoof the URL to say Amazon before the first period. It’s tricky because it’s easy to miss.
Let’s take a look at another example, using PayPal:
- paypal.com - Safe
- paypal.com/activatecard - Safe
- business.paypal.com - Safe
- business.paypal.com/retail - Safe
- paypal.com.activatecard.net - Suspicious!
- paypal.com.activatecard.net/secure - Suspicious!
- paypal.com/activatecard/tinyurl.com/retail - Suspicious!
Keep in mind, these URLs above may or may not be real, we’re just making them up for the sake of an example!
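The “look at where the periods are” rule above can be written down as a check. The following is an added example (not code from the Datalyst post): it takes a link and the domain you expect it to belong to, pulls the hostname out of the URL, and reports whether the host is that domain or a subdomain of it. It also flags the PayPal case where another domain name is buried in the path. The example links are the made-up ones from the post, plus `EXPECTED_DOMAIN` values and verdict strings that are this example’s own assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample links, taken from the made-up examples in the post above.
# Each entry is (link, domain the reader *expects* the link to belong to).
EXAMPLE_LINKS = [
    ("https://www.amazon.com/gp/help/customer/account-issues", "amazon.com"),
    ("https://support.amazon.com/", "amazon.com"),
    ("https://support.echo.amazon.com/customer-support/password-reset", "amazon.com"),
    ("https://support.amazon.ru", "amazon.com"),
    ("https://amazon.passwordservices.com/help/account-issues", "amazon.com"),
    ("paypal.com", "paypal.com"),
    ("business.paypal.com/retail", "paypal.com"),
    ("paypal.com.activatecard.net/secure", "paypal.com"),
    ("paypal.com/activatecard/tinyurl.com/retail", "paypal.com"),
]

# A path segment that looks like "something.tld" (e.g. tinyurl.com).
DOMAIN_LIKE_SEGMENT = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")


def hostname_of(link: str) -> str:
    """Return the lowercase hostname of a link.

    Links pasted from an email often lack a scheme; urlsplit would then treat
    the whole string as a path, so a scheme is added before parsing.
    """
    if "://" not in link:
        link = "https://" + link
    host = urlsplit(link).hostname
    return host.lower() if host else ""


def is_on_domain(host: str, expected: str) -> bool:
    """True if host is exactly `expected` or a subdomain of it.

    The comparison is made at a label boundary (the leading "."), so
    "paypal.com.activatecard.net" is NOT on paypal.com, and neither is
    "notpaypal.com".
    """
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


def path_embeds_domain(link: str) -> bool:
    """True if any path segment looks like a domain name (e.g. tinyurl.com)."""
    if "://" not in link:
        link = "https://" + link
    segments = urlsplit(link).path.split("/")
    return any(DOMAIN_LIKE_SEGMENT.match(seg.lower()) for seg in segments if seg)


def classify(link: str, expected: str) -> str:
    """Apply the post's rule of thumb and return a short verdict.

    Verdict strings are this example's own choice:
      "different domain" - host is not expected or a subdomain of it
      "domain in path"   - host is fine, but the path carries another domain
      "same domain"      - host is the expected domain or a subdomain of it
    """
    host = hostname_of(link)
    if not is_on_domain(host, expected):
        return "different domain"
    if path_embeds_domain(link):
        return "domain in path"
    return "same domain"


def classify_all(links=EXAMPLE_LINKS) -> list:
    """Classify every (link, expected) pair and return (link, verdict) tuples."""
    return [(link, classify(link, expected)) for link, expected in links]


if __name__ == "__main__":
    for link, verdict in classify_all():
        print(f"{verdict:17}  {link}")
```

Note that this only reproduces the post’s rule of thumb: a link on the expected domain can still lead somewhere unpleasant (an open redirect, a compromised page), and a different domain is a reason to slow down rather than proof of fraud, exactly as the amazon.ru example says. Feed it the hover-over address, not the link text, since the two can differ.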
Scams Can Be Very Personal
The most effective scams start with some research. It’s easy for cybercriminals to just build a phishing email and send it out to a million recipients, but they know they can get a more reliable return if they target an organization and use public information to sneak their way in.
For example, they could do a little research and find out who the CEO is and what his or her email is. Then they can spoof that email and send emails to employees requesting to authorize payment to a certain account or something along those lines.
The best defense against this is to simply call and get confirmation before you take any action on an email that has to do with giving somebody access to something or authorizing money or information transfers.
Yes, it might be annoying, and it might seem frivolous, but building this sort of zero-trust habit pays off in the long run, and reinforcing it with everybody you work with will gradually spread this habit out and help prevent others from falling for scams.
Need Help Securing Your Business?
We’re unique compared to other IT companies, in that we strongly prioritize cybersecurity. If you suspect your business is getting fraudulent emails and phishing attacks, or you want to strengthen your security to prevent potential issues (including spam filtering, staff training, meeting compliance regulations, and more), give us a call at (774) 213-9701 to talk about how we can protect your organization from threats of all kinds.