As it is Cybersecurity Awareness Month, I’d like to post a perennial favorite of readers: My tips on how to spot a phishing email, text message, or call.
While there is no guaranteed way to always be 100% sure that a message is real or fake (and therefore you should reach out to whoever supposedly sent the message to find out), there are things that the majority of phishing/smishing/vishing scams and attacks do hold in common. The reason is simple: threat actors realize they have to make their attack messages seem real, urgent, and mandatory for you to follow their instructions. Because of that, you should always be on the lookout for three “calls,” and when you see them you should immediately become much more suspicious of the message.
1 – A Call to Authority
Threat actors know that people will typically show doubt in any unexpected email asking them to do something. Most people even doubt text messages and phone calls these days. In order to overcome this, threat actors will attempt to impersonate a person, company, or government organization you are less likely to question. Common examples are known executives at the company you work for, companies you do business with like Microsoft and Amazon, or government agencies you have to interact with like the Internal Revenue Service here in the USA. By making a call to authority, threat actors have a better chance that you will act on the information in the message without questioning it. This typically takes the form of the email or text appearing to be coming from the person or company in question – either by spoofing a known email address, or just flat out stating they’re from the company or org in question in a text message or phone call.
2 – Call to Urgency
We humans have a few common behaviors that threat actors like to take advantage of. One of those is that, when faced with an urgent situation, we tend to examine what is going on less often and act immediately more often. Because of this, threat actors will often try to inject a sense of urgency into their messages to trick a person into performing an action as a kind of knee-jerk reaction, rather than taking time to question what is going on. Common examples of this are messages saying your membership to an online service is locked/cancelled, or that an invoice for a service must be paid immediately to avoid it going into collections. Other examples may be someone impersonating your boss demanding that you perform some action – like buying gift cards – that must be done right this minute since they’re in a critical meeting. All of these situations play upon our human nature and tendency to act quickly when we feel we’re in a significantly urgent situation.
3 – Call to Specific Action
Nearly every message you get on your phone or via email has some kind of call to action. Your spouse reminding you to pick up bananas. Your boss telling you to complete a task. Your friends asking you to choose a restaurant to meet up at. What these examples have in common with normal and legitimate requests is that they have multiple paths that can be taken to complete them. You could step out at lunch to get bananas, or get them on the way home. You can complete the task yourself, or coordinate with your co-workers. You have a selection of restaurants to choose from, or can even suggest that someone else choose this time. While there are legitimate situations where only one path of action is possible, there are far more situations where there are multiple paths that can be taken. A message that is demanding that you take a very specific path of action should raise your suspicion levels significantly. Common examples of this are when you are required to use a specific link in the email to respond, or when you are given a specific phone number for a law enforcement agency in a voicemail that you must call.
When you encounter one of these three calls by itself, there’s a good chance the message is legitimate. Your boss may call you, for example. When you see them stacking up together in a message, it is insanely likely that the message is some form of social engineering. When Apple emails you and demands you immediately call a specific phone number because your account is suspended, this is not a real email from Apple. When your boss texts you to demand you drop everything you’re doing and go buy a specific number of Visa gift cards right this second, that is not a real text from your boss. When you get a phone call from the IRS demanding you immediately wire them funds via a named wire service to cover penalties or risk being arrested, that is not a legitimate call from the IRS.
In each of those cases, there is a call to authority (Apple, your boss, the IRS), there is a call to urgency (this must be done RIGHT NOW!), and a call to a specific action (call a defined phone number, buy specific gift cards, wire money through a specific method). By looking for all three of these calls whenever you get a text, email, or phone call whose origin you can’t confirm, you can quickly determine the likelihood that this is a scam, phish, or fake. Note that this doesn’t remove the need to use good online hygiene – you still shouldn’t click on a link or open an attachment unless/until you know who sent it and why – but by taking a step back and really looking closely whenever you see all three calls you can spot the fakes quickly and accurately.
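To show how the “three calls stacked together” reasoning above can be turned into a simple triage check, here is an added example (not part of the original post) that scores constructed sample messages for each call. The keyword patterns and sample texts are assumptions chosen for illustration, not a production phishing filter.

```python
import re

# One pattern per "call" from the post. The word lists are illustrative
# assumptions, not an exhaustive or production rule set.
CALLS = {
    "authority": re.compile(
        r"\b(apple|amazon|microsoft|netflix|irs|internal revenue service|"
        r"sheriff|your boss|ceo|your bank)\b", re.IGNORECASE),
    "urgency": re.compile(
        r"\b(immediately|right now|right this second|within \d+ hours|"
        r"suspended|locked|cancel+ed|collections|arrest(ed)?|urgent)\b",
        re.IGNORECASE),
    "action": re.compile(
        r"(https?://\S+|\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b|\bgift cards?\b|"
        r"\bwire\b|\bcall (this|the|our) number\b)", re.IGNORECASE),
}

def three_calls(text):
    """Return which of the three calls appear in a message."""
    return {name: bool(pat.search(text)) for name, pat in CALLS.items()}

def triage(text):
    """Map the number of stacked calls to the post's advice."""
    calls = three_calls(text)
    hits = sum(calls.values())
    if hits == 3:
        verdict = "HIGH: all three calls stacked; Calm Down, Confirm, then Continue"
    elif hits == 2:
        verdict = "ELEVATED: two calls present; confirm via an independent channel"
    else:
        verdict = "LOW: a single call by itself is often legitimate"
    return hits, calls, verdict

# Constructed sample messages for demonstration (not real messages).
SAMPLES = [
    "Apple: your Apple ID has been suspended. Call 555-013-4477 immediately to restore access.",
    "Hi, it's your boss. I'm stuck in a meeting, buy 5 Visa gift cards right now and text me the codes.",
    "Your Amazon order has shipped. Track it at https://example.invalid/track",
    "Can you pick up bananas on the way home?",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        hits, calls, verdict = triage(msg)
        print(f"{hits}/3 {calls} -> {verdict}\n    {msg}")
```

The Amazon shipping notice scores two calls (a named company plus a link), which is exactly why the post tells you to visit the site independently rather than clicking.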
So how do you take the next step when you suspect a message may be fake, fraudulent, or phishing?
1 – Calm Down: No matter how urgent the message may seem, legitimate requests nearly always give you at least a few minutes to figure things out. The sender of that message may not want you to, but you can, and you definitely should. Take a moment to review what is going on before you take action on it.
2 – Confirm: No matter who is reaching out to you, there are other paths you can use to confirm what is happening and whether it is legitimate. For companies like Apple, Amazon, Microsoft, Netflix, your bank, etc., you can independently visit the website in question via a browser (without clicking on links in the email or text), log in, and see if there are any messages or alerts waiting for you. If the Sheriff’s Office is calling you, then you can hang up, find a known and trusted number for them through a web search, and call them directly. If your boss needs something, you can take a moment to check with HR, or call your boss directly via a phone number you know to be assigned to them. Taking a minute or so to confirm what is going on can keep you from taking an action that you’ll regret later.
3 – Continue: After you take a moment to review the situation and then confirm the details via some method other than the one the email/text/phone call is demanding, you can decide what to do next. If you can confirm that the request/demand is actually real, you can act on it. If you can’t confirm it – or if you’re able to confirm the demand is fake – you can report it and/or ignore it. If it has anything to do with your company, you should definitely report it. If it has to do with some other company or government organization, you should still report it via the methods on their corresponding websites, but that’s up to you. Reporting the incident helps everyone else stay safer by allowing companies, your organization, and other organizations to better train their users to spot these fakes in future, and to involve law enforcement when necessary.
So remember, any time you see all three calls – A Call to Authority, A Call to Urgency, and A Call to Specific Action – in one message, then Calm Down, Confirm, and then – and only then – Continue. Stay safe out there.