If an email or text message is suspicious DO NOT CLICK!
Cyber criminals are sneaky, greedy scoundrels always looking for ways to get their hands on your information, and mostly, your money. Don’t take the bait when it comes to phishing. Here are some tips on how to identify a suspicious email or text message, and what to do about it.
What is phishing?
Phishing is when criminals pretend to be from an organisation you would generally know and trust.
They do this to trick you into giving them your personal or financial information.
Because they want you to believe them so you’ll share your details, they usually fake being from a legitimate organisation such as a telecommunications provider, energy provider, government authority or a bank.
They also tend to send messages that are emotive, because they want to trick you, either by scaring you or enticing you with a prize or reward.
Email and text messages are the best way to reach loads of people all at once, cheaply. Cyber criminals are experts in using bulk messaging systems.
Here is the number one rule to protect yourself from becoming a victim of a phishing campaign. If you receive an unexpected email or text message that is not how you would expect the organisation to communicate with you, never ever click on a link, open an attachment or do what they’re asking of you.
We’ll give you some tips further on about what you can do if you believe you’re the recipient of a phishing message.
How to identify a suspicious email or text message
There are a few common mistakes that cyber criminals make that give away their deceptive methods. Here are some signs to look out for.
An email address or mobile number that doesn’t fit with the legitimate organisation
If the organisation’s public website address is ‘sugargliderflights.com.au’ you would generally expect that the email address from an employee of the legitimate organisation would be [employee name]@sugargliderflights.com.au or [department name]@sugargliderflights.com.au.
So, email@example.com or firstname.lastname@example.org is more likely to be a genuine communication from Sugar Glider Flights.
By the way, sugargliderflights.com.au is purely fictitious for the purpose of helping illustrate examples in this article.
If there is no reference to an employee name or department in the email address, and the email address appears to have little relation to the legitimate company’s website address, you have a right to be suspicious. Do not respond to the message. Do not click on any links or open any attachments.
Text messages (SMS) are a little trickier to check. This is because messages sent by bulk messaging services on behalf of legitimate organisations usually come from an automated system with multiple phone number variations. If you’re in doubt, don’t call the number back, but look up the organisation’s public website details and call their publicly advertised customer service number.
The greeting doesn’t address you by name
Cyber criminals aren’t that smart. It is true their methods continue to get more deceptive, but that’s because they have to, as the people they’re trying to deceive are smarter! They don’t necessarily know who you are or what your name is... yet.
A phishing message is more likely to be generic in how it addresses you, because it isn’t coming from a legitimate source! The message may not address you by name because they’re ‘phishing’ at this stage and trying to find out who you are, along with other personal and financial information.
If in doubt, do not respond in any way. Call the legitimate organisation via a publicly advertised contact number.
The quality of the communication isn’t great: there are spelling or grammatical errors
A top tier organisation is unlikely to send a poor quality communication to customers. Often a phishing message will have one or more spelling errors in it. Grammatically it may read a little rough. Based on our earlier example of fictitious company Sugar Glider Flights you may receive a message like:
Hello. To confirm your prize of free international return flight with Suger Glidr Flight click on this link so you will verify your contact details.
Be careful though. Not all cyber criminals are literacy challenged, but errors and poor quality are a sign of a suspicious message.
There is a threat or a promise
To influence an otherwise intelligent person to take an action based on trickery, cyber criminals work on emotions. A phishing message will often either be a threat:
If you don’t provide payment details within 3 business days your mobile phone service will be suspended.
Or a reward or offer of something free:
You must confirm your passport number via this link in the next 5 day, to claim your free return internationla flight voucher with Sugar Glider Flights. Download the atachment to find out more.
If it sounds too good to be true, it probably is!
Hover over the email link – don’t click! – to see where it is taking you
By hovering over the link provided in a message you can view the hyperlink you are being sent to. The hyperlink’s internet address gives you a good hint at where you’re being sent to. For example, if you received a legitimate message from Sugar Glider Flights, you might expect to see an internet address something like:
But, if you hover over the link and it shows something more like:
...see how there is absolutely no relationship with the legitimate company? Not even a mention of Sugar Glider Flights.
If the internet address the link is sending you to looks suspicious, do not go any further. Do not click.
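The sender-address check and the hover check described above can also be done automatically. The following is an added example, not part of the original article: the sender addresses, link addresses and function names are constructed for illustration, and the only name taken from the article is its fictitious sugargliderflights.com.au.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

ORG_DOMAIN = "sugargliderflights.com.au"  # the article's fictitious organisation

def belongs_to(host, org_domain=ORG_DOMAIN):
    """True only for the organisation's own domain or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs: what hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def review_message(from_header, html_body, org_domain=ORG_DOMAIN):
    """Return the reasons, if any, to treat the message as suspicious."""
    findings = []
    sender_domain = parseaddr(from_header)[1].rpartition("@")[2]
    if not belongs_to(sender_domain, org_domain):
        findings.append(f"sender domain {sender_domain!r} is not {org_domain}")
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        host = urlsplit(href).hostname  # the real destination, not the link text
        if not belongs_to(host, org_domain):
            findings.append(f"link {text!r} really goes to {host!r}")
    return findings

# Constructed sample messages (hypothetical addresses; .example is a reserved TLD).
GENUINE = ("Sugar Glider Flights <bookings@sugargliderflights.com.au>",
           '<a href="https://www.sugargliderflights.com.au/trips">View your booking</a>')
SUSPICIOUS = ("Sugar Glider Flights <prizes@sgf-rewards.example>",
              '<a href="https://sugargliderflights.com.au.claim.example/verify">Claim</a>')

if __name__ == "__main__":
    print(review_message(*GENUINE), review_message(*SUSPICIOUS), sep="\n")
```

The second sample shows why the end of the internet address matters: the company name appears at the start of the link, but the address actually belongs to a different domain.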
What to do if you receive a suspicious message
Here are the steps you can take if you suspect a message is suspicious:
- Do not click on any links, download any attachments or respond in any way to the action being requested.
- Contact the legitimate organisation via a publicly available contact phone number or email address and enquire with them. Never rely on the contact details you’ve just received in the suspicious email. Organisations that prioritise your security may offer to report the phishing on your behalf and take action from their end.
- If you do receive a phishing email you can report it to the Australian Cybercrime Online Reporting Network (ACORN).
- Delete the message, and then block the sender. Explore the settings of your mobile phone or email to find out how to do this; it varies from device to device.
Where to go if you think you’ve been contacted by a cyber criminal
ACORN is an Australian government agency that provides advice on how to recognise and avoid different types of cybercrime, to keep you safe.
Visit the website: Australian Cybercrime Online Reporting Network
The Australian Competition and Consumer Commission runs Scamwatch and provides loads of information on types of scams, including phishing. You can report suspected phishing campaigns to Scamwatch and keep up to date with the latest scam and phishing campaigns.
Visit the website: Scamwatch