I checked my email recently, and amid the usual promotional messages, reader letters, PR content, and obvious phishing attempts in my inbox, there were a few emails related to my YouTube account. In the past, Google warned that hackers were sending phishing emails to YouTube creators, offering antivirus software in exchange for a review on the channel. The antivirus app was, in fact, malware designed to steal passwords and browser cookies, which can also hold login credentials.
Thankfully, I didn’t open the attachment. I deleted the email, added the address to my block list, and moved on with my life. I got lucky, because not all phishing attempts are this obvious. Keep scrolling, and I’ll tell you how to spot phishing warning signs, and how to safely interact with emails and text messages from strangers in the future.
How to Open a Cold Email in the Phishing Age
If you want to verify that an email came from someone you know and contains safe links, the US Federal Trade Commission offers tips to stay safe. Let’s break them down:
When trying to spot phishing attempts, first find out who sent you the suspicious email. If you don’t recognize the address or the sender, think twice about opening any links contained within the email. Be wary of misspelled email addresses or familiar sender names that don’t match the email address.
Another way to spot a phishing attempt in your work or personal inbox is to carefully read the content of the message. Does it start with a generic greeting? A business email usually won’t begin with a casual greeting such as, “Hi Dear.” An email from a friend usually won’t spell your name wrong or address you with an honorific like “Mr., Mrs., or Miss.” Look also at the sender’s word choices. Is the message riddled with typos? Does it reference subjects or offer products that you’ve never heard of? Yes, scammers and criminals who use LLMs like ChatGPT can whip up a credible-sounding email in seconds, but the prose often sounds impersonal, and contains generic greetings and sign-offs.
After reading the email carefully, resist the urge to click any links right away. Instead, let your mouse hover over the links before you click on them. Your browser will reveal the web address for each one. If the link looks suspicious (for instance, a link purporting to be from Netflix takes you to an entirely different domain), don’t click on it! Delete the email or report it as spam and move on. In a similar vein, be wary of any emails that invite you to click on a link, whether to update your payment details, update your account information, receive a coupon for free stuff, or examine an invoice you aren’t expecting.
How to Combat Email Phishing Attempts
Even the most vigilant email user can be caught unaware by a malicious link in an email. Add extra layers of protection to your online life so you can mitigate the damage done by scammers:
- Use security software. The best antivirus and security suites have phishing protection built right in. Set the software to update automatically and run in the background to protect you from phishing attempts.
- Use multi-factor authentication everywhere you can online. Even if a scammer manages to get a hold of your username or password, if you set up multi-factor to be something you have (a hardware security key or an authenticator app), or something you are (a scan of your fingerprint, retina, or face), it’s harder for the bad guys to log into your accounts.
- Back up your data. Copy your important documents and information regularly and store them on an external hard drive or with an online backup or storage service.
Phishing on Your Phone
When I chatted with some of my PCMag colleagues about phishing, they noted they’ve been plagued with SMS phishing attempts recently, also known as “smishing.” Here are some examples of smishing:
If you aren’t careful, these types of messages may fool you into giving up valuable information about yourself or downloading malware onto your phone.
Both messages came from an unknown phone number. Both requested action on a finance-related problem, and both contained suspicious links. The first message is from an unknown company about a product I’ve never purchased, and the use of the bit.ly link shortener is a common way for smishers to encourage their victims to click. The Citibank message is worrying because the link address is slightly off, featuring a dash instead of a period between “support” and “citi.”
For years, security researchers, including Andrew Conway, have noted that SMS spam could be curtailed by mobile carriers if they stopped offering unlimited texting plans. Until that happens, the best way to fight back against mobile spam in the United States is to forward the messages to short code SPAM (7726).