No one wants to believe they'd fall for a phishing scam. Yet, according to Verizon's 2016 Data Breach Investigations Report, 30 percent of phishing emails get opened. Yes, that's right -- 30 percent. That incredible click-through rate explains why these attacks remain so popular: it just works.
Phishing works because cybercriminals take great pains to camouflage their "bait" as legitimate email communication, hoping to convince targets to reveal login and password information and/or download malware. Even so, there are still a number of ways to identify phishing emails. Here are five of the most common elements to look for.
1. Expect the unexpected
In a 2016 report from Wombat Security, organizations reported that the most successful phishing attacks were disguised as something an employee was expecting, like an HR document, a shipping confirmation or a request to change a password that looked like it came from the IT department.
Make sure to scrutinize any such emails before you download attachments or click on any included links, and use common sense. Did you actually order anything for which you're expecting a confirmation? Did the email come from a store you don't usually order supplies from? If so, it's probably a phishing attempt.
Don't hesitate to call a company's customer service line, your HR department or IT department to confirm that any such emails are legitimate - it's better to be safe than sorry.
2. Name check
If you receive an email or even an instant message from someone you don't know directing you to sign in to a website, be wary, especially if that person is urging you to give up your password or social security number. Legitimate companies never ask for this information via instant message or email, so this is a huge red flag. Your bank doesn't need you to send your account number -- they already have that information. Ditto with sending a credit card number or the answer to a security question.
You also should double-check the "From" address of any suspicious email; some phishing attempts use a sender's email address that is similar to, but not the same as, a company's official email address.
3. Don't click on unrecognized links
Typically, phishing scams try to convince you to provide your username and password, so they can gain access to your online accounts. From there, they can empty your bank accounts, make unauthorized charges on your credit cards, steal data, read your email and lock you out of your accounts.
Often, they'll include embedded URLs that take you to a different site. At first glance, these URLs can look perfectly valid, but if you hover your cursor over the link, you can usually see the actual destination address. If the hyperlinked address is different from what's displayed, it's probably a phishing attempt and you should not click through.
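One way to automate the checks from sections 2 and 3, as an added example that is not part of the article: parse the links out of an HTML message body, flag any whose visible text names a different host than the real href, and flag sender domains that resemble the company's official domain without being it. The helper names, the similarity threshold and the sample message are all constructed here for illustration.

```python
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or bare domain; group 1 is the host it shows.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return (shown_text, real_href) for links whose displayed host differs from the real one."""
    parser = LinkCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        shown = URL_LIKE.match(text)
        real_host = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower() != real_host:
            bad.append((text, href))
    return bad

def sender_lookalike(from_addr, official_domain):
    """True when the sender's domain resembles, but is not, the official domain."""
    domain = from_addr.rsplit("@", 1)[-1].strip("> ").lower()  # handles "Name <user@host>"
    official = official_domain.lower()
    if domain == official or domain.endswith("." + official):
        return False  # the real domain or a genuine subdomain of it
    brand = official.split(".")[0]
    similarity = difflib.SequenceMatcher(None, domain, official).ratio()  # 0.75 is an assumed cutoff
    return brand in domain or similarity >= 0.75

# Constructed sample: a fake shipping notice whose first link shows one host but goes to another.
SAMPLE_HTML = """<a href="http://track-update.example.net/x">https://www.example.com/track</a>
<a href="https://www.example.com/help">Help center</a>
<a href="https://www.example.com/account">www.example.com/account</a>"""
```

A link whose text is just "Help center" cannot be judged by this comparison, so it is not flagged; the hover-and-read check from the text still applies to it.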