Microsoft 365
November 21, 2022

Phishing 101: How Not to Take the Bait

By now you know that scammers will look for any and every effective method to infiltrate your home computer network and steal that oh-so-valuable personal information. After all, you probably have info like your social security number, passwords, even credit card numbers somewhere on your computer.

A graphic using fishing lines taking away passwords, login credentials and emails as an analogy for a phishing attack.

How does phishing play a role?

One of the most effective techniques cybercriminals use to gain access to your computer is known as phishing: scammers send you a message with a link that, if clicked, takes you to a malicious website that will either automatically download malware to your computer or trick you into revealing your personal information.

Is it really that easy to take the bait?

The answer is: yes. Scammers use links in emails to lure users much like you would a fish (using an irresistible, tasty morsel) into sharing sensitive information.

NOTE: These messages can come in the form of a text, too, which is known as “smishing”.

Maybe the bait is a link to an “amazing” video. Maybe it’s an urgent message telling you an account has been hacked. You can refuse the bait, as it were, by knowing how to recognize what’s real and what may be a fake. Here are some tips:

  • Identify red flags. Every scam is going to have some sort of red flag that can tip you off right away that something isn’t right. Here are some telltale signs of phishing emails:
    • It uses a generic greeting. An email that starts “Dear Friend” or something similar is likely a phishing scam.
    • It’s addressed to the wrong person. If you don’t share an email address with a spouse or significant other, delete emails that are addressed to someone other than yourself or someone you know.
    • There’s a link to an unnecessary invoice. It’s not normal to receive an invoice from random agencies or companies you haven’t worked with.
    • You notice special characters or numbers are used in the middle of words. You might see words like M!crosoft or Netf1ix in phishing emails.
    • The message asks you to confirm personal information. Be wary of emails that ask you to log in to a website using a link from within an email. Even if it seems legit, it’s always better to go directly to the website to log in rather than using a suspicious link.
  • Take time to think before you click. Unless you know the sender, don’t absent-mindedly click any links in emails. Even messages that appear to be sent from a store, brand, or individual you’re familiar with can be duplicated and contain malicious links. For instance, a scammer can grab a Netflix logo from a quick Google search and include it in an email to make it look like a legitimate email. Take a minute or two to look the email over and decide if it’s from someone you trust. When in doubt, don’t click the link. If you’re concerned that you need to look at the information on a website where you have an account, go directly to the site and log in rather than using the link in the message.
  • Don’t click pop-ups. For a short time, it seemed that pop-up ads were on their way out. However, they seem to have made a resurgence on websites as a way to keep you on a website if you’re going to navigate away. While this is an effective marketing tactic, some pop-ups contain malicious links strategically located within the window. You might click buttons that say, “Cancel,” “Close,” or “No thanks,” but rather than closing the window without incident, the link can download malware to your computer or authorize access to sensitive information. The best way to avoid pop-ups is to click the “x” in the corner.
  • Be skeptical of emails from unknown senders. There’s nothing wrong with being skeptical of emails. After all, the vast majority of emails we receive these days are likely promotional emails or phishing scams. Don’t feel bad if you want to scrutinize an email before responding or clicking a link. Check the details in an email by looking for misspelled words, mismatched fonts, or awkward phrasing that feels out of place. It’s always better to be safe than sorry when it comes to protecting your personal information.
  • Install firewalls. Firewalls are an excellent way to keep you from visiting malicious websites and to block incoming threats. You can install network firewall hardware and computer firewall software to work together to keep you safe from inadvertently welcoming threats by clicking unsafe links.
  • Hover over the sender’s address with your mouse. It’s not uncommon to receive emails that look like they’re from a legitimate source. Let’s revisit the Netflix example. You might get an email with a Netflix banner at the top that says there’s been a login attempt somewhere in the world where you aren’t. One of the quickest and easiest ways to see that the email isn’t actually from Netflix is by looking at the email address from where the message originated. Netflix and other organizations will use an email domain that’s attached to their website. So, someone with an address like joethepirate@hagotcha.com doesn’t need you to verify a login attempt.
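
Several of the red flags above (generic greeting, look-alike spellings such as “Netf1ix”, and a sender domain that doesn’t belong to the brand named in the message) can be checked mechanically. The Python sketch below is an added example, not part of the original article or any Microsoft product; the brand-to-domain table, the flag labels, and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand -> domains it really sends from (maintain your own list).
BRAND_DOMAINS = {"netflix": ("netflix.com",), "microsoft": ("microsoft.com",)}
# Fold look-alike characters together so "Netf1ix" and "Netflix" compare equal.
FOLD = str.maketrans("i1!|0$53@", "llllossea")
GENERIC = re.compile(r"^\s*dear\s+(friend|customer|user|member)\b", re.I | re.M)

# Constructed sample message, modelled on the Netflix scenario in the text.
SAMPLE = """\
From: Netflix Support <joethepirate@hagotcha.com>
To: you@example.com
Subject: New login attempt on your Netf1ix account

Dear Friend,

We noticed a login attempt. Please confirm your details.
"""

def skeleton(word):
    """Lower-case a word and collapse characters that are easy to confuse."""
    return word.lower().translate(FOLD)

def red_flags(raw_email):
    """Return sorted red-flag labels for one single-part, plain-text message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    text = " ".join([display, msg.get("Subject", ""), body])
    flags, claimed = set(), set()
    if GENERIC.search(body):
        flags.add("generic-greeting")
    for token in re.findall(r"[A-Za-z0-9!|$@]+", text):
        token = token.strip("!|$@")  # drop sentence punctuation at the edges
        for brand in BRAND_DOMAINS:
            if skeleton(token) == skeleton(brand):
                claimed.add(brand)  # the message presents itself as this brand
                if token.lower() != brand:
                    flags.add("lookalike-spelling:" + token)
    for brand in claimed:
        allowed = BRAND_DOMAINS[brand]
        if not any(domain == d or domain.endswith("." + d) for d in allowed):
            flags.add("sender-domain-mismatch:" + brand)
    return sorted(flags)

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

An empty result only means none of these three heuristics fired; it does not mean the message is safe.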
A graphic of an open envelope with a letter with the word PHISHING on it being pulled out by a fishing line.
“The term phishing comes from scammers using links in emails and instant messages to lure users into a false sense of security to share sensitive information.”

With more than 3.4 billion phishing emails sent worldwide every day, there are bound to be some accidental bites. By using these tips, you can help ensure you’re not one of the unfortunate people who takes the bait.