I checked my email over the weekend and amid the usual promotional messages, reader letters, PR content, and obvious phishing attempts in my inbox, there were a few emails related to my YouTube account. Recently, Google warned that hackers were sending phishing emails to YouTube creators, offering antivirus software in exchange for a review on the channel. The antivirus was in fact malware designed to steal passwords and browser cookies, which can also hold login credentials.
Opening Cold Emails in the Phishing Age
Just to be safe, I didn’t open the messages or click on any links in the YouTube-related emails, but it occurred to me that identifying legitimate contact is difficult in the age of frequent phishing attempts. PCMag lead security analyst Neil J. Rubenking wrote about this quandary recently, after helping a friend figure out whether an email purporting to be from Facebook was a phishing lure. In the end, that email turned out to be a real marketing message from Facebook, but he had to go through through several steps to determine the message’s legitimacy.
Facebook keeps a list of verified correspondence in the account area of your profile, so it’s easy to match emails you receive in your inbox with the messages you see from Facebook in your account. But what if you want to verify that an email came from someone you know and contains safe links? The US Federal Trade Commission offers a few steps you can take to stay safe.
- Look at the From email address. If you don’t recognize the address or the sender, think twice about opening any links contained within the email.
- Spot a generic greeting. A business email usually won’t begin with a casual greeting such as, “Hi Dear.” An email from a friend usually won’t spell your name wrong or address you with an honorific like “Mr., Mrs., or Miss”.
- Look at the link URLs. Mouse over links before you click on them. Your browser will reveal the web address for each one. If the link looks suspicious (for instance, a link purporting to be from Netflix takes you to an entirely different domain), don’t click on it! Delete the email or report it as spam and move on.
- Be wary of any emails that invite you to click on a link to update your payment details, update your account information, receive a coupon for free stuff, or include an invoice you aren’t expecting.
How to Combat Email Phishing Attempts
Even the most vigilant email user can be caught unaware by a malicious link in an email. Add extra layers of protection to your online life so you can mitigate the damage done by scammers.
- Use security software. The best antivirus and security suites have phishing protection built right in. Set the software to update automatically and run in the background to protect you from phishing attempts.
- Use multi-factor authentication everywhere you can online. Even if a scammer manages to get a hold of your username or password, if you set up multi-factor to be something you have (a hardware security key or an authenticator app passcode), or something you are (a scan of your fingerprint, retina, or face), it’s harder for the bad guys to log into your accounts.
- Back up your data. Copy your important documents and information regularly and store them on an external hard drive or with an online backup or storage service.
Like what you’re reading? You’ll love it delivered to your inbox weekly. Sign up for the SecurityWatch newsletterSign up for the SecurityWatch newsletter.
Phishing on Your Phone
After chatting with some of my PCMag colleagues about phishing, they noted they’ve been plagued with SMS phishing attempts recently, also known as “smishing.” Here are some examples of smishing, one is an attempt I received last year, and another that a coworker received recently:
If you aren’t careful, these types of messages may fool you into giving up valuable information about yourself or downloading malware onto your phone.
Both messages came from an unknown phone number. Both requested action related to a finance-related problem, and both contained suspicious links. The first message is from an unknown company about a product I’ve never purchased, and the use of the bit.ly link shortener is a common way for smishers to encourage their victims to click. The Citibank message is worrying because the link address is slightly off, featuring a dash instead of a period between “support” and “citi.”
For years, security researchers, including Andrew Conway, have noted that SMS spam could be curtailed by mobile carriers if they stopped offering unlimited texting plans. Until that happens, the best way to fight back against mobile spam in the United States is to forward the messages to short code SPAM (7726).