|Imagery Mismatch: Sometimes phishers will recreate a logo or emblem to include in a message if they feel it will add legitimacy. Typically this only happens when they are unable to make an existing logo work within their campaign, because recreating one is time consuming.|
|Tip: If something seems wrong, a quick search of Google Images for the company's logo should help.|
|Always compare the displayed link address to its actual destination: Whether in an email or on a webpage, never assume that the URL displayed is where the link will take you, or that it belongs to the appropriate organization.|
|Tip: Take your mouse and place it over this link: www.bankofamerica.com | Now look in the footer of your browser window or the tool tip (depending on browser). Does it display bankofamerica.com or hackers.xyz?|
|Does the URL belong to the organization it represents? Often attackers will register URLs that are similar to real ones to trick you.|
|Tip: If you are not sure whether the link points to the intended organization, put the domain name (e.g. acme.com | not www.acme.com) into the search box at: https://www.internic.net/whois.html|
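The hover test above can be automated for an HTML message body: compare the domain named in a link's visible text with the domain its href really points to. This is an added example, not code from the original page; the bankofamerica.com / hackers.xyz sample is constructed to mirror the page's own illustration, and the "registrable domain" reduction to the last two labels is a deliberate simplification (no public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")   # at least two labels

def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def host_of(text: str) -> str:
    """Hostname named by a URL or bare 'www.site.com' text, or '' if it names none."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text          # lets urlparse treat a bare host as the netloc
    try:
        host = (urlparse(text).hostname or "").lower()
    except ValueError:                   # e.g. unbalanced brackets in free text
        return ""
    return host if HOST_RE.fullmatch(host) else ""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html: str) -> list:
    """(visible text, real host) for links whose text names one domain but which point at another."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown, real = host_of(text), host_of(href)
        # Only a mismatch when the text itself names a domain; "click here" cannot be judged.
        if shown and real and registrable_domain(shown) != registrable_domain(real):
            findings.append((text, real))
    return findings

SAMPLE = ('<p>Sign in at <a href="https://hackers.xyz/login">www.bankofamerica.com</a> '   # constructed
          'or <a href="https://www.bankofamerica.com/">www.bankofamerica.com</a></p>')
```

Running `mismatched_links(SAMPLE)` reports only the first link, whose text says bankofamerica.com while the destination is hackers.xyz.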
|Offers too good to be true? Often phishing emails offer impossible-to-obtain items, ridiculous discounts, or very short response intervals. This is designed to pressure you into clicking before you think.|
|Tip: These are the same tactics used throughout time: "I have a bridge in New York; I'll get you a deal on it." You are far more likely to not get what you think, to be scammed, or to be phished when these types of messages arrive. If you can't resist the deal, at least use what you learned in the Links section to try to validate the sender and site. Consider calling the real organization to verify whether the deal is legitimate.|
|Grammar and Spelling Errors: We all make innocent spelling and grammar errors from time to time. While less reliable an indicator than in the past, look for signs that the email may have been written by someone who is unfamiliar with the language of the message.|
|Tip: The most common mistakes tend to manifest around gender usage, verb tense, and regional spellings / word usage (e.g. analog vs. analogue; Interpol vs. FBI; etc.)|
|Message Requests Personal or Organizationally Sensitive Information: Email is transmitted between mail servers across the internet unencrypted. This means it can be intercepted using a technique called Man-in-the-Middle. Never send sensitive information via email, and never ask someone for sensitive information over email!|
- If someone requests sensitive personal information, use a known valid phone number and call the individual or company.
- Never, never, provide your user name to a technical support person over email!
- If a technical support person asks for your password, document their name, hang up immediately, and call your Information Security Officer!
- Never use information in the email as a source to verify the company or email sender.
|Money Transfer Tip: If you receive an email from a senior executive directing you to immediately transmit organization funds to an account, stop! This is a potential sign of what the FBI terms Business Email Compromise. Always follow the organizational written procedure for transmission of electronic funds. If the request is to an unknown account or otherwise unusual, do not be afraid to confirm the requirement via telephone with the requestor. It's far better to do your due diligence and validate than to explain why you transferred $50,000 to some offshore bank in Bangkok.|
|Law Enforcement doesn't take Gift Cards, Bill via Email, or use Bitcoin: The FBI doesn't take gift cards or other electronic media as a form of payment for some misdeed you are being accused of!|
|Tip: If you receive an email or pop-up that appears to be from a law enforcement agency and requests money, it's malware. Immediately initiate a malware scan both online and offline.|
|Free is Free - Scrutinize Surcharges or Fees: A service fee to process your winnings from a contest you never entered should raise a red flag. The old saying "We never get something for nothing" applies here.|
|Secrecy or Urgency Requirement: This category covers two distinct social engineering techniques. First is secrecy; we all want to feel special and trusted. When an email asks you not to share something with others, always ask whether it would be typical for you to receive this information from the sender in the course of your normal duties. Second, while short-suspense actions occur in business far too often, they are typically known requirements (reports, evaluations, etc.). Urgency is a typical tactic used to drive users to click before they think.|
|Tip: If there is unusual secrecy, the content provided is outside your typical scope of duties, or the sender is not someone you would typically deal with, you should be suspicious. Contact your Information Security Officer and seek assistance to validate the sender. If the matter is truly urgent, taking a minute to validate the requirement using a trusted number in your organizational directory won't matter one way or the other.|
|Email isn't from an Organizational Account: There are a couple of different ways phishing campaigns can spoof emails. The easiest method is to get a free email account that is similar to the legitimate one (e.g. email@example.com vs. firstname.lastname@example.org). Another method is to set the information the email displays to be different from the sender's actual address (e.g. from: email@example.com ( firstname.lastname@example.org)).|
|Tip: If the email client you use doesn't show the sender's full email address, hover over the sender and it should provide a tool tip that includes the full email address.|
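The two sender tricks above (a lookalike free-mail domain, and a display name that carries a different address than the real sender) can be checked directly on the From: header. This is an added example, not code from the original page; it assumes example.org is the organization's own mail domain, uses the standard library's parseaddr, and the header values are constructed samples.

```python
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.org"          # assumption: the organization's real mail domain
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def from_header_findings(header: str, org_domain: str = ORG_DOMAIN) -> list:
    """Reasons a From: header looks spoofed; an empty list means nothing stood out."""
    display, address = parseaddr(header)
    if "@" not in address:
        return ["no usable sender address"]
    sender_domain = address.rsplit("@", 1)[1].lower()
    findings = []
    # Second trick from the text: the display name (or a parenthesised comment,
    # which parseaddr also returns as the name) shows a different address than
    # the one the mail is really sent from.
    for embedded in EMAIL_RE.findall(display):
        if embedded.rsplit("@", 1)[1].lower() != sender_domain:
            findings.append(f"display name shows {embedded} but mail is from {address}")
    # First trick: a free or lookalike domain that reuses the organization's name
    # under a different suffix (example.com vs. example.org).
    org_name = org_domain.split(".")[0]
    if sender_domain != org_domain and org_name in sender_domain.split("."):
        findings.append(f"sender domain {sender_domain} resembles {org_domain} but is not it")
    return findings

# Constructed headers: a legitimate one, then the two spoofing styles the text describes.
SAMPLES = [
    "Firstname Lastname <firstname.lastname@example.org>",
    '"firstname.lastname@example.org" <email@example.com>',
    "email@example.com ( firstname.lastname@example.org)",
]

if __name__ == "__main__":
    for hdr in SAMPLES:
        print(hdr, "->", from_header_findings(hdr) or "looks consistent")
```

The domain comparison is intentionally simple; a real mail gateway would also check SPF/DKIM/DMARC results rather than the visible header alone.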