
How to use your source-checking skills to stay safe from phishing

By Harrison Stites

According to the FBI's Internet Crime Complaint Center (IC3), 241,342 Americans were victims of successful phishing attacks in 2020. The tactics used in phishing continue to evolve, but the intent stays the same: getting you to divulge sensitive information or download malicious attachments. However, you already possess the skills to prevent phishing attacks and stay safe online. As a member of the WashU community, you are familiar with the process of checking sources. Whether you are more comfortable verifying political sources or checking the credibility of a journal, you can use those same skills to identify phishing and other malicious correspondence, keeping yourself and your data safe.

Like vetting a source, the first thing you should do when you receive an unexpected email is verify the identity of the sender. A telltale sign of a phishing email is an address that attempts to imitate a WashU email address, such as “…wustl.edu@yahoo.com.” These email addresses also attempt to emulate official addresses from other universities and companies. Just as you would verify the author’s identity or credentials when checking a source, a quick Google search to confirm the identity of the sender and their email address can make the difference in detecting a phishing scam. Secondly, a quick scan for grammatical or spelling errors is beneficial. The absence of grammatical errors doesn’t always mean that an email is safe, but having significant grammatical errors is a sign that the email should not be trusted. (Sort of like a job candidate who claims, “I have a strrong atttention to detale”.)
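The sender check above can be made mechanical. The following is an added example, not code from the newsletter or from WashU: it pulls the real domain out of a From: header and flags the lookalike pattern the article describes, where a trusted domain name appears in the display name or local part while the message actually comes from somewhere else. The trusted domain, the helper names and the sample headers are assumptions constructed for illustration.

```python
# Added example (not part of the original newsletter): flag sender addresses
# whose real domain does not match the organisation they appear to come from.
# TRUSTED_DOMAIN and the sample headers below are assumptions for illustration.
from email.utils import parseaddr

TRUSTED_DOMAIN = "wustl.edu"  # assumed: the organisation's real mail domain


def sender_domain(from_header: str) -> str:
    """Return the actual domain of the address in a From: header, lowercased.

    parseaddr separates the display name from the angle-bracketed address,
    so a forged display name such as '"it@wustl.edu" <x@yahoo.com>' cannot
    pass itself off as the sending domain.
    """
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def is_trusted_domain(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only if domain is the trusted domain itself or a subdomain of it.

    The suffix test requires the dot, so 'wustl.edu.evil.example' and
    'notwustl.edu' are both rejected.
    """
    return domain == trusted or domain.endswith("." + trusted)


def check_sender(from_header: str, trusted: str = TRUSTED_DOMAIN) -> dict:
    """Classify a From: header.

    'lookalike' is set when the header mentions the trusted domain anywhere
    (display name, local part, or as a prefix of a different domain) but the
    real sending domain is not trusted: the '...wustl.edu@yahoo.com' pattern.
    """
    domain = sender_domain(from_header)
    trusted_real = is_trusted_domain(domain, trusted)
    mentions_trusted = trusted.lower() in from_header.lower()
    return {
        "domain": domain,
        "trusted": trusted_real,
        "lookalike": (not trusted_real) and mentions_trusted,
    }


# Constructed sample headers (not real messages) covering the cases above.
SAMPLE_HEADERS = [
    "IT Support <it-support@wustl.edu>",            # genuine
    "Security <security@mail.wustl.edu>",           # genuine subdomain
    "helpdesk.wustl.edu@yahoo.com",                 # trusted name in local part
    '"it@wustl.edu" <attacker@yahoo.com>',          # trusted name as display name
    "x@wustl.edu.evil.example",                     # trusted name as domain prefix
    "news@example.org",                             # unrelated, not a lookalike
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = check_sender(header)
        verdict = "LOOKALIKE" if result["lookalike"] else (
            "trusted" if result["trusted"] else "external")
        print(f"{verdict:9}  real domain={result['domain']!r:28}  {header}")
```

The check only looks at what the From: header claims; a sender can still put a genuine-looking address there outright. Whether the message really came from that domain is what SPF, DKIM and DMARC results in the received mail headers tell you, so treat this as a first screen that catches the imitation pattern, not as proof of identity.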

When you check a source, you often need to evaluate the source for bias. This same skill can be applied to detecting phishing attacks and social engineering. These attacks often attempt to evoke emotion from you (hijack your amygdala) to get you to click a link, respond with sensitive information, or download malicious software. Biased sources attempt to skew the readers’ judgment toward the views of the author. Similarly, phishing emails prey on the recipients’ emotions and a sense of urgency. When you read an email from an unknown or unexpected source, read it with an eye for the ulterior motive that social engineering depends on. If the email attempts to play to your emotions, especially fear or uncertainty, it is likely malicious in intent. Additionally, manufacturing urgency is a common tactic for phishers. When you receive an unexpected email claiming to be urgent or needing an immediate response, take extra care in ensuring that it is legitimate.

Finally, your skills in determining the main point or goal of an article can be applied to keep you safe from phishing. All phishing scams have the goal of getting you to click on a link, download an attachment, or respond with sensitive information. If an email is working toward one of those outcomes, proceed with caution. Instead of clicking a link or downloading an attachment from the email, go directly to the purported source of the message (e.g., the official company website or their app) and check for details about the request. Typically, you will find that a legitimate request for action will also be reflected in official channels. If you are still uncertain, reach out to the sender using official contact information (e.g., your bank’s phone number, the phone number on the back of a card). In short, don’t trust the contact information provided in a possible phishing message. Verify the request using known and trusted communication channels. Don’t be tricked into interacting with a demanding phishing message. Stay calm and verify the request using official channels. 

If you believe that you have detected phishing in your inbox, forward the email to infosec@wustl.edu. To stay up to date on the latest phishing scams and protective measures, visit our blog or see the Scam of the Month in our newsletter.