Beware Phishing
By Richard Rost
16 months ago
How to Spot and Prevent Email Phishing Scams
In this tutorial, I will show you how to spot and prevent email phishing attacks, understand phishing attempts, identify suspicious links, and report phishing to your email provider. Learn to protect your sensitive information and maintain cybersecurity in both personal and professional settings.
Links
Keywords
TechHelp, spotting email phishing, preventing email attacks, identifying phishing emails, avoiding phishing scams, email security tips, phishing email examples, domain name checking tips, secure passwords tips, preventing identity theft, protecting sensitive data, email verification techniques, reporting phishing emails
Transcript
Today we're going to talk about how to avoid phishing scams, how to spot and prevent email phishing attacks. So I just got back from vacation. Actually, it was the vacation from hell because I got stranded out of town for five days due to the Delta Airlines meltdown, but that's a whole different story.
When I got back, I got an email from a known client of mine, and it had a suspicious link in it. I looked at it, and wouldn't you know it, it was a phishing attack. I get these all the time, so I figured I'd put together a public service announcement to help you avoid these.
So what is phishing? Spelled with a PH. Well, phishing is a type of cyber attack where some no-good keyboard gremlin impersonates legitimate organizations or individuals to deceive people into providing sensitive information such as usernames, passwords, and credit card details. These attacks typically occur via email, sometimes social media, or fake websites designed to look trustworthy.
And yeah, phishing comes from the word phish. It's a term from the 90s. It goes back to the freaks who used to exploit telephone systems. But again, that's a whole different video. Being aware of phishing attempts is crucial for protecting both personal and professional information. Phishing attacks are designed to exploit trust and can lead to severe consequences such as identity theft, that's happened to me, financial loss, and unauthorized access to sensitive data.
Awareness also helps in maintaining the integrity of often targeted to gain access to corporate networks. Furthermore, understanding phishing can foster a culture of cybersecurity vigilance where individuals are more likely to question suspicious activities and report potential threats, thereby contributing to a safer online environment for everyone. I don't know how many times I've heard from people that were hacked, and it's usually because they clicked on a link, they gave up some information they weren't supposed to give up. The human is usually the weak link in the chain. It's not the computer system; it's someone doing something they're not supposed to do.
This just happened to me. I got back from my little vacation and I started going through my inbox and I found an email from a known student. I'm not going to put the whole email up there because I want to protect this person's identity, obviously. It looks like I received a document or a fax. I know it's the 21st century, but I do still sometimes receive legitimate faxes, especially from big companies, educational institutions, municipalities. They want to fax a purchase order, that kind of stuff. It did come from a legitimate email address. I looked up the email address, and yes, it's one of my students.
Always hover your mouse over any links in an email that you're planning on clicking on and check out the domain name where it goes to. Ignore all of it; there's lots of extra letters and numbers and stuff in there. What you want to look for is the domain name. Okay? Now this comes from forms.office.com, so it looks like a legitimate domain name. And that indeed took me to forms.office.com. It looks like an actual Microsoft site because it is on Microsoft.
Now on here is another link down here that they ask you to click on. This is where the hack begins. Now notice the domain name of the link you're supposed to click on next: R2.dev. Right? You can see there's HTTPS, all this whole thing down here. There's where the domain name is right there, and everything after the slash is just a page on that domain. All right? So look for what's right before that slash. That's the only part that matters. That's where you're going. And they try to put a sneaky little trick on the very end of it; it looks like one drive doc.html. So people who don't know better might think it's OneDrive. And they usually try little misspellings, like a zero instead of an O, that kind of stuff to try to fool people. It's also on a secure server, HTTPS. They tell you always make sure it's a secure site. Don't ever put your financial information, your credit card number, whatever, on a non-secure site. Well, anybody with 20 bucks can set up a secure site at an ISP. So that really doesn't mean much. It just means your data's encrypted when it's sent to the other side.
All right, now, I kinda know what I'm doing, so out of curiosity, I clicked on it. You shouldn't, though. Don't click on any links you're not sure of. Because an HTML page by itself can't do any harm to your system, or an ASP page. Just loading a webpage like that won't do any harm to your system, but you still should be very careful what you do next. Now, this took me to that URL, and it presented me with what looks like a legitimate Microsoft logon page. So with any webpage you can right-click on an email field and it will auto-fill your email address. If you've got auto-fill set up in your browser, which is fine, you can auto-fill your name, address, that kind of stuff. And whether it's a known or unknown page, if you're using Chrome or Edge, or I don't know if Firefox does it, it probably does, I haven't used it in years, but you can right-click and pick your email address. And I've got several email addresses so I'll be okay sure, I added my email address.
Now if you do this the hacker will get your email address, but just be aware of that. I don't personally care, but if you want to end up on more spam lists than you've used to be your email address, you're probably more spam. My spam blockers are pretty good by now. Here's the important part: if you are using a browser-based password manager, Google Password Manager, which I strongly recommend. I use Google Password Manager because then all of your passwords for all the different sites you're on can be stored in your Google browser in your Google account. So you can log on from your phone or your browser or wherever else you happen to be logged on to your Google account, you'll have all the rest of your passwords.
Now if you right-click on a password field on a known domain like Microsoft.com or Netflix.com or wherever, if the browser recognizes that's the safe domain, it will offer to fill in your password. Here it did not. I right-clicked and nothing happened because the browser looked at that domain and doesn't recognize R2.dev. So it doesn't have a password saved for R2.dev. Okay? All right. Yeah, I skipped a slide. All right. It will offer to fill in the password for you if it recognizes the site. This is how it's designed. Now at this point don't go looking up your password and typing it in manually. That's how they get your password.
And of course don't use the same password on multiple sites, especially on sites with financial data on them. I got a whole separate video on that. I'll talk about it more at the end of the video and I'll put a link down below. Use a unique separate password on every website you're on, especially sites that have your credit card number. On my website, for example, I've got a password retrieval tool where you can go and say, send me my password, I forgot it, and it will just email it to you to the address that's on file. And people have complained like, why are you sending my password through email? That's not safe. You know, if someone gets this, they can get it on my other sites. Well, you shouldn't be using your password on any other sites. Don't do that. Don't use the same password on your bank and on other websites and stuff like that. A unique password on each site. I don't save sensitive information on my website. There's no credit card data on your account on the website. I keep it in my local office database which people can't get to. But that's a whole separate video. Go watch that one there. The bottom line is don't go looking up your password and typing it in here. Otherwise, the hackers will get your password.
Now you can investigate this domain if you want to, click on that little button right there to the left of the URL, that's the site info button, and then come down to the about this page link, and lo and behold you will see any information on the Google machine about this specific domain name. You can see right here there's all kinds of reports about this particular domain.
So what can you do? Well, report these jerks to your email provider. It's real easy. Most email apps have a report phishing option, Outlook, Gmail. This will allow your email provider to improve their models to catch future emails like this one. Yeah, sure, every time you take one of these guys down, 10 more pop up. And there's always going to be new scams, but at least this helps to try to stay current and keep these guys from hurting too many people. You know, if you report it, you might save someone else from getting the same message. Also, if it's from a known contact, like the one I got was, let them know they've been hacked. Because somehow, whatever this user, this student of mine did, their email address got hacked. That's how they can, you know, other people can send these malicious emails.
So there used to be like macro viruses and stuff that used to attack Outlook, but that's been pretty much shut down. But there's still lots of ways that these hackers get in there to send malicious spoofed emails. All right, so be safe out there. I got some other information on my website. I got a page on password safety. I got a page on safety.
Alright, so that's going to do it for today. That's your TechHelp video. Your little public service announcement. I'm going to go now and try to dig myself out from the five million pieces of email that I received while I was stuck out of town. Thank you Delta. But that's your TechHelp video for today. I hope you learned something. Live long and prosper, my friends. I'll see you next time.
A special thank you and shout out to our diamond sponsor, Juan Soto with Access Experts Software Solutions. They're manufacturing experts specializing in Microsoft Access and SQL Server. Juan is a 13-time Microsoft Access MVP. Check them out at AccessExperts.com.
TOPICS:
How to avoid phishing scams
Recognizing suspicious email links
Hovering over email links to check domains
Identifying legitimate domains
Spotting fake domains and misspellings
Understanding HTTPS and secure servers
Recognizing legitimate vs illegitimate login pages
Using browser-based password managers
Auto-filling email addresses and passwords
The importance of unique passwords for each site
Investigating suspicious domains
Reporting phishing emails to providers
Notifying contacts of potential email hacks
COMMERCIAL:
In today's video from Computer Learning Zone, I'll show you how to avoid and spot phishing scams. After my recent travel nightmare, I returned to find a suspicious email from a known client. I will explain what phishing is, how it can exploit your trust, and why it's dangerous. You'll learn to identify fake links, use domain names to verify sources, and utilize browser-based password managers for added security. Plus, tips on reporting phishing emails to protect others. You'll find the complete video on my YouTube channel and on my website at the link shown. Live long and prosper my friends.
Quiz
Q1. What is phishing?
A. The act of sending bulk emails for marketing
B. A cyber attack that involves impersonating legitimate organizations to steal information
C. A method of legitimate online business promotion
D. The process of using complex algorithms to enhance cybersecurity
Q2. What should you do before clicking a link in an email?
A. Directly click if it seems from a known sender
B. Look at the images in the email
C. Hover your mouse over the link to check the domain name
D. Forward the email to someone else to check
Q3. Which of the following indicates a suspicious link in a phishing email?
A. A domain ending in .com
B. A domain with familiar terms, but altered spellings like zero instead of O
C. A domain with HTTPS
D. A domain from a known email sender
Q4. Why is it likely unsafe to rely solely on HTTPS as an indicator of a legitimate site?
A. HTTPS means the site is always safe
B. The encryption is for data in transmission only
C. HTTPS sites are managed by government agencies
D. HTTPS always indicates financial transactions
Q5. How can you recognize that a domain might be suspicious apart from the domain name itself?
A. By the color of the email text
B. By the complexity of the URL
C. By the contents after the first slash in the URL
D. By the site's certificate details
Q6. What happens when you right-click on a password field within your browser on a known, trusted site?
A. It offers calendar events
B. It offers to fill in the password if the site is recognized
C. It sends the password to the email provider
D. It automatically changes the password
Q7. Why should you avoid using the same password on multiple sites?
A. It complicates your access to websites
B. It increases the chances of remembering all passwords
C. It decreases the likelihood of having to use a password manager
D. It prevents multiple sites from being compromised if one password is stolen
Q8. What should you do if you receive a phishing email from a known contact?
A. Ignore the email completely
B. Inform the contact that their email may be hacked
C. Delete the email without reporting it
D. Save the email in an important folder
Q9. What is a helpful step you can take to protect your email account from phishing attacks?
A. Using the same password for all your accounts
B. Not using any form of password manager
C. Reporting phishing emails to your email provider
D. Only using outdated browsers
Q10. How can you investigate the legitimacy of a domain from a suspicious email?
A. Click on the link and enter your personal information
B. Directly search the domain name on search engines
C. Use the site info button next to the URL and check "About this page" information
D. Forward the email to another colleague for investigation
Answers: 1-B; 2-C; 3-B; 4-B; 5-C; 6-B; 7-D; 8-B; 9-C; 10-C
DISCLAIMER: Quiz questions are AI generated. If you find any that are wrong, don't make sense, or aren't related to the video topic at hand, then please post a comment and let me know. Thanks.
|
