Email phishing is a social engineering attack in which a bad actor targets email recipients in order to steal private user data, financial information (credit card or bank account numbers), login credentials, or other sensitive material. It is also a growing trend.
The bad actor often sends an email disguised as coming from a company or brand that the recipient may trust or be familiar with. For example, the phisher may send an email disguised as an ActiveCampaign password reset, or one that leads to a fake bank login page, to trick the recipient into entering login credentials or other sensitive information.
ActiveCampaign takes these matters very seriously. In this article we'll share common types of phishing attacks and what you can do to prevent them.
Common types of email phishing
Below are some descriptions and examples of the most common email phishing attack types.
Billing or account problems
This type of phishing email is designed to trick recipients into disclosing sensitive information under the guise of a request from a recognizable brand or widely known company. The email often conveys some sort of urgency and asks the recipient to take an action (click a link, update a credit card, log in, etc.), which typically leads to an imposter website where the recipient is asked to provide credentials or other personal information.
In this type of phishing email, the sender is typically disguised as a government entity (IRS, FBI, local police department or government agency). Often the message attempts to scare the recipient into providing sensitive information or login credentials. The sender may threaten the recipient if the recipient doesn’t take the desired action (e.g., you will be arrested and charged with crime XX if you don’t click on this link).
The Friend, Family, or Co-worker Tactic
In this tactic, the sender poses as someone the recipient personally knows (a friend, relative, co-worker, or boss/executive). Usually these emails are very simple looking and in plain text. The message asks the recipient to take some sort of action, such as sending funds somewhere, clicking a link or download, or providing some other reply or favor.
Virus or Compromised Account
This type of phishing email typically will have a bogus virus alert (often disguised as coming from a reputable virus protection company). The message will attempt to trick the recipient into downloading malware on the recipient’s computer or providing the recipient’s credentials.
Bank or Financial Institution
In one of the most common types of phishing emails, the sender pretends to be the recipient’s bank or financial institution. The sender attempts to get the recipient to reveal the recipient’s sensitive personal information, financial information, or login credentials so that the sender can gain access to the recipient's financial accounts.
This type of phishing email attempts to gain access to the recipient’s personal information by tricking the recipient into believing the recipient has won a contest/prize. In order to obtain the prize, the recipient is asked to take an action (such as sending a check) or click on a link which will take the recipient to an imposter website where the recipient will be asked to provide his or her personal information.
How to handle email phishing
The following is provided as a courtesy and does not constitute legal advice. To help prevent phishing attacks, the following actions are recommended.
Look for clues to identify phishing emails
- Verify the sender’s name and email address
  - Make sure you look at both the name and the email address of the sender
  - Keep a close eye out for any typos or intentionally misspelled words (e.g., the letter “O” is often typed as a “0”)
- Check for spelling and grammar errors
  - Phishing emails typically contain faulty spelling/grammar
- Review the salutation
  - Look for awkward or atypical salutations (e.g., “Dear Sir or Madame,” “Greetings Customer,” etc.)
  - Pay close attention to how the email begins and ends
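One way to automate the sender checks above, as an added example that is not part of the original article. The brand "Example Corp", its allow-listed domain, the sample headers and the function names are all constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: constructed allow-list of brand -> domains it really sends from.
KNOWN_SENDERS = {"examplecorp": {"examplecorp.example"}}

# Fold characters commonly swapped to fake a name (e.g. "O" typed as "0").
# "i" and "1" both fold to "l" so either substitution gives the same result.
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s"})


def skeleton(text):
    """Lower-case, fold lookalike characters, keep letters only."""
    return "".join(c for c in text.lower().translate(FOLD) if c.isalpha())


def sender_clues(from_header):
    """Return the reasons a From header deserves a closer look."""
    name, addr = parseaddr(from_header)        # look at BOTH name and address
    domain = addr.rpartition("@")[2].lower()
    clues = []
    for brand, domains in KNOWN_SENDERS.items():
        subdomains = tuple("." + d for d in domains)
        if domain in domains or domain.endswith(subdomains):
            continue                           # address really belongs to brand
        if skeleton(brand) in skeleton(domain):
            clues.append(f"lookalike domain for {brand}: {domain}")
        elif skeleton(brand) in skeleton(name):
            clues.append(f"name claims {brand}, address is at {domain}")
    return clues


# Constructed sample headers, not taken from real messages.
SAMPLES = [
    "Example Corp Billing <billing@examplecorp.example>",
    "Example Corp <support@examplec0rp.example>",
    "Example Corp Security <alerts@mail-notify.test>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", sender_clues(header) or "no sender clues")
```

An empty result only means the sender fields raised no flags; the remaining clues in this list still apply.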
Look, but don’t click anything
It’s alright if you’ve already opened and read the body of the email, but it’s important that you do not click on any links, buttons, downloads, or attachments within the email.
Do not provide any information
It’s important to refrain from replying or providing any information to the sender. Keep in mind that most companies do not reach out to consumers to request personal/sensitive information via email.
Be aware and stay vigilant
If you are suspicious of something, trust your instincts. Many of the bad actors will go to extreme lengths (even using a real company’s logo, colors and branding) to disguise themselves in order to commit malicious acts. If you are ever unsure about whether an email is valid, reach out to the real company directly through the company’s trusted contact information to verify if the communication is legitimate.
Additional resources about email phishing
- Federal Trade Commission: How to recognize and avoid phishing scams
- ZDNet: What is phishing? Everything you need to know to protect yourself from scam emails and more
- SecurityMetrics: Top 10 types of phishing emails
- Proofpoint: 10 tips on how to identify a phishing email