What is Phishing?
Phishing is the sending of emails from an apparently legitimate company or individual for the purpose of fooling recipients into revealing sensitive data such as login credentials and account numbers, or installing malware that allows an external user to take control of their systems and instigate an attack. The Department of Health and Human Services (HHS) recently fined the University of Washington Medicine $750,000 for a data breach traced back to employees’ response to a phishing email.

The threat was disguised as a Starbucks gift card offer; clicking the link to download the gift card installed malware on users’ computers, which enabled the attack.

How Can You Identify a Phishing Email?

Phishing emails typically contain one or more of the following items:

  • a request for the disclosure of a password or login name
  • a link to an unfamiliar website (to find the true website, hover over a link without clicking it)
  • a subject line with exclamation points
  • an urgent request for immediate action with dire consequences for not acting promptly
  • a generic greeting message
  • spelling errors, poor grammar and/or improper use of capitalization
  • no contact information
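Several of these indicators can be checked mechanically. The Python below is an added illustration, not code from the original article: it runs the checklist over two constructed messages, covering the subject, wording and greeting checks and doing the "hover over the link" check in code by comparing each link's visible text with its real href. The domains, the message text and the `sender_domain` parameter are assumed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples (not real mail): a lure modelled on the article's gift-card
# scenario, and an ordinary internal reminder for contrast.
PHISHING_SAMPLE = {"subject": "Your gift card is waiting!!", "sender_domain": "example.com",
    "body_html": '<p>Dear Customer,</p><p>Enter your password and click <a href="http://gift-claim.example.net/card">www.example.com</a> immediately.</p>'}
LEGIT_SAMPLE = {"subject": "Q3 expense report reminder", "sender_domain": "example.com",
    "body_html": '<p>Hi Dana,</p><p>The report is due Friday; see <a href="https://intranet.example.com/expenses">intranet.example.com/expenses</a>.</p>'}

WORDING_CHECKS = [  # wording indicators from the article, as (label, pattern)
    ("credential request", re.compile(r"\b(password|login name|username|account number)\b", re.I)),
    ("urgent action demanded", re.compile(r"\b(immediately|within 24 hours|suspended|urgent|act now)\b", re.I)),
    ("generic greeting", re.compile(r"^\s*dear (customer|user|member|valued)", re.I)),
]
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)

class _LinkCollector(HTMLParser):  # collects (href, visible text): hovering over a link, done in code
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(subject, body_html, sender_domain=""):
    # Returns the article's indicators this message triggers; an empty list means none fired.
    hits = ["exclamation in subject"] if "!" in subject else []
    text = re.sub(r"<[^>]+>", " ", body_html)  # tag-free text for the wording checks
    hits += [label for label, pattern in WORDING_CHECKS if pattern.search(text)]
    collector = _LinkCollector()
    collector.feed(body_html)
    for href, shown in collector.links:
        host = (urlparse(href).hostname or "").lower()
        shown_host = (DOMAIN_IN_TEXT.match(shown) or ("", ""))[1].lower()
        if shown_host and shown_host != host:  # text names one site, the href goes to another
            hits.append(f"link text {shown_host} points to {host}")
        elif sender_domain and host and not host.endswith(sender_domain):
            hits.append(f"link to unfamiliar site {host}")
    return hits
```

The checks are deliberately simple heuristics for training purposes; a message that triggers none of them is not thereby proven legitimate.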

How Should You Handle a Suspected Phishing Email?

Recent studies have shown that the majority of people who fall prey to phishing emails respond in the morning, likely while sorting through email at the beginning of the work day, when they may be less vigilant about scrutinizing suspicious messages.

The best way users can help protect against phishing attacks is to pay attention. Be vigilant in reviewing messages and delete any that are suspicious. “If in doubt, throw it out.” If the message is legitimate, the sender is likely to contact you again. And if the offer seems too good to be true, it probably is.