Unhook the Phish: garden-variety phishing scams

Welcome to Unhook the Phish, a series presented by the Fermilab Cybersecurity Team. This series offers a deep dive into common email scams (or “phishing”) by explaining the traditional features of these messages, how they try to trick you and easy ways to spot them in your inbox. If you ever suspect that you have received a malicious email, please forward it to the Cybersecurity Team at cybersecurity@fnal.gov. By doing so, you will be entered to win a collectible Fermi trading card as a token of appreciation for your efforts.

Jessie Pudelek

Phishing emails come in a variety of formats, including different levels of sophistication and trickery. Most phishing emails are common garden-variety scams used to directly solicit financial and personal information from you. Garden-variety scams are a little different from other phishing emails that try to steal your credentials (username and password) to get into your personal and financial accounts.

Fake debt collection scams, phony sweepstakes or lottery winning notifications, counterfeit checks or money orders, employment scams, and tech support scams are examples of garden-variety scams. These messages usually rely on elaborate, concocted stories to get your money. Typically, these scams require you to communicate with the attacker instead of clicking on a link to a malicious site.

While many of these messages will come across as ridiculous, they are prevalent because they are successful. A recent study reports that 38% of people who received tax collection scams engaged with the scammers and 12% of them lost money, 59% of people fell victim to lottery or sweepstakes scams with 15% of them losing money, and 64% of people were scammed by fake checks and money orders with 22% of them losing money. The most significant example was employment scams, with 81% of people falling for these types of scams and 25% of them losing money.

The good news about these scams is that they are easy to spot due to the outlandish stories, such as “princes” who want to donate money to you, information regarding a great inheritance from a recently deceased family member you know nothing about, or a debt collection summons when you don’t have any debt. In general, any time you get an unsolicited email about something you know nothing about, or that seems too good to be true, that’s a great indicator that it is a malicious message. However, if you are still not sure based on context alone, there are several other common phishing indicators to watch out for, including:

  • obvious spelling or grammatical errors. Legitimate emails from reputable sources will rarely have errors like this.
  • unusual sender information. If the email address looks unusual, such as fcefefefeif123.abc445.com, there is a good chance this is not a real message.
  • alarming or threatening language in the subject line. Examples include subject lines such as “Urgent Reply” or “Client Complaint in Fermi National Accelerator Laboratory.” Attackers rely on social engineering to get these scams to work, and one way they accomplish this is by trying to scare you with frightening subject lines.
  • asking for personal information such as your address, bank account information, social security number or credit card number. You should never transmit this type of information via email.
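As an added illustration (not part of the original post or any Fermilab tool), here is a small Python triage script that checks a raw message for three of the indicators listed above and reports which ones it finds. The keyword lists, the sender-domain heuristic and the two sample messages are all constructed assumptions; spelling and grammar checking is left out because it needs a dictionary.

```python
import re
from email.parser import Parser
from email.utils import parseaddr

# Hypothetical wordlists derived from the indicators in the post above.
ALARM_WORDS = ("urgent", "complaint", "summons", "final notice", "suspended")
PII_REQUESTS = ("social security", "bank account", "credit card", "routing number")


def suspicious_sender(from_header):
    """Heuristic for the 'unusual sender' indicator: a domain label that mixes
    letters with a run of digits (as in fcefefefeif123.abc445.com) is flagged."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    labels = domain.split(".")[:-1]  # ignore the top-level domain itself
    return any(re.search(r"[a-z]+\d{2,}|\d{2,}[a-z]+", label) for label in labels)


def phishing_indicators(raw_message):
    """Return the garden-variety indicators found in a raw RFC 822 message."""
    msg = Parser().parsestr(raw_message)
    subject = (msg["Subject"] or "").lower()
    body = msg.get_payload().lower()
    reasons = []
    if suspicious_sender(msg["From"] or ""):
        reasons.append("unusual sender domain")
    if any(word in subject for word in ALARM_WORDS):
        reasons.append("alarming or threatening subject line")
    if any(phrase in body for phrase in PII_REQUESTS):
        reasons.append("asks for personal or financial information")
    return reasons


# Constructed sample messages (not real mail).
SCAM = """From: Collections Desk <desk@fcefefefeif123.abc445.com>
Subject: Urgent Reply - Client Complaint in Fermi National Accelerator Laboratory

Your account is delinquent. Reply with your social security number
and bank account information to resolve this today.
"""

LEGIT = """From: Jane Doe <jane@example.org>
Subject: Agenda for Tuesday's meeting

Attached is the agenda. Let me know if you want items added.
"""

if __name__ == "__main__":
    for name, raw in (("SCAM", SCAM), ("LEGIT", LEGIT)):
        print(name, "->", phishing_indicators(raw) or ["no indicators found"])
```

A hit on any single indicator is a reason to forward the message to the Cybersecurity Team rather than a verdict on its own.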

The following screenshots show some examples of these messages. In these examples, there are no links to click, but rather the attacker is asking for you to reply to them with information. These phishing emails are trying to get your financial data directly instead of going after login credentials.

As always, if you have any questions or concerns regarding garden-variety scams, please do not hesitate to contact us at cybersecurity@fnal.gov.

Jessie Pudelek is a computer security analyst at Fermilab.