Stay vigilant against phishing attacks

More than 90% of cyberattacks start with a single phishing email, but different modalities for phishing have been on the rise. Especially in light of recent world events, we must be prepared for both traditional scam attempts via email and attacks that attempt to leverage text messaging and phone calls.

Keep reading for tried-and-true methods to support you in identifying and avoiding all spam messages.

Be cautious when reading all emails. It’s easy to get overwhelmed by an avalanche of email communications, so it’s helpful to not rush this process. Take your time when reading emails to avoid fatigue and slow down enough to really investigate the contents of each message. It may be helpful to schedule times of the day for email review as doing so allows you to dedicate your full attention to the process of analyzing messages.

Refrain from clicking or opening attachments. Never click on a link in an email or open an attachment, especially when you do not know who sent the email to you or what the context of the message is. Seek alternative methods for gaining the information that you need, such as navigating to a website in your browser and logging into the service directly. Any real information you need pertaining to that tool will be available to you on your account.

Learn your tools. Become familiar with what real emails look like from the services you use most often. For example, if you use OneDrive frequently to collaborate on documents, take note of who the sender is and how the body of the message is designed. If you receive a OneDrive email that does not match what you are used to seeing, it should alert you that something is suspicious.

Watch out for the unexpected. It is easy to identify a phish if you get a message about something that catches you off guard, such as one claiming to send a document via OneDrive you know nothing about or information about a package that you haven’t ordered. If you aren’t sure, never click on a link in the message to find out more information. Instead, copy/paste tracking numbers into package delivery sites to see if it references a real shipment or ask for help from the Cybersecurity Team or a colleague.

Check the sender of the email. Does the email address of the sender match who the email claims to be from? For example, if the email says it’s from Microsoft yet the sender’s address is, that’s an almost guaranteed sign the message is malicious. If you’re interested in a more technical approach to reviewing email headers, you can check out a PDF handout on the subject here.

Review the design and message of the email. Consider the following questions when reviewing any type of email you get:

  • Is the message poorly designed?
  • Does it contain bad grammar or misspelled words?
  • Does it look like an official email from the supposed sender?

These issues usually are indicators of hastily crafted phishing or spam emails.

Don’t be isolated. You might feel like a lone ranger battling the sea of social engineering threats on your own. However, a coworker or the Cybersecurity Team is only a phone call, email or text message away. If you are unsure if a communication is real or phishing, reach out to someone for help. You’ll be glad you connected with a real human!

If you don’t recognize a phone number, do not pick up, respond or click. If you are receiving a real phone call or text message from someone who needs to get a hold of you (and isn’t already in your contact list), they will leave you a voicemail with information to call them back or will identify themselves in the text message. Never respond or give any information to someone on a cold call who claims to be from tech support, such as Microsoft, Apple, etc. as these are generally always scams.

Consider the information you share. If you receive a text message or phone call from a company to which you have not provided your phone number, you can automatically disregard it as a spam communication. For example, if Amazon does not have your phone number, there is no way they can contact you via that number.

Block persistent numbers. If you keep getting spam texts or calls from the same number, use the block feature in your cell phone or a scam protection application from your wireless provider to reduce notifications from these numbers.

Subscribe to the Cyber-Now email list. This list is a great way to get important information regarding cybersecurity topics, including cybersecurity incidents such as widespread phishing attempts, quickly. To subscribe, send an email to CYBER-NOW-subscribe-request@LISTSERV.FNAL.GOV (Note: Do not enter a subject. You will receive an email from Fermilab LISTSERV Server requiring you to confirm your request.)

Looking for more information about phishing and other cybersecurity resources? Check out the Cybersecurity Awareness website:, and email for general cybersecurity questions and to report phish.

A previous version of this article was published on the Cybersecurity Awareness website.

Jessie Pudelek is a computer security architect at Fermilab.