Avoiding Phishing Attacks

Detecting Phishing Emails

Phishing is a fraudulent email that is designed to fool people into providing sensitive information such as user credentials, credit card numbers and banking information. Rather than exploiting technology, phishing attacks exploit human vulnerabilities. While phishing emails vary in format and content, there are a number of signs that will help you detect them and avoid any negative outcomes.

1. Senders Name Should Match Email Address: Make sure that the sender’s name matches the email address. If the sender has a name you know but the email address doesn’t match, it’s likely a phishing message.
2. Look for Odd Spelling Mistakes or Grammatical Errors: Typos aren’t unusual, but if you get an email claiming to be from a large company like Microsoft, Google, DocuSign, etc, grammatical errors are removed by professionals before sending. A lot of phishing attacks originate outside of the United States where English is often a second language and errors often indicate phishing.
3. Do Not Give Out your Username or Password: No legitimate company will email you requesting your username and password. If you get an email asking you to send your username and password, it’s a phishing attack.
4. Verify Website Before Clicking Link: Prior to clicking on a link, hover your mouse pointer over the link in the questionable email to view the actual destination address. An email may include a link that indicates a company like Microsoft, but if it’s a phishing attack, the link will take you to a website that has a web address that doesn’t match the organization.
5. When in Doubt, Navigate to Website Manually: Be cautious when an email leads you to a website requesting your username and password. When in doubt, navigate to the website by manually entering the URL into your browser  (do NOT click on the email link) on your own and then log in.
6. Don’t Rush to Take Action: Be cautious of messages expressing a sense of urgency. This is used a tactic to trick the reader into acting quickly without spending time to consider the validity of the request.
7. Take Time to Consider Message Requests: Be cautious of messages where an authority figure (the owner of the company or management) is making an unusual request such as a wire transfer or the purchase of a gift card. These type of messages often indicate phishing.
8. If You Aren’t Expecting It, Question It: If you aren’t expecting an encrypted or secured document from someone, call them on the phone to verify that they sent it. The hardest attack to detect is one that comes from an already compromised email account belonging to an associate or coworker. In the case of targeted phishing attacks, attackers may review recent emails in the compromised account to create a highly customized attack. Points 6-8 are all very important when detecting these kinds of attacks, as unusual requests are typically the best indicator.

Taking Action

Mark as Spam & Delete: If you’re certain that the email is phishing, click on “Click here to mark this message as spam” at the bottom of the message to report it to the DHS SecureMail Anti-Spam service. After you’ve marked it as spam, simply delete it.

If Unsure, Forward to DHS: If you’re unsure if the message you have received is phishing, forward it to [email protected] and we’ll advise you on the validity of the email. Your office and patient security is always a top priority at DHS and we’re here to help!