Tag Archives: phishing

Reading the water for phish

Here is a list of identifying characteristics of a phishing scam. Any one of these characteristics can be a sign of a scam, but multiple characteristics are a strong indication.

  • Is the message unsolicited?
  • Does it contain misspellings or poor grammar?
  • Is the scammer trying to create a heightened sense of urgency?
  • Does the sender’s address, or the hyperlink you hover over, contain an uncommon domain name?
  • Scammers often request information that a legitimate person should already have (why would a bank that is calling me need my account number?)
  • Is the offer too good (or the problem too bad) to be true?
  • Scammers often state their authority over you (that they’re from a collection agency, law enforcement agency, tax agency, or immigration service, especially agencies that you would have a difficult time confirming)
  • Scammers often refer to themselves only by their title or department name, and do not give a person’s name you can verify
  • If not stating their authority, they tell you how hard they are trying to save you from some disaster you didn’t even know you had
  • In this past year, there was a scam where the malicious hyperlink was the unsubscribe link! That is, by thinking you would rid yourself of the sender, you would actually fall prey to them!

If you receive a message that is suspicious because of any of these characteristics: don’t click on any of its links, don’t open any of its attachments, and don’t call any phone numbers listed in the message. If it appears to be coming from another person, you can contact that person using an address or phone number you get from a known legitimate source.
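Several of the checklist items above (an unfamiliar domain behind a link or sender address, urgency language, and the malicious unsubscribe link) can be checked mechanically. The script below is an added example, not part of the original post: it parses a constructed message, compares the sender domain against the Reply-To and against every link, and reports which checklist items it trips. All domains and message contents are placeholders made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY = ("immediately", "within 24 hours", "suspended", "act now")
# Good enough for the constructed samples; a real filter would use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def registered_domain(host):
    """Crude: keep the last two labels of a hostname (enough for these checks)."""
    return ".".join(host.lower().strip().split(".")[-2:])

def phish_flags(raw):
    """Return the checklist items that a single-part text/html message trips."""
    msg = message_from_string(raw)
    flags = []
    sender_dom = registered_domain(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and registered_domain(reply_to.split("@")[-1]) != sender_dom:
        flags.append("reply-to domain differs from sender domain")
    body = msg.get_payload()  # assumption: single part, no transfer encoding
    for href, text in ANCHOR.findall(body):
        host = urlparse(href).hostname or ""
        # Visible text looks like a domain, but the link goes somewhere else
        if "." in text and registered_domain(text) != registered_domain(host):
            flags.append(f"link text '{text}' hides destination {host}")
        # The unsubscribe link itself points away from the sender's domain
        if "unsubscribe" in text.lower() and registered_domain(host) != sender_dom:
            flags.append(f"unsubscribe link goes to {host}, not the sender")
    if any(k in body.lower() for k in URGENCY):
        flags.append("urgency language")
    return flags

# Constructed sample messages (not real mail); all domains are placeholders.
PHISH = """\
From: Acme Bank Security <alerts@secure-mail-notify.example>
Reply-To: support@mail-relay.example
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you confirm your
account number at <a href="http://secure-mail-notify.example/login">acmebank.com</a>.</p>
<p><a href="http://tracker.example/u">Unsubscribe</a></p>
"""
BENIGN = """\
From: Pat Lee <pat@company.example>
Content-Type: text/html

<p>Minutes are on <a href="https://wiki.company.example/m">wiki.company.example</a>.</p>
"""
```

Running `phish_flags(PHISH)` returns four flags while `phish_flags(BENIGN)` returns none; any single flag is only a hint, as the checklist says, so treat the count as a reason to verify through a known-good channel rather than as a verdict.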


Gone phishin’

You are the target of phishing scams because either you possess valuable information or you are a link in the chain leading to valuable information (especially in your business persona).

There has been a huge increase in the number of Business Email Compromise (BEC) attempts. This type of scam asks you to do things you do in a normal business day, unlike earlier scams which asked you to do out-of-the-ordinary things like accept millions of dollars wired from a foreign prince.

To trigger your habits, the bait used by attackers plays on your fears, your desire to help, and your compliance with policy; for example:

  • Someone posing as an executive or customer might demand that you fix a fake problem
  • A fake partner might ask for your assistance in selling to a fake customer
  • Someone posing as an IT administrator might demand that you reset your password by first entering your current password into a fake form

Newer tactics attempt to put more realistic context around these fake demands; for example:

  • A fake executive is telling you a fake secret about a fake acquisition, and asks for real information
  • A fake company leader references a commonly known issue, and asks you to do something to resolve it, something that sounds logical
  • An even more subtle tactic is to build confidence over multiple emails before the attacker asks for your action (aka the long game or long con). This building of confidence has a long history, from military spy games to Bernie Madoff’s Ponzi scheme.

The consequences of taking the bait are that the attacker will steal money, steal information, steal your identity, hold your information hostage for a ransom, or unleash a virus. These days, though, while a virus is bad, it might be the least damaging consequence of being tricked by a phishing scam.