Spot phishing attacks like a pro

Is it the sense of familiarity, the intriguing subject line or just being in auto-pilot that compels you to click?

Phishing is a method often used by hackers and cyber attackers to steal your credentials and sensitive personal information, or to infect your system with malicious software that is designed to avoid detection. A phishing email claims to be from a reputable source – however it is designed, its job is to convince you to click on a link within the email, or to open an included attachment. Often the email will use emotions – such as urgency, a deadline, curiosity, fear, or greed – to convince you to open the malicious attachment or click on the link.

Examples of these include scenarios where the email claims you’ve got a speeding ticket, an ATO taxation fine or refund, that you've received an unexpected invoice or resume, or have missed a parcel delivery. Curious? That’s exactly the emotional trigger they try to use to make you click on the link or open the attachment!

If you do fall for it, you may end up with malicious software installed on your device (including your Mac). This is very bad news, as the malicious software lurks in the background doing something evil. It could be software that enables the attackers to covertly connect directly to your system, to encrypt all of your files and hold them to ransom, or steal your credentials which they then use as part of a bigger scam or attack.

The fake messages with the call-to-action that lure you use clever psychological tricks.

That’s what makes it so difficult to protect yourself against phishing. You know not to click links in shady emails. You know to think twice before clicking any link in any email. (Right?)

The same goes for downloading attachments and putting your personal information or login credentials into any form that you have any reason not to trust. And yet, phishers can just needle you forever, waiting for that one moment when you finally slip up. If you do, you instantly subject yourself to any number of unfortunate consequences, whether it’s identity theft, fraud, or malware that runs rampant on your device.

Three rules

Follow these three rules to keep from getting hooked.

Spot the Obvious

There are some obvious signs that an email might be a phishing attack:

  • Does the email use emotions to convince you to click on a link or open an attachment?
  • Are there spelling mistakes or grammatical errors?
  • Is the email not addressed to you by name, or does it use impersonal placeholder text such as “FirstName”?
  • Does the email have a strange “From:” address, or a “Reply to:” address that is different from the “From:” address?
  • Does the mail have attachments or a link you didn’t ask for, or weren’t expecting?
  • Does the link look strange? Hover your cursor over the link without clicking – does the address look unusual?
  • Is there an urgent call to action or deadline given?
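Several of the checks in the list above (a “Reply to:” that differs from the “From:”, an impersonal greeting, urgent wording, and a link whose visible text points somewhere other than its real address) can be automated for a mail filter or a quick triage tool. The script below is an added example and is not code from the original post or from iHelp IT; the two sample messages, the `.invalid` domains, the keyword lists and the crude domain comparison are all constructed assumptions for illustration.

```python
"""Heuristic phishing-indicator checker for a single email message.

Added example, not from the original post. It applies the "Spot the
Obvious" checks to constructed sample messages; the keyword lists and
the scoring are illustrative assumptions, not a production filter.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "missed parcel" lure using reserved .invalid domains.
SAMPLE_EMAIL = """\
From: "Parcel Service" <notice@example-parcel-alerts.invalid>
Reply-To: collect@example-mailbox.invalid
To: FirstName <firstname@example.org>
Subject: URGENT: your parcel could not be delivered
Content-Type: text/html

<html><body>
<p>Dear FirstName,</p>
<p>We attempted delivery today. You must confirm your address within 24 hours
or the parcel will be returned.</p>
<p><a href="http://example-tracking.invalid/confirm">https://www.example-parcel.com/track</a></p>
</body></html>
"""

# Constructed sample: an ordinary message that should raise no indicators.
BENIGN_EMAIL = """\
From: "Alex" <alex@example.org>
To: Sam <sam@example.org>
Subject: Notes from today's meeting
Content-Type: text/plain

Hi Sam,

Here are the notes we discussed. Talk tomorrow.
"""

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "deadline", "final notice")
IMPERSONAL_GREETINGS = ("dear firstname", "dear customer", "dear user", "dear member")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(url):
    """Crude host comparison key: the last two labels of the host name.
    Assumption: no public-suffix list, so 'co.uk'-style hosts are not handled."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_email(raw):
    """Return the list of phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    indicators = []

    # 1. A Reply-To that silently redirects replies away from the visible sender.
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != from_addr:
        indicators.append("reply-to differs from from")

    # 2. Urgency language in the subject or body (single-part messages only here).
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(word in text for word in URGENCY_WORDS):
        indicators.append("urgency language")

    # 3. Impersonal or unfilled-template greeting ("FirstName" left in the To: or body).
    if any(g in text for g in IMPERSONAL_GREETINGS) or "firstname" in msg.get("To", "").lower():
        indicators.append("impersonal greeting")

    # 4. Link whose displayed URL is on a different domain from its real href.
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        if shown.startswith(("http://", "https://", "www.")) and \
                registrable_domain(shown) != registrable_domain(href):
            indicators.append(f"link text domain mismatch: {shown} -> {href}")
    return indicators


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_EMAIL), ("lure", SAMPLE_EMAIL)):
        print(name, check_email(sample) or "no indicators")
```

The domain check is deliberately simple: it only compares the last two labels of each host, which is enough to catch the classic mismatch in the sample but would need a public-suffix list to be reliable on real traffic. Each indicator on its own is weak; the value is in several appearing together, which mirrors how a person would weigh the list above.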

Remember the basics

There’s a big difference between unwanted marketing and advertising emails (spam) and phishing emails. If you suspect an email to be a possible phishing attempt you should contact iHelp IT immediately. We can quickly identify an email as phishing, and protect you and your employees from the same attack.

Following standard digital defense advice will help with phishing as well:

  • Keep an up-to-date backup of your data
  • Enable multifactor authentication on services where it is available
  • Close accounts you no longer use
  • Use unique, robust passwords for each online service
  • Use a password manager to keep track of these passwords

These steps make you a tougher target, but more importantly, they’ll help contain damage if you ever do get phished.

Listen to your gut

Your gut has a great sense for phishing scams, and you should look out for:

  • Unexpected emails (even from friends)
  • Emails with a link to click on
  • Emails asking you to check or update information
  • Emails which seem rushed or have a strange tone
  • A Facebook message when you'd expect a text message

If anything seems a little off, check with the sender on another platform to confirm the request. Also, consider why you might be receiving a message and whether it makes sense.

  • Most online services won’t ask you to make changes via email
  • Always log into sites via your browser, not an email link
  • Treat unexpected attachments with high suspicion and avoid opening them

Easily exposed

Look at the apparently authentic email below, and see how easy it is to tell that it’s a simple phishing attack, designed to get you to click on a nefarious link.

An apparently legitimate email, from ASIC.

Hover over the link to see the link doesn’t point to ASIC.

Real-life examples

Below are some real-life examples of phishing scams.

A man received an SMS from his wife, claiming she'd forgotten her PIN, and asking him to send it to her.

The man promptly did, and shortly thereafter received a call from another number. It was his wife. She told him that her handbag, with her wallet and mobile phone had been stolen.

After successfully obtaining the wife's PIN via SMS, thieves helped themselves to over $2,000 in withdrawals from ATMs, before dumping the handbag and all contents.

  • Don't immediately reply to odd requests for information
  • Always confirm the request is real

The urgent transfer request

The head of accounts for a large organisation was at an airport lounge ready to fly overseas on vacation, when she received an email request from her boss, asking her to urgently transfer $7,000 to a bank account.

Without considering if the email was legitimate, she transferred the money immediately, as requested.

It was only at the end of her 8-hour flight that her thoughts turned to how odd the request was, and a call to her boss confirmed she had been duped.

  • Emails can be faked
  • Consider if the request is typical of the sender

Identity theft

Unlocked mailboxes are a great source of information for phishing. In this case all it took was a stolen mobile phone bill, which gave thieves the account holder's name, address, and account numbers, and Facebook revealed the account holder's date-of-birth.

Armed with this information, the thieves managed to obtain a new SIM card, and somehow (we won't tell you exactly how) used this to transfer funds via phone banking.

Thieves got away with $13,000 before the bank's security systems stepped in and stopped further transfers.

  • Be aware of how you may be giving critical information away