There’s not a lot to unpack here. Phishing succeeds because it so closely mimics legitimate behavior.
The first “secure” message I received from my bank was, likewise, incredibly suspicious. It was from my banker, but not from my bank itself. It included an HTML attachment and instructions to “open the attached page in a browser” for further instructions.
This kind of thing should immediately trigger warning bells. I called my banker directly.
“No, it’s real. I need you to print out and sign some documents.”
I referred him back to his own company’s warnings about phishing emails. He didn’t budge and insisted I just use the attached page he’d sent.
Email remains one of the most laughably insecure and unsophisticated communication mediums we use today. It’s easy to breach, even easier to spoof, yet absolutely critical for many of the ways we run our world.
This makes it an easy target for attack.
Before clicking any link in an email (or downloading any attachment), ask yourself the following questions:
- Do the sender and I know one another? A message opening with “dear customer” or another impersonal salutation should immediately trigger suspicion.
- Was I expecting the message? Banks, legal firms, and the like will rarely reach out to you out of the blue. Requests are usually preceded by a phone call or some other notice that a request is on the way. In the rare cases this doesn’t happen, it’s easy enough to contact the requestor through some other channel to confirm the request is legitimate.
- Is the request urgent? Most phishing scams will fabricate urgency by claiming something bad will happen if you don’t respond immediately.
In short, be aware of what’s going on and train yourself to recognize a phish for what it is so you don’t take the bait.