How do you spot a Phish?
Phishing scams worry me. Not because I'm afraid I'll fall for them and give up my private bank data to some jerk in Russia who works for the mob - or in Texas or China or wherever these guys are these days - but because these scams are becoming ever more common, more sophisticated, and harder to spot. And as I work in a field that's striving to get more adult English language learners and lower-literate adults online, I worry about how well we are preparing our clients to be safe. Do you know how to spot a phishing scam? Do you know how to teach someone else to spot a phishing scam? Not sure? Here are a few tips using a phishing email that arrived in my inbox today (after getting past my pretty rigorous spam filter!).
Here's the original message. Take a look and see if you can spot the red flags. Then read on to see how many you saw.
Red Flag #1. I don't know who the sender is. I've never heard of Fulton Bank before. Why would they be contacting me? OK, you don't have access to my brain, so you probably didn't spot this one. But did you look at the name and think "Who's Fulton Bank?" Then you're on the right track.
What to teach? Your students - even those with limited reading skills - need to learn to recognize the names of the legitimate businesses they do business with, and to be suspicious of emails that don't come from trusted businesses.
Red Flag #2: They don't know me, either. The message is addressed to "Dear Fulton Bank member" not "Dear Ms. Wetenkamp-Brandt." Also, the "to" line in the message is blank - a red flag for spam.
What to teach? Your students should be suspicious of email messages that address them as "customer" or "member" rather than using their proper name.
Red Flag #3: They ask me to "confirm my profile," name, address, etc. YIKES! Of all the red flags in a phishing scam, this one is the most brilliant shade of crimson.
What to teach? Your students need to know that no legitimate business will EVER send an email asking them to provide this kind of information. EVER. Under no circumstances should they ever respond to such an email, call a number provided in it, or click any link in the message. If they do accidentally click the link, they should immediately close the browser. The most important message is that they should never provide their personal information in response to an email request.
Red Flag #4: The writing/language is less than professional. Many phishing messages include spelling and grammar mistakes. This one is pretty good (see what I mean about the scams becoming harder to spot?) but there are run-on sentences and generally it just doesn't have a professional tone.
What to teach? Well, literacy. Have your GED students ever asked you to provide a real-life use for all that practice with "authorial tone?" Here's one! This message lacks a professional tone - and it's a red flag that, yep, the message is a fake.
Red Flag #5: When I point my mouse at the link in the message (note just point! not click!) the URL does not match the linked text, and it looks phishy! OK, you get a pass if you didn't spot this one, because you don't have the original message and can't do it. But, give yourself extra credit if you thought about doing it! (And take a look at the image below to see what I saw.)
What to teach? How to point a cursor at a hyperlink without clicking it, to see where the link leads. How to read a URL and differentiate a legitimate business website address from a phishy one. Yes, this is the hard part. But it's a very important step in making our students safety-savvy.
Need resources to help you teach these concepts? Here are two good videos that drive home the point:
Happy Browsing! And don't get caught by anything phishy!