Go Phish

In late 2016 I received an email alerting me that a scam email had been circulated, disguised as official OCR audit communication.  This email had very official-looking HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels, but was instead a phishing email.  Are you wondering if you could have spotted the difference?  Let’s dive in to phishing and ensure that you don’t get hooked by an email scam. (Warning: more sea-worthy puns to come!)

First, what is phishing?  Phishing utilizes electronic communication, such as email, in an attempt to gain access to sensitive information or put malicious information onto your computer.  Phishing emails are often camouflaged as a legitimate communication from a trusted source.  Phishing takes advantage of the fact that, unlike with face-to-face communication, it can be difficult to know who you are communicating with electronically.  Phishing emails have gotten increasingly deceptive – they look professional, official, and trustworthy, and most importantly, not out of place.

Here’s an analogy:

A phishing email is a bit like a predatory deep sea creature – very adept at blending in. Just like the unsuspecting fish swims up to that rock that isn’t actually a rock, the unsuspecting email user may click on that Google email that isn’t actually from Google.

Phishing emails don’t have to be scary – and if one lands in your inbox, it’s easy to take the proper steps to ensure neither your computer nor your personal information is compromised.

Here are a few tips for spotting phishing emails:

  • Look for the obvious signs – excessive typos, an offer that seems too good to be true (free airfare), or a threatening call to action (act now to avoid having your bank account suspended) can all be signs of a phishing email.
  • Hover your mouse over links – a phishing email is likely to contain a link with instructions prompting you to click on it. Before clicking, you can hover your cursor over that link and the website it will actually take you to will be displayed. If you receive an email from Amazon, hover over the Amazon link within the email, and see only garbled letters and numbers instead of an Amazon address, don’t click on it.
  • Never give up your personal information – every year we see the same IRS scams around tax season where people are tricked into thinking that the IRS is urgently requesting money from a taxpayer. Every year the IRS also warns that it will never demand immediate payment or ask for any personal information via email.  If an email asks you for personal information – be skeptical.  Odds are, like the IRS, legitimate and trustworthy organizations will not ask you for your personal information over electronic communication.
  • When in doubt, don’t click! – Receiving a phishing email does not put you at risk – but clicking on one or downloading something from one does. If something doesn’t look right, contact the supposed sender or go directly to their website (without using an embedded link) to see if you should have received a communication from them.  I took a technical security class with an FBI agent once, and he went so far as to recommend never clicking on a link in an email, ever.  I haven’t been able to abstain 100%, but having that recommendation in my head definitely helps me to click a lot less.
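The "hover over links" tip is really a check that the address a link displays matches the address it actually goes to, and that check can be automated for an HTML email body. The script below is an added example for this post, not something from the original article: it uses only Python's standard library to pull every anchor out of an HTML message, and flags a link when the visible text names one site but the `href` goes to another, when the target is a bare IP address, when the URL hides the real host behind an `@` sign, or when the link is not a normal web address at all. The sample email body is constructed for the example, and the "same site" comparison is a deliberately simple last-two-labels check, not a full public-suffix lookup.

```python
"""Flag links in an HTML email whose visible text disagrees with their target.

Added example for the "hover over links" tip; not part of the original post.
The sample message below is constructed for illustration.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one honest link, three that a hover would expose.
SAMPLE_EMAIL_HTML = """
<p>Your order is ready. <a href="https://www.amazon.com/orders">View order</a></p>
<p>Update payment: <a href="http://198.51.100.7/x9f2k">https://www.amazon.com/payments</a></p>
<p>Help center: <a href="https://help.example.net/faq">help.example.net</a></p>
<p>Sign in: <a href="https://amazon.com@login.example.org/">amazon.com</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url_or_domain):
    """Return the lowercase hostname of a URL, or of a bare domain string."""
    s = url_or_domain.strip()
    if "://" not in s:
        s = "http://" + s  # let urlparse treat a bare domain as a host
    return (urlparse(s).hostname or "").lower()


def _looks_like_address(text):
    """True when the visible link text itself reads like a URL or domain."""
    t = text.strip()
    return bool(t) and " " not in t and "." in t and not t.endswith(".")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _same_site(a, b):
    # Simplified: compare the last two DNS labels (www.amazon.com ~ amazon.com).
    # A real tool would use the public suffix list to handle e.g. co.uk.
    return a.split(".")[-2:] == b.split(".")[-2:]


def suspicious_links(html_body):
    """Return a list of {'href', 'text', 'reasons'} for links that fail the hover check."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        target_host = (parsed.hostname or "").lower()
        reasons = []
        if parsed.scheme not in ("http", "https"):
            reasons.append("link is not an ordinary web address (scheme %r)" % parsed.scheme)
        if "@" in parsed.netloc:
            reasons.append("URL hides the real host behind '@'; real host is " + target_host)
        if _is_ip(target_host):
            reasons.append("link target is a bare IP address")
        if _looks_like_address(text):
            shown_host = _host_of(text)
            if shown_host and target_host and not _same_site(shown_host, target_host):
                reasons.append("text shows %s but link goes to %s" % (shown_host, target_host))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL_HTML):
        print("SUSPICIOUS:", f["href"])
        for r in f["reasons"]:
            print("   -", r)
```

Run against a saved `.eml` body, this is the same judgement the hover tooltip asks you to make by eye, applied to every link at once; the honest "View order" link and the help-center link pass, while the IP-address link and the `@`-trick link are reported with the reason.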

And lastly, if you want to put yourself to the test without any risk of clicking on malicious links, check out this quiz, courtesy of the Today Show, to see if you can catch the phishy email.  (I was wrong about one – maybe you can beat me!)