“Is this email legit?” I get this question a lot and most of the time the answer is no. Many of them are simply scams, companies trying to sell sketchy SEO programs or miracle medical devices. Others are more actively criminal, hoping to trick you into providing personal information, such as the login credentials to one of your online accounts. These techniques, known as phishing, are becoming more sophisticated every day.
Phishing attack emails often mimic the look and feel of companies whose services you already use, to fool you into responding. These messages frequently claim that there is an urgent issue requiring immediate action. Clicking a link or downloading a file is almost always the next step. At this point, stop!
Apply a “smell test” to the entire message, especially to the link you’re being asked to click. In a web browser, hovering over the link with your mouse will display the link at the bottom of the window (you can try it out on the links in this post). The key to deciphering links is this: the true domain that the link points to comes last. For example:
https://docs.google.com = good
https://docs.google.criminals.com = bad
If the domain is followed by a slash and more stuff, just ignore everything to the right of the slash. The domain is the important part.
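The same rule as a small check, written as an added example that is not part of the original post: it reads the domain from the end of the host name and ignores everything to the right of the slash. The `TRUSTED_DOMAINS` list, the function names and the sample links are assumptions constructed for illustration.

```javascript
// Added example: constructed list of domains the reader actually uses (assumption).
const TRUSTED_DOMAINS = ["google.com"];

// Naive check: the trusted name appears somewhere in the link text.
function naiveLooksTrusted(link) {
  return TRUSTED_DOMAINS.some((d) => link.includes(d));
}

// Return the host part of a web link, or null if it is not a parseable web link.
function hostOf(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return null; // not an absolute URL
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // "google.com." and "google.com" name the same host, so drop a trailing dot.
  return url.hostname.replace(/\.$/, "");
}

// True only when the host IS a trusted domain or ends with "." + that domain.
// The leading dot keeps a longer name that merely ends in the same letters from matching.
function pointsToTrustedDomain(link) {
  const host = hostOf(link);
  if (host === null) return false;
  return TRUSTED_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Constructed sample links: the two from the post plus two with a path after the slash.
const SAMPLE_LINKS = [
  "https://docs.google.com",
  "https://docs.google.criminals.com",
  "https://docs.google.com/document/d/abc",
  "https://criminals.com/docs.google.com",
];

function report(links) {
  return links.map((link) => ({
    link,
    host: hostOf(link),
    naive: naiveLooksTrusted(link),
    trusted: pointsToTrustedDomain(link),
  }));
}

console.table(report(SAMPLE_LINKS));
```

The last sample shows why the path is ignored: the naive text search accepts it, while the host-based check rejects it.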
Test your skills
There’s more to know than just learning to read a link. The folks at Jigsaw, a division of Alphabet, the parent company of Google, have created a Phishing Quiz that walks you through a number of scenarios, showing how to recognize and avoid phishing attacks. I highly recommend that you give it a try.
Even if you ace the quiz, take the time to enable two-factor authentication on your important accounts and install a password manager on your devices. You’ll then have better protection than the vast majority of people who get hooked by phishing and other online scams.