Employment Advice Column: Phishing Alert: How to conduct a safe online job search?

Dear Joanna,

I have been applying for jobs online to work in a daycare. Recently I’ve been receiving these emails and texts asking me to click on a link in order to update my banking account. Having done the training with my Reena job coaches, I am very suspicious of such messages. I’d like to learn more about Phishing as these scammers are getting better all the time!

Signed: Phish out of Water

Dear POW,

Cyber-criminals are on the rise! I consulted with Reena’s leading IT team, who helped me respond to your inquiry. Let’s first define “phishing”. Phishing is a scam carried out through emails, phone calls (“vishing”), social media, SMS messaging (“smishing”) and apps. It is an attempt by a hacker to trick you into doing what they want: giving out your personal information, sharing your passwords, or sending money. Sometimes these requests appear legitimate, like an email from your friend. But it’s dangerous and a criminal activity! According to our IT team as well as Palmer’s (2023) blog, these are four out of several tips on how to spot a phishing attack, even one that is specially crafted so the message looks real.

1. Poor spelling and grammar. Many of the less professional phishing operators still make basic errors in their messages. Official messages from any major organization are unlikely to contain bad spelling or grammar, and certainly not repeated instances throughout the body. A poorly written message should act as an immediate warning that the communication might not be legitimate. It’s common for attackers to use a service like Google Translate to translate the text from their own first language, but despite the popularity of these services, they still struggle to make messages sound natural.

2. An unusual URL/link/website. It’s very common for email phishing messages to coerce the victim into clicking through a link to a malicious or fake website. Many phishing attacks will contain what looks like an official URL. However, it’s worth taking a second, careful look. Don’t open or even click on a link unless you know who the sender is and have double- and triple-checked that it reads as a standard link. Attackers will take a minor variation on a legitimate web address and hope the user doesn’t notice. If you are suspicious of a URL in an email, hover over it to examine the landing page address and, if it looks fake, don’t click on it. Check that it is the correct URL and not one that looks very similar to, but is slightly different from, the one you’d usually expect.

3. A strange or mismatched sender address. You receive a message that looks to be from an official company account. The sender address looks almost like the company’s! The message warns you that there’s been some strange activity using your account and urges you to click the link provided to verify your login details and the actions that have taken place. In many instances, the phisher can’t fake a real address and just hopes that readers don’t check. Often the sender’s address will just be listed as a string of characters rather than as sent from an official source. Keep an eye on the sender’s address to ensure that the message is legitimately from who it says it is.

4. This message looks too strange or too good to be true. Congratulations! You’ve just won a free trip to Las Vegas – now just provide us with all of your personal information, including your bank details, to claim the prize. As is the case with many things in life, if it seems too good to be true, it probably is. In many cases, phishing emails with the aim of distributing malware will be sent in a blank message containing an attachment. Never clicking on mysterious, unsolicited attachments is a good rule to live by online. Even if the message is more detailed and looks as if it came from someone within your organization, if you think the message might not be legitimate, contact someone else in the company — over the phone or in person rather than over email if necessary — to ensure that they really did send it.

If you want more strategies to protect yourself against hackers and phishing attacks, there is lots of training available online. And always complete the privacy and security settings on your computers!