What exactly is a "phishing" scam? Well... the term is a play on words for 'fishing', as these 'fraudsters' or 'bad actors' are trying to fish you, and unfortunately in this scenario you're the fish and they're trying to catch you.
There are different ways for these people to gather information - a lot of the time it is through your company website, Facebook, LinkedIn, Twitter, Google or other internet searches. You could receive an email that seems legitimate, or feel they have too much information for it to be a scam, but in this day and age of social media a lot of this information is freely available online. That's commonly how these bad actors find out who you are, who your boss is, your email address, your title, who your direct reports are, etc. It is important to be aware that it is not uncommon for bad actors to find this information publicly, even information you may not know is out there.
Phishing Scam Scenario
One of the main phishing scams going around is exploitation. In this scenario we are going to talk about receiving an email that appears to come from a coworker asking if you are busy.
So, you receive an email asking you to help with a task, and it looks like it came from your coworker John Doe. You reply back letting them know when you are available to chat. You quickly get a response from John with an excuse for why he can't talk on the phone or in person (he's in a meeting), but he needs you to run a quick errand. You reply back assuring him you can help! The task John wants you to do is to run down to the store, buy some gift cards, scratch the back of them and send him the codes. Ok, easy enough... you do that! Well, it turns out a scammer has impersonated your coworker John Doe and has now quickly resold the codes you gave him or bought products with them. Once you have sent them the codes, your money is lost, and you could be out anywhere from hundreds to thousands of dollars!
Let's take a look at some signs you can pick up on to avoid falling victim to this.
The first thing to look out for when receiving a fishy message is the email address. The company email domain in this scenario is "@yourcompany.ca". If the email were legitimately from your coworker it should read "email@example.com", but when looking at the email you received it reads "firstname.lastname@example.org". This is the first major sign to pick up on! If it was your coworker emailing you, it should be coming from their regular work email domain. However, maybe your coworker is reaching out to you from their personal email, so what should you do then?
You aren't sure whether John Doe has sent you a message from his personal email account. Instead of replying to the email, the best advice we can give you to help validate whether it's real is to call your coworker, on a number you already have rather than one given in the email, and have a conversation. It's very hard to fake a real conversation on the phone with someone.
Look out for small details like odd language, bad grammar, or the regular email signature your coworker typically uses being missing. Any time you get the sense of something fishy, like we mentioned above, the best advice is to have a quick phone call to confirm!
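The sender-address check described above, as an added example that is not part of the original article: it pulls the real address out of a From: header (ignoring the display name, which is what the scam relies on), compares its domain against the company domain from the scenario, and flags outside domains that merely contain the company name. The "lookalike" heuristic and the sample headers are assumptions constructed for this example.

```python
from email.utils import parseaddr

# Company domain from the scenario in the article; change it for your own org.
COMPANY_DOMAIN = "yourcompany.ca"


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the real address in a From: header.

    The display name is deliberately ignored: 'John Doe <jd@example.org>'
    still resolves to example.org, which is exactly the trick the scam uses.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def check_sender(from_header: str, company_domain: str = COMPANY_DOMAIN) -> str:
    """Classify a From: header as 'internal', 'lookalike', 'external' or 'unparseable'.

    'internal'    - exactly the company domain or a subdomain of it
    'lookalike'   - an outside domain that contains the company name (e.g. yourcompany-ca.com)
    'external'    - any other domain (a personal mailbox, or an impersonator's)
    'unparseable' - no usable address in the header
    """
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    company_domain = company_domain.lower()
    if domain == company_domain or domain.endswith("." + company_domain):
        return "internal"
    # Heuristic (an assumption of this example): the first label of the
    # company domain appearing inside a foreign domain is treated as a lookalike.
    company_label = company_domain.split(".")[0]
    if company_label in domain:
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, not real addresses.
    samples = [
        "John Doe <john.doe@yourcompany.ca>",
        "John Doe <john.doe@mail.yourcompany.ca>",
        "John Doe <john.doe@yourcompany-ca.com>",
        "John Doe <firstname.lastname@example.org>",
        "no address here",
    ]
    for header in samples:
        print(f"{check_sender(header):<12} {header}")
```

A result of "external" is not proof of fraud (it may really be a personal mailbox), which is why the article's advice to confirm by phone still applies.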