Phishing is a cyber-attack method using email, social media, text messages, and phone calls to trick the victim into giving up personal information. The attacker will then use the information to access personal accounts or commit identity fraud.
Look at the “From” email address – If you receive an email from a business or your association, the portion of the sender’s email address after the “@” should match the business or association name. If an email claims to represent a company or government entity but uses a public email address like “@gmail,” this is likely a sign of a phishing email. Keep an eye out for subtle misspellings of the domain name. For example, let’s look at this email address “email@example.com.” We can see that Netflix has an extra “x” at the end. The misspelling is a clear sign that the email was sent by a scammer and should be deleted immediately.
Look for grammatical errors – An email full of grammatical mistakes is a sign of a malicious email. All of the words may be spelled correctly, but sentences are missing words that would make the sentence coherent. For example, “Your account is been hacked. Update password to account security”. Everyone makes mistakes, and not every email with a typo or two is an attempt to scam you. However, multiple grammatical errors warrant a closer look before responding.
Look for suspicious attachments or links – It is worth pausing for a moment before interacting with any attachments or links included in an email. If you don’t recognize the sender of an email, you shouldn’t download any attachments included in the email, as they could contain malware and infect your computer. If the email claims to be from a business, you can Google their contact information to verify the email was sent from them before opening any attachments. If an email contains a link, you can hover your mouse over the link to verify the URL is sending you where it should be.
Watch out for urgent requests – A common trick used by scammers is to create a sense of urgency. A malicious email might manufacture a scenario that needs immediate action. The more time you have to think, the greater the chance you will identify that the request is coming from a scammer. Common phishing examples include that urgent email from your “boss” asking you to pay a vendor ASAP or from your bank informing you that your account has been hacked and immediate action is required.
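The sender-address check from the first tip above can also be automated. The following Python sketch is an added example, not part of the original article: it compares the domain after the “@” with the one you expect and flags public mailboxes and near-miss spellings. The domain hoa.example, the provider list and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed short list of public mailbox providers; extend for real use.
PUBLIC_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, expected_domain: str) -> str:
    """Compare the domain after "@" in a From header with the expected one."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    expected = expected_domain.lower()
    # Exact domain or a genuine subdomain of it (mail.hoa.example).
    if domain == expected or domain.endswith("." + expected):
        return "match"
    if domain in PUBLIC_PROVIDERS:
        return "public-mailbox"
    # One or two character edits away: the "extra letter" style of misspelling.
    if edit_distance(domain, expected) <= 2:
        return "lookalike"
    return "mismatch"

# Constructed sample headers (hypothetical names and domains).
SAMPLES = [
    "Pat President <president@hoa.example>",
    "Pat President <pat.president.hoa@gmail.com>",
    "Pat President <president@hoaa.example>",
    "Pat President <president@hoa.example.invalid>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header, 'hoa.example'):15} {header}")
```

A “match” only means the visible address passes this check; because a From address can be forged, payment requests still need confirmation through a separate channel.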
Association treasurers have received suspicious emails requesting funds to be transferred via wire. The email is sent to the treasurer and uses what appears to be the president’s email address.
Here is an actual email received by a treasurer claiming to be from the president:
Bank of American
Address:6166 refound rd.Dallas 75231
Email me with a copy of the wire confirmation as soon as the payment is done.
I cant give you much details at the moment, I am in a conference, the payment need to be completed today, I will send you the invoice when am back home, let me know how soon you can get this sorted.
This activity is most commonly referred to as phishing. In the fraudulent email, there may be links to spoof websites or even spoof email addresses that imitate an association’s website. If you Google “email requesting wire transfer” you will see lots of postings on this subject.
The emails will often state that there is an urgent need for you to update your information immediately. Once obtained, your personal information can be used to steal money or transfer stolen money into another account.
The fraudsters will often find your information from the board roster on the website to help authenticate their request for information.
Use caution if you receive an email expressing an urgent need for you to update your information, activate your online banking account, transfer money or verify your identity by clicking on a link. These emails may be part of a phishing scam conducted to capture your confidential account information and commit fraud.
While technical controls have been implemented to help reduce the chance of this happening, the best prevention is board member education and association policies and procedures regarding the disbursement of funds. The association may also want to consider removing the email addresses listed on the website board roster or at least removing the email address of the treasurer from the association website.