Recognize and Avoid Spoofing/Phishing Scams

Spoofing

Spoofing is when someone disguises an email address, sender name, phone number, or website URL—often just by changing one letter, symbol, or number—to convince you that you are interacting with a trusted source.

For example, you might receive an email that looks like it’s from your boss, a company you’ve done business with, or even from someone in your family—but it actually isn’t.

Criminals count on being able to manipulate you into believing that these spoofed communications are real, which can lead you to download malicious software, send money, or disclose personal, financial, or other sensitive information.

A scammer might:

  • Spoof an email account or website. Slight variations on legitimate addresses (john.doe@examplecompany.com vs. john.doee@examplecompany.com) fool victims into thinking fake accounts are authentic.
  • Send spearphishing emails. These messages look like they come from a trusted sender and are crafted to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data, giving them the details they need to carry out their schemes.
  • Pretend to be someone you trust. Scammers make themselves seem believable by claiming to be connected with a company you know or a government agency.
  • Create a sense of urgency. They rush you into making a quick decision before you look into it.
  • Use intimidation and fear. They tell you that something terrible is about to happen to get you to send a payment before you have a chance to check out their claims.
  • Use untraceable payment methods. They often want payment through wire transfers, reloadable cards, or gift cards, which are nearly impossible to reverse or track.

Phishing

Phishing schemes often use spoofing techniques to lure you in and get you to take the bait. These scams are designed to trick you into giving information to criminals that they shouldn’t have access to.

In a phishing scam, you might receive an email that appears to be from a legitimate business and is asking you to update or verify your personal information by replying to the email or visiting a website. The web address might look similar to one you’ve used before. The email may be convincing enough to get you to take the action requested.

Phishing is a social engineering tactic in which an attacker sends an employee a fraudulent message via email, instant message, or text message, hoping the unaware employee will click a link that downloads malware onto their system, locks the system as part of a ransomware attack, or reveals sensitive information belonging to the organization.

Use cases: the following can be marked as Spam/Phishing in your email provider without requesting or discussing it with IT:

  • "Mailbox quota exceeded" or "Your mailbox is almost full!" emails
  • Requests for money via gift cards from Apple or other stores
  • "Your email is about to expire!" emails

How to Protect Yourself 

  • Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
  • Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
  • Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
  • Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.
  • Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
  • Verify payment and purchase requests in person if possible, or by calling the person, to make sure they are legitimate. Verify any change in account number or payment procedures with the person making the request, using a channel other than the one the request arrived on; this can be done via Slack or on a call.
  • Be especially wary if the requestor is pressing you to act quickly.
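
The lookalike trick in the spoofing list above (john.doe vs. john.doee) and the advice here to examine the address carefully can be partly automated. The Python below is an added example written for this page, not LF or LFIT tooling: it compares a sender address with a directory of known addresses, folding look-alike characters (rn for m, the digit 0 for o, Cyrillic letters that render like Latin ones) before measuring edit distance, so that a near-miss is reported as a lookalike rather than silently accepted. The directory, the sample senders and the examplecompany.com domain are constructed for illustration.

```python
"""Flag sender addresses that are near-misses of trusted addresses.

Added example for this page, not LF/LFIT tooling. DIRECTORY and the sample
senders in main are constructed for illustration.
"""
import unicodedata

# Characters attackers substitute because they render almost identically.
# Each look-alike is folded onto the ASCII letter it imitates (Cyrillic
# letters are written as code points so the source stays readable).
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u0456": "i", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0445": "x",
}
# Two-letter sequences that read as one letter in many fonts.
DIGRAPHS = {"rn": "m", "vv": "w"}

DIRECTORY = {  # constructed stand-in for the organisation's address book (lowercase)
    "john.doe@examplecompany.com",
    "abby@examplecompany.com",
}


def skeleton(text: str) -> str:
    """Fold text so that look-alike spellings collapse to the same string."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for pair, single in DIGRAPHS.items():
        text = text.replace(pair, single)
    return text


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute, swap neighbours."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def classify_sender(sender: str, directory: set, max_distance: int = 2):
    """Return ("trusted", addr), ("lookalike", nearest addr) or ("unknown", None).

    Local part and domain are compared separately on their skeletons, so a
    pure homoglyph swap scores distance 0 yet still lands in "lookalike",
    because the raw string is not in the directory.
    """
    candidate = sender.strip().lower()
    if candidate in directory:
        return "trusted", candidate
    local, _, domain = candidate.rpartition("@")
    best = None
    for known in directory:
        known_local, _, known_domain = known.rpartition("@")
        distance = (edit_distance(skeleton(local), skeleton(known_local))
                    + edit_distance(skeleton(domain), skeleton(known_domain)))
        if distance <= max_distance and (best is None or distance < best[0]):
            best = (distance, known)
    return ("lookalike", best[1]) if best else ("unknown", None)


if __name__ == "__main__":
    for sample in [
        "john.doe@examplecompany.com",          # genuine
        "john.doee@examplecompany.com",         # extra letter
        "john.doe@exarnplecompany.com",         # rn for m
        "j\u043ehn.doe@examplecompany.com",     # Cyrillic o
        "support@totally-unrelated.example",    # not a lookalike at all
    ]:
        print(f"{sample:40} -> {classify_sender(sample, DIRECTORY)}")
```

Run it and the genuine address is reported as trusted, the three manipulated ones as lookalikes of john.doe, and the unrelated address as unknown. The distance threshold is deliberately small: anything further than two edits away is treated as a different address rather than a disguise, which keeps the check from flagging every vaguely similar address.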

Common Scams

  • Fake Invoices

  • Unordered Office Supplies and Other Products

  • Directory Listing and Advertising Scams

  • Tech Support Scams

  • Social Engineering, Phishing, and Ransomware

  • Credit Card Processing

  • Requesting Bitcoin

Keeping Yourself Protected

Spam & Phishing in Gmail

Documentation link: Mark or unmark Spam in Gmail

Mark emails as spam

As you report more spam, Gmail is better able to automatically mark similar messages as spam.

  1. On your computer, open Gmail.
  2. Select one or more emails.
  3. Click Report spam.

Tip: When you click Report spam or manually move an email into your Spam folder, Google and LFIT will receive a copy of the email and may analyze it to help protect our users from spam and abuse.

Unmark an email as spam

You can remove an email from Spam if you incorrectly marked it as spam:

  1. On your computer, open Gmail.
  2. On the left, click More.
  3. Click Spam.
  4. Open the email.
  5. At the top, click Not spam.

Delete emails in spam

  1. On your computer, open Gmail.
  2. On the left, click More.
  3. Click Spam.
  4. At the top, click Delete all spam messages now. Or, select specific emails, then click Delete forever.

Spam attack on your Gmail account

What this warning means

You get a lot of unwanted emails, such as subscriptions or promotional offers. A hacker tries to fill up your Inbox so that you can't find important security alerts from websites or services you signed up for with your Gmail account.

For example, if a hacker tries to get into your bank account, your bank can notify you by email. But if your Inbox is full of junk mail, you might miss the bank’s alert.

Spam from one of your contacts

If someone on your Contacts list sends you spam, a hacker may have taken over their account.

  1. Do not respond to the email.
  2. To report the email, in the spam alert, click Message looks suspicious. This sends a report to the Gmail team to investigate. You'll continue to get emails from this contact in the future.
  3. Let your contact know their email account may be hacked.

Is that a real LF employee email?

Documentation link: Did that email really come from LF?

Got a weird email that claims to have come from someone at LF, but is setting off some alarm bells? Trust your feelings!

Here's how to check if that email really came from your LF coworker:

  1. Look for a small button in the header with the hover text "Show details".

  [Image: show-details.png]

  2. Look at the window that pops up and check the "Signed by" field. It names the domain whose DKIM signature Gmail verified for that message; for a genuine email from a coworker it should be LF's own mail domain, not a personal webmail domain or something unrelated, and on a spoofed message it is typically missing or belongs to a different domain.

  [Image: legitimate-email.png]

On your mobile device

To check the same in the Gmail app on Android or iOS, tap "view details" and then "view security details", and look for the same "Signed by" line:

  [Image: android-security-details.png]

What does it look like in a phishing email?

Here’s an actual phishing email that was sent to Tasha pretending to come from Abby Kearns:

  [Image: phishing.png]

Hmm… I’m still not sure!

If all of the above looks good, but the email is still giving you some concerns, double-check with the person via a secondary mechanism like Slack, Hangouts, Skype, or by calling them on the phone.
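
What the "Signed by" line actually reports is the DKIM signing domain (the d= tag) of a signature Gmail verified. The Python below is an added example written for this page, not LF or LFIT tooling; it reproduces that check offline from the Authentication-Results header that the receiving mail server adds, comparing the signing domain with the domain in From: the way DMARC alignment does. TRUSTED_DOMAIN (examplecompany.com) and the three messages are constructed samples, and the two-label domain rule is a simplification of DMARC's Public Suffix List lookup.

```python
"""Offline version of the "Signed by" check: does a verified DKIM signature back up From:?

Added example for this page, not LF/LFIT tooling. TRUSTED_DOMAIN and the three
messages below are constructed samples.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "examplecompany.com"  # assumed stand-in for the organisation's mail domain

# Constructed sample 1: coworker's address, signature verified for our domain.
LEGIT = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@examplecompany.com header.d=examplecompany.com;
       spf=pass smtp.mailfrom=examplecompany.com
From: Jane Coworker <jane.coworker@examplecompany.com>
Subject: Lunch?

Free at noon?
"""

# Constructed sample 2: coworker's display name on a webmail address. The
# signature is valid, but it vouches for gmail.com, not for the organisation.
EXTERNAL = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.d=gmail.com;
       spf=pass smtp.mailfrom=gmail.com
From: Jane Coworker <jane.coworker.office@gmail.com>
Subject: Urgent - are you at your desk?

I need you to buy some gift cards right away.
"""

# Constructed sample 3: From: forged as our domain, but nothing signed it.
FORGED = """\
Authentication-Results: mx.google.com;
       dkim=none;
       spf=fail smtp.mailfrom=examplecompany.com
From: Jane Coworker <jane.coworker@examplecompany.com>
Subject: Invoice attached

Please pay the attached invoice today.
"""


def org_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (mail.foo.com -> foo.com).

    Simplification: real DMARC alignment uses the Public Suffix List, so
    suffixes such as co.uk are not handled here.
    """
    return ".".join(host.lower().strip(".").split(".")[-2:])


def dkim_pass_domains(msg) -> list:
    """Signing domains (d= tags) that the receiving server marked dkim=pass."""
    found = []
    for value in msg.get_all("Authentication-Results", []):
        # Clauses are ';'-separated: "authserv-id; dkim=pass header.d=x; spf=..."
        for clause in value.split(";"):
            if re.search(r"\bdkim=pass\b", clause):
                match = re.search(r"header\.d=([\w.-]+)", clause)
                if match:
                    found.append(match.group(1).lower())
    return found


def assess(raw: str, trusted_domain: str = TRUSTED_DOMAIN) -> dict:
    """Classify a raw message by sender domain and DKIM alignment.

    Only trust an Authentication-Results header written by your own mail
    provider; a sender can insert a fake one, which providers are expected
    to strip on receipt.
    """
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    signed_by = dkim_pass_domains(msg)
    aligned = any(org_domain(d) == org_domain(from_domain) for d in signed_by)

    if org_domain(from_domain) != org_domain(trusted_domain):
        verdict = "external-sender"          # name may be familiar, address is not ours
    elif aligned:
        verdict = "aligned"                  # what a genuine coworker email looks like
    elif signed_by:
        verdict = "signed-by-other-domain"   # From: claims us, signature says otherwise
    else:
        verdict = "unsigned-or-failed"       # nobody vouched for this From:
    return {"display_name": display_name, "from_address": addr,
            "signed_by": signed_by, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("external", EXTERNAL), ("forged", FORGED)]:
        print(name, assess(raw))
```

The three verdicts mirror what you see in the Gmail window: a coworker's address signed by the organisation's own domain is the normal case; a familiar name on a webmail address is validly signed, but by the wrong party; and a From: that claims the organisation with no verified signature is the classic spoof. In every case the display name is the least trustworthy field, which is why the check keys on the address and the signing domain rather than the name.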

Also covered under Keeping Yourself Protected:

  • Using 2FA or MFA
  • Using a VPN Provider
  • Keep Devices & Software up to date (documentation link: Keeping Software, Devices & Applications up to date)