How to tell if an email is “Phishy”

Email is a vital tool for conducting PTA business, but like many tools it can be misused and cause harm. Bad actors are using email as a way to transmit malware, ransomware, and phishing attacks, all of which can harm the finances and reputations of individuals and organizations. In fact, PTAs in California and across the country have been targeted by these attacks.

What is phishing?

Phishing is a general term for a variety of email-based scams that seem to come from a trusted source but trick you into giving up private information or taking risky actions. They are difficult to defend against because they rely on human psychology rather than technology to victimize their targets. At the California State PTA office alone, 10% of blocked emails are phishing attempts. This figure does not include the number of phishing emails that are delivered to individual users’ email inboxes.

Spear phishing, a specific subtype of these scams, targets members of a company or organization who possess sensitive or privileged information. In the case of California PTA, volunteer leaders are sent messages that purport to be from a member of the staff or a member of the Board of Directors or Managers. The messages request that the recipient click a link or button in the email, provide financial information, or even purchase gift cards. Most of these emails appear legitimate, and with the advent of AI, they are becoming more and more indistinguishable from genuine messages.

Stay alert and you can catch these “phish”

Due to the nature of the scam, technological solutions will not provide complete protection. The best defense against phishing emails is vigilant, informed users. To keep yourself and the PTA safe, arm yourself with critical thinking before you click on a link or respond to an email.

  • Recognize who is sending the email to you. Do not trust the name on the signature. Instead, look at the email address itself. In Outlook, double-click the name of the sender to see the email address that the message was sent from, and verify it is the correct address; in Gmail, hover over the name of the sender.
  • Verify through other communication methods that the message is legitimate. If a message is asking you to provide passwords or financial information, contact the sender via phone or text message to verify that they have sent the email to you.
  • Trust your intuition. Phishing scams pose as people we know and often include an element of urgency to take advantage of our natural tendency to want to help. If a request seems unusual or needlessly rushed, treat that as a warning that the message may not be what it seems to be. Verify with the purported sender before responding.
  • Don’t respond to strangers. Never click links or open attachments from email messages that you receive from unknown senders.
  • Practice good cyber-hygiene. Keep your software updated and your firewalls and anti-virus software current. Use separate, strong passwords for all online accounts.

Following these practices and exercising general vigilance will help to safeguard your assets and privacy as well as the security of our organization as a whole.
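
For readers who manage a shared mailbox or mail filter, the first check in the list above (compare the displayed name with the actual address) can be automated. The sketch below is an added example, not a California State PTA tool; the domain `pta.example`, the name "Pat Example" and the sample messages are constructed placeholders.

```python
from email import message_from_string, policy

# Assumed values: your organization's real mail domain and the names of
# people a scammer is likely to impersonate. Placeholders, not real data.
TRUSTED_DOMAINS = {"pta.example"}
KNOWN_NAMES = {"pat example"}

def sender_warnings(raw_message):
    """Return the reasons a message's sender line deserves a second look."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        return ["no parseable From address"]
    sender = from_header.addresses[0]
    domain = sender.domain.lower()
    name = sender.display_name.strip().lower()
    warnings = []
    # A familiar name sitting on an address outside the organization.
    if name in KNOWN_NAMES and domain not in TRUSTED_DOMAINS:
        warnings.append("known name, outside address")
    # The "name" is itself an address, but not the one that sent the mail.
    if "@" in name and name != sender.addr_spec.lower():
        warnings.append("display name shows a different address")
    # Replies would silently go somewhere other than the sending domain.
    reply_to = msg["Reply-To"]
    if reply_to is not None:
        if any(a.domain.lower() != domain for a in reply_to.addresses):
            warnings.append("replies go to a different domain")
    return warnings

# Constructed sample messages (not real mail).
LEGIT = ("From: Pat Example <pat@pta.example>\n"
         "Subject: Agenda for Tuesday\n\nSee attached agenda.\n")
SPOOF = ("From: Pat Example <pat.office@mail.example>\n"
         "Reply-To: pat.helpdesk@other.example\n"
         "Subject: Quick favor needed today\n\nAre you available?\n")
LOOKALIKE = ('From: "pat@pta.example" <billing@mail.example>\n'
             "Subject: Invoice\n\nPlease review.\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF),
                       ("lookalike", LOOKALIKE)):
        print(label, sender_warnings(raw))
```

A clean result only means the sender line is consistent; an unusual or rushed request should still be verified by phone or text as described above.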