Phishing scams are practically as old as email and the World Wide Web themselves. The basic concept is simple—trick someone into providing personal information such as a bank account or login credentials (taking the bait, if you will) by appearing to be a legitimate entity (the lure).

Phishing requires two basic things in order to work:

1. A legitimate-seeming appearance and message
2. A lack of informed scrutiny on behalf of the recipient

Many factors play into making a message seem legitimate, including and especially recognizable branding and (often) a sense of urgency. It comes down to the sophistication of the scammers. But in a digital world, practically anything can be convincingly replicated. That’s why the burden of informed scrutiny falls on you.

The scam doesn’t have to originate from a global brand with a huge user base like eBay or Bank of America, either. In fact, a few times each year, some Track customers receive emails from scammers pretending to be us.

A legitimate company will almost never ask you to provide or confirm sensitive information, so if you receive an email asking you to do something like that, you should be immediately suspicious.

Telltale Signs of Phishing

1. Strange or unfamiliar email domains
   Because scammers don’t have access to a company’s domain name registration or hosting, they have to make one up. The most recent Track phishing scam, for example, used the domain name “streamlinevrassets.info” and the username, “marketing=tnsinc.com.” The format in our case should be, “[email protected].”
   
   To see this information, your email view needs to include the full email of the sender, and not just their name. For example, the basic Gmail inbox view doesn’t show the sender’s address until you click into the email itself. The majority of phishing emails fail this test, however, it’s possible to spoof email header information like the “From” and “Reply-to” information.
   
   There are tools available, such as MX Toolbox, that can help you draw some useful conclusions about a sending domain. In this example, the domain, “streamlinevrassets.info” has no DMARC record or DNS record. Legitimate domains are registered through these established global mechanisms, so you will see those records as being found.

2. Misspelled domains or unusual domain extensions
   In our most recent phishing attack, the scammer used the domain tnsincs.com and not tnsinc.com, hoping somebody wouldn’t notice the change. Sometimes, they’ll just use an extension other than .com, such as .info or .net.
   
   If you’re not sure what the actual domain name is, Google the company and visit their actual website to verify. If what you received is different, there’s a good chance it’s a scam. Subdomains, however, such as support.google.com, are likely legitimate because they end in the root domain.

3. Poorly written content
   Many scammers come from non English-speaking countries and are trying to replicate legit emails through the filter of their native tongue. Odd or weirdly formal turns of phrase are common, as are obvious grammatical errors like subject-verb agreement or basic typos.
   
   This isn’t necessarily a reliable measure, however, as many companies and even former bastions of journalism are prone to such errors. At the same time, AI can now write grammar-perfect copy that could fool just about anyone.

4. Urgency or pressure
   Be cautious of emails that create a sense of urgency, such as “This step is required to maintain access to your account” or “Please verify your account immediately.” Additionally, emails that include multiple hyperlinks asking for sensitive information, such as account details or credentials, are clear signs of a phishing attempt.
   
   Generally speaking, legitimate companies rarely ask you to take time-sensitive actions regarding your account other than to occasionally change your password, renew a subscription, review suspicious activity, and the like. If you’re not sure about the legitimacy of a message, don’t click any links in the message and go directly to the company’s website for more information.
5. Weirdly long or complex hyperlinks
   When an email contains hyperlinks or buttons, you can roll over them to see what address they point to. If it’s an especially long or strange-looking URL, there’s a good chance it’s a scam.
   
   Look especially for a distinct and accurate representation of the company’s actual domain in the address (e.g. login.amazon.com). Often, if you look closely, it will be misspelled or combined with numbers or have an unusual domain extension like .info.
6. Use an email protection service
   Systems like Trustfi, Area 1, and Barracuda offer inexpensive services that can help protect you from phishing scams. Basically, they act as a “middleman” between the sender and whatever email service you use to flag and potentially intercept suspicious messages.
7. Change your passwords, especially if you accidentally submit personal information
   Changing your passwords every so often is always a good idea, as is making them an adequately long combination of letters, numbers, caps, and symbols. But what do you do if you realize you submitted information that you shouldn’t?
   
   The most important thing is to change your password(s) immediately for the service or platform being spoofed. If you act quickly, you may be able to get ahead of the scammer.

Phishing has been around for about as long as we’ve had passwords. Scammers and bad actors have had a lot of time to perfect their odious craft, and the average user hasn’t necessarily kept pace. But by applying healthy skepticism, a little know-how, and helpful tools to your daily interactions online, you can avoid becoming a victim.

Cybersecurity at Track

We at Track take cybersecurity seriously and have taken many steps to safeguard not just the data in our care but our customers’ trust in us. For a software company, that trust is everything.

Multiple layers of enterprise-class security are in place between our applications and the databases from which they read and write. These layers include email security, hosting security, password management, and many more attached to Amazon Web Services (AWS) such as firewalls. We also have 24/7 monitoring and alerting in place for our network based on the most current and comprehensive security frameworks and controls.

In other words, we practice what we preach and are as vigilant as we can be. The truth is, phishing scams aren’t going anywhere—they’re just getting more sophisticated. But that doesn’t mean you have to live in fear. By staying informed, thinking critically, and taking advantage of the tools and safeguards available to you, you can navigate your inbox with confidence.

Remember: when in doubt, don’t click. Take a breath, take a closer look, and trust your instincts. And if you’re a Track customer, know that we’re not just watching out for ourselves—we’re watching out for you, too.

Stay safe out there.