Phishing is a type of cyberattack that aims to trick you into revealing your personal or financial information, such as passwords, bank accounts, or credit card numbers. Phishing messages often look like they come from legitimate sources, such as your bank, your employer, or a popular website, but they are actually designed to lure you into clicking on malicious links, opening infected attachments, or taking other actions that could compromise your security.
Phishing is one of the most common and dangerous threats on the internet, as it can lead to identity theft, fraud, ransomware, and other harmful consequences. It's also one of the most difficult threats to guard against using purely technological safeguards. Therefore, it is essential for us humans to learn how to recognize phishing messages and avoid falling victim to them. Remember, phishing isn't just for email anymore. Phishing attacks can come through text messages, voicemails, phone calls, even old-fashioned letters.

In this blog post, we will share with you a simple and effective method to spot phishing messages, no matter the source or the medium. We've dubbed it the A.E.I.O.U. method, and it consists of asking yourself five questions with every email, text message, call, and voicemail you receive. These questions are:

A: Is there a requested ACTION?

Phishing messages often want you to take an action, like clicking a link, signing on to a website, resetting a password, transferring money, or allowing access to your system. If the message asks you to do something, be suspicious and verify the request before proceeding.

Not every message that asks you to take an action is a phishing attack, but every phishing attack starts by asking you to take an action.

E: Did I EXPECT this message?

Phishing messages are often indistinguishable from legitimate ones. Cyber criminals take great care to copy the look and tone of legitimate messages. A message that is pretending to be from your boss will have your boss' signature at the bottom. A message purporting to be from Microsoft 365 will exactly copy other official communications from Microsoft. A message from a compromised vendor account will likely be about an existing matter and will use the correct industry terminology.

The most important question you can ask yourself is, were you expecting this message from this source? Or, would you normally expect this sort of message from this source? If the message is unexpected, unsolicited, or out of the ordinary, it could very likely be a phishing attempt. Proceed with caution.

I: Will I disclose INFORMATION?

A message looking for sensitive information is another red flag. The message itself might not request information directly—that might come in a subsequent message, or it might come after you click a link, and are asked to provide a password.

If taking the requested action would provide sensitive information to the recipient, there’s a high likelihood it’s a phishing attempt. Never give out your personal or financial information to anyone online, unless you are absolutely sure of their identity and legitimacy. Always check the sender’s email address, the URL of the website, and the security indicators of the connection before entering any information.

O: How do I verify this message is OFFICIAL?

If the message seems at all suspicious, you’ll need to verify its authenticity before proceeding. You can’t do that by replying or using any contact info in the message, as they could be fake or compromised. Instead, use a different channel or source to contact the sender, such as their official website, phone number, or social media account.

You need to confirm with the purported sender if they really sent you that message and if the request is valid. With a human, that's easy, but what about if you receive a message that looks like it's from an online service? Don't click the link! Simply go to the website for that service and sign in normally. If there's an issue that you need to take care of, you should be notified of it when you sign in.

U: Is the message URGENT?

Urgency is the number one tell of phishing messages.

An enhanced level of urgency, a time limit, or an elevated tone are frequently used to trick a victim into taking action they would normally think twice about. Phishing messages often create a sense of pressure or fear, such as threatening to close your account, suspend your service, or report you to the authorities. Don’t let these tactics rush you into making a mistake. Take your time and think critically before responding to any message.

There's a takeaway for all of us in this one. In your legitimate correspondence, avoid unnecessary urgency. Employees in a high-pressure environment where everything is urgent are far more likely to fall for phishing scams than employees in calmer climates.

Wrap-up

By asking yourself these five questions, you can quickly and easily identify phishing messages and avoid falling for them. Building this quick habit can prevent serious consequences such as ransomware and financial loss. Habits aren't formed overnight, though. If you need a convenient resource to help you remember the questions to keep you safe, download your free, printable, A.E.I.O.U. Phishing Prevention poster here.
