Not long ago, phishing was primarily aimed at the consumer market, and malware was considered the biggest threat to businesses. Today, phishing is the top social attack on businesses and responsible for most security breaches. Before we delve into how to spot a phishing email, let’s first explain what they are and what they can do.
What is phishing?
Phishing is a cybercrime in which a target or targets are contacted via email, phone or text message by someone posing as a legitimate source to “lure” individuals into providing sensitive data such as banking details or passwords. The information is then used to access important accounts and can result in identity theft and financial loss. Phishing can also be used to trick users into clicking on a malicious link, allowing the cybercriminal to download malware onto your device and access your business data.
Common types of Phishing
Mass-scale Phishing: An attack in which fraudsters cast a wide net rather than targeting specific victims.
Spear Phishing: Tailored to a specific victim or group of victims using personal details.
Whaling: Specialised type of spear phishing that targets a “big” victim within a company.
It doesn’t matter if you have the most secure security system in the world: cybercriminals know that the weakest part of your security is your employees. Your staff play a necessary role in attacks, because they are the ones who launch the malicious software, scripts or documents delivered through links or attachments.
Without your users, the bad guys have no ability to infect your environment. It takes only one employee to be fooled by a phishing attack and give away the data you’ve worked so hard to protect. Make sure both you and your employees understand the telltale signs of a phishing attempt. Check out our 8 tips below.
How to Spot a Phishing Email
If you receive an email from a person or company urging you to provide confidential information, such as a password or card number, you might be the target of a phishing scam. Whilst phishing has evolved to use complex techniques, there are a couple of key indicators which, if you learn them and keep them in mind, can drastically reduce your chances of being phished! The following tips can help you avoid falling victim to phishers.
Check the actual “From” address: Don’t just check the name of the person sending you the email. Check their email address by hovering your mouse over the ‘from’ address. Unless cybercriminals have compromised the organisation’s email systems, they’ll have to use a different domain. This usually involves a public email domain, such as Gmail, in which case the message will come from an address that looks like, for example, ‘firstname.lastname@example.org’.
Always inspect the email address closely and make sure there are no spelling mistakes or alterations in it, such as additional numbers or letters. Here it’s our domain but with an extra T; at a quick glance you probably wouldn’t spot this!
Urgent action required: Attackers often create a sense of urgency that puts users in a panic mode where they are more likely to fall victim to an attack. Be wary of emails containing phrases like “your account will be closed,” “your account has been compromised,” or “urgent action required.” The fraudster is taking advantage of your concern to trick you into providing confidential information.
Out of character emails: If you have received what looks like a legitimate email from a colleague but it seems out of character, take a moment to ask yourself “would this person really contact me about this?” If you’re in any doubt whatsoever, speak to that person either over the phone or face-to-face. If you reply to the email itself, there’s a good chance the attacker already has control of their mailbox and could reply to confirm the initial request, perhaps more convincingly the second time.
An impersonal greeting: Fraudsters often send thousands of phishing emails at one time. They may have your email address but not your name, so an impersonal message could signal a mass-scale phishing attack. Be sceptical of an email sent with a generic greeting such as “Dear Customer” or “Dear Member”.
Bad spelling or grammar: Spelling and grammar can play a big role in the detection of phishing emails. Check for fonts that don’t match the brand, spelling mistakes and grammatical errors. An email from a legitimate organisation should be well written.
Believe it or not, hackers send error-ridden emails on purpose to weed out individuals who may be less observant or unable to recognise mistakes, making them easier targets.
Other warning signs to look for:
- Links containing an official company name, but in the wrong location. For example, “https://www.outlook.com” is a fake address that doesn’t go to a real Outlook website. A real Outlook web address has a forward-slash (“/”) after “outlook.com”, for example “https://www.outlook.live.com/” or “https://login.outlook.com/”.
- Spelling errors, poor grammar, or inferior graphics.
- Requests for personal information such as your password, bank account or credit card number. Legitimate companies will never ask you to verify or provide confidential information in an unsolicited email.
- Attachments (which might contain viruses or keystroke loggers, which record what you type).
- Is the email written in the style or tone of the person sending it?
Strange or unexpected attachment: Unsolicited emails that contain attachments reek of hackers. Typically, authentic institutions don’t randomly send you emails with attachments but instead direct you to download documents or files on their own website.
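As an added illustration (example code, not part of the original post), the following Python script applies the tell-tale signs above to a raw email: it compares the display name with the real sender domain, flags a domain that is one character off your own (the extra-letter trick), scans the body for the urgency phrases and generic greetings listed, and notes any attachments. The trusted domain `ourcompany.example`, the look-alike `ourcomppany.example` and the sample message are constructed placeholders.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

TRUSTED_DOMAIN = "ourcompany.example"   # assumed placeholder for your own domain
URGENCY = ("urgent action required", "account will be closed", "account has been compromised")
GREETINGS = ("dear customer", "dear member")

def within_one_edit(a, b):
    """True if a is b with exactly one character inserted, removed or substituted."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if len(a) >= len(b): i += 1   # extra or substituted character in a
        if len(b) >= len(a): j += 1   # missing or substituted character in b
    return edits + (len(a) - i) + (len(b) - j) == 1

def phishing_indicators(raw, trusted_domain=TRUSTED_DOMAIN):
    """Apply the article's tell-tale signs to a raw RFC 5322 message; return the hits."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    # The display name can claim anything; only the domain of the real address counts
    if trusted_domain.split(".")[0] in display_name.lower() and sender_domain != trusted_domain:
        flags.append(f"display name claims {trusted_domain} but real address is {address}")
    if within_one_edit(sender_domain, trusted_domain):
        flags.append(f"look-alike domain {sender_domain} (one character off {trusted_domain})")
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().lower() if body else ""
    flags += [f"urgency phrase: {p!r}" for p in URGENCY if p in body_text]
    if body_text.lstrip().startswith(GREETINGS):
        flags.append("impersonal greeting")
    attachments = [part.get_filename() for part in msg.iter_attachments()]
    if attachments:
        flags.append(f"unsolicited attachment(s): {attachments}")
    return flags

def build_sample():
    """Constructed message carrying several indicators at once; not a real phishing email."""
    m = EmailMessage()
    m["From"] = '"OurCompany IT Support" <it.support@ourcomppany.example>'  # extra "p"
    m.set_content("Dear Customer,\n\nUrgent action required: your account will be closed.\nOpen the attached invoice.\n")
    m.add_attachment(b"not a real zip", maintype="application", subtype="zip", filename="Invoice.zip")
    return m.as_string()
```

Running `phishing_indicators(build_sample())` lists six hits for the sample; a plain message from a colleague at the trusted domain with no attachment produces none.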
What else can you do to protect your business?
With phishing attempts on the rise, teaching staff what a suspicious or malicious email looks like, what kind of tactics are used, and ways to avoid becoming a victim of a scam is a no-brainer. As part of our Managed Cyber Security service, we give your staff training on identifying and protecting themselves against attacks such as phishing. If you are interested in learning more about this service, get in touch with a member of the Netitude team today!