
How to spot a Phishing email

David West Sep 9, 2020 12:00:00 AM

Cybercriminals know that the weakest part of your cybersecurity is your people. In fact, according to one study, 88% of all data breaches are caused by an employee mistake.

Not long ago, phishing was primarily aimed at the consumer market, and malware was considered the biggest threat to businesses. Today, phishing is the top social attack on companies and is responsible for most security breaches. 

Before we delve into how to spot a phishing email, let's first explain what they are and how they work.

What is phishing?

Phishing is a type of social engineering attack* often used to steal personal details such as account numbers, credit card information, or passwords. A threat actor impersonates a trusted entity and dupes you into opening an email, instant message or text message, then tricks you into clicking a malicious link or opening an attachment, which can lead to malware being installed and sensitive data being stolen.

*Social engineering attacks psychologically manipulate people into making security mistakes or giving away sensitive information. Attackers often do their homework first, for example by reading your social media accounts to learn about you and the people you're connected with, and then use that information to make the approach convincing.

Common features of phishing emails

There are a handful of key indicators that, once you know them, drastically reduce your chances of being phished. So here are our top 8 red flags to look out for.

1. The from address is misspelt or from a freemail account

Don’t just check the name of the person sending you the email. Instead, check their actual email address by hovering your mouse over the ‘from’ name. Unless cybercriminals have compromised the organisation’s email systems, they’ll usually have to use a different domain. This often means a public email domain, such as Gmail, in which case the message will come from an address that looks like, for example, ‘netitude@gmail.com’. One caveat: if the impersonated domain doesn’t publish SPF, DKIM and an enforcing DMARC policy (p=quarantine or p=reject), and your mail gateway doesn’t act on them, an attacker can put the genuine address in the ‘from’ field without compromising anything, so a correct-looking address is reassuring but not proof.

Always inspect the email address closely, and make sure there are no spelling mistakes or alterations made in the email address, such as additional numbers or letters. For example, here it’s our domain, but with an extra T – at a glance, you probably wouldn’t spot this!

Snippet of a fake email titled "URGENT! Payment Needed". The from field shows Adam Harling, but the company domain is misspelt: <adam.harling@nettitude.co.uk>.
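The address checks from red flag 1, as an added example that is not part of the original post. The trusted-domain set, the freemail list and the sample headers below are constructed for illustration; the script needs only the Python standard library.

```python
"""Added example (not from the original post): flag a suspicious 'from' address.

The real address behind the display name is extracted and compared against
the organisation's own domains. TRUSTED_DOMAINS, FREEMAIL_DOMAINS and the
sample headers are constructed for this example, not Netitude's data.
"""
from email.utils import parseaddr

# Assumption (constructed): the organisation's legitimate sending domains.
TRUSTED_DOMAINS = {"netitude.co.uk"}

# A few widely used public mail providers; extend this for your environment.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from(from_header: str) -> list[str]:
    """Return the red flags raised by a From header; an empty list means none."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return ["no parsable sender address"]
    # Our own domain, or a subdomain of it, raises nothing.
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return []

    flags = []
    if domain in FREEMAIL_DOMAINS:
        flags.append(f"freemail domain: {domain}")
    for trusted in TRUSTED_DOMAINS:
        # One or two edits away, e.g. nettitude.co.uk (extra T) for netitude.co.uk.
        if levenshtein(domain, trusted) <= 2:
            flags.append(f"lookalike of {trusted}: {domain}")
        # The real name buried inside a longer hostname, e.g. netitude.co.uk.evil.example.
        elif trusted in domain:
            flags.append(f"embeds {trusted}: {domain}")
    # A display name that carries our domain while the address does not.
    if any(trusted in name.lower() for trusted in TRUSTED_DOMAINS):
        flags.append(f"display name carries a trusted domain: {name!r}")
    return flags


if __name__ == "__main__":
    # Constructed sample headers.
    for header in (
        "Adam Harling <adam.harling@netitude.co.uk>",
        "Adam Harling <adam.harling@nettitude.co.uk>",
        "Netitude Support <netitude@gmail.com>",
        '"netitude.co.uk Accounts" <accounts-notice@outlook.com>',
    ):
        print(f"{header:60} -> {check_from(header) or 'OK'}")
```

The edit-distance threshold of two catches the extra-letter, dropped-letter and swapped-letter variants that a glance misses; the substring check catches the other common trick, where the genuine domain is just a label inside a hostname the attacker controls.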

2. The email states urgent action is required

Be suspicious of emails that claim you must click, call, or open an attachment immediately. Often they’ll claim you have to act now to claim a reward or avoid a penalty. Creating a false sense of urgency is a common trick of phishing scams to gain sensitive information.

3. The content seems out of character

If you’ve received what looks like a legitimate email from a colleague that seems out of character, take a moment to ask yourself, “would this person really contact me about this?”

If you’re in any doubt whatsoever, speak to that person over the phone or face-to-face, using a number you already have rather than one given in the email. Don’t rely on replying to the email itself: if the attacker has control of the sender’s mailbox, they will simply respond to confirm the request.

4. An impersonal greeting

Fraudsters often send thousands of phishing emails at once. They may have your email address but not your name, so an impersonal message is a sign of a mass-scale phishing campaign.

Be sceptical of an email sent with a generic greeting such as “Dear Customer” or “Dear Member”.

5. The email has bad spelling or grammar

Spelling and grammar can play a significant role in detecting a phishing message. Check for spelling and grammatical errors, and for fonts and styling that don’t match the brand. An email from a legitimate organisation should be well written.

Believe it or not, some scammers send error-ridden emails on purpose, to weed out observant recipients and leave only the easier targets who reply. The reverse doesn’t hold, though: a polished, error-free email can still be a targeted phish, so treat good writing as the absence of one red flag, not as proof of legitimacy.

6. Check URLs from suspicious-looking emails

Don’t open any links if you suspect an email message is a scam. Instead, hover your mouse over the link (on a phone, press and hold it) to see whether the actual destination matches the address shown in the message text. You can also test links by pasting them into a URL checker; never click through to find out.

7. The email links to a fake website

Fraudsters often include a link to a malicious website that displays a sign-in page to trick you into disclosing your login credentials. Be careful; just because a site consists of a company’s logo or looks real doesn’t mean it is.

Check the web address carefully, for example, www.netitude.co.uk versus www.netittude.co.uk, and look at the whole hostname, not just the part that looks familiar: netitude.co.uk.example.com is a page on example.com, not on our site. A padlock or https:// only means the connection is encrypted, not that the site is genuine; phishing pages routinely have valid certificates. If in doubt, exit the website.

8. The email has a strange or unexpected attachment

Unsolicited emails that contain attachments reek of hackers. Typically, authentic institutions don’t randomly send you emails with attachments but instead direct you to download documents or files on their website.

Sometimes companies that already have your email will send you information, such as a white paper that may require a download. Look for high-risk attachment file types, including .exe, .scr, and .zip. Script and shortcut files (.js, .vbs, .hta, .lnk), disk images (.iso, .img) and macro-enabled Office documents (.docm, .xlsm) deserve the same suspicion, and an archive is often just a wrapper that gets one of these past a mail filter. Watch for double extensions such as invoice.pdf.exe, where only the last one counts.

Contact the company directly using contact information obtained from their website when in doubt.
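The link and attachment checks from red flags 6, 7 and 8, as an added example that is not part of the original post. The raw message, its boundary string, the hostnames and the attachment filename below are constructed for illustration; the scanner uses only the Python standard library.

```python
"""Added example (not from the original post): scan an email for the link and
attachment red flags described above. RAW_EMAIL is a constructed sample."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions worth stopping on; extend for your environment.
HIGH_RISK_EXTENSIONS = {".exe", ".scr", ".zip", ".iso", ".lnk", ".js", ".hta", ".docm", ".xlsm"}

# Constructed sample: a lookalike sender, a link whose text and target disagree,
# and a double-extension attachment. Not a real message.
RAW_EMAIL = """\
From: "Netitude Billing" <billing@nettitude.co.uk>
To: you@example.com
Subject: URGENT! Payment Needed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer, your invoice is overdue. Sign in at
<a href="http://netitude.co.uk.invoice-portal.example/login">https://www.netitude.co.uk/invoices</a>
to avoid a penalty.</p>
--b1
Content-Type: application/octet-stream; name="invoice_4471.pdf.scr"
Content-Disposition: attachment; filename="invoice_4471.pdf.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Hostname of a URL or bare domain; '' when the text isn't address-like."""
    text = text.strip()
    if "://" not in text:
        if " " in text or "." not in text:
            return ""
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def same_site(shown: str, actual: str) -> bool:
    """True when the real target is the shown host or a subdomain of it."""
    shown, actual = shown.removeprefix("www."), actual.removeprefix("www.")
    return actual == shown or actual.endswith("." + shown)


def scan(raw: str) -> dict:
    """Walk the MIME parts and return the link and attachment red flags found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {"link_mismatches": [], "risky_attachments": []}
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            # Only the final extension matters: invoice.pdf.scr is a screensaver executable.
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in HIGH_RISK_EXTENSIONS:
                findings["risky_attachments"].append(filename)
            continue
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                shown, actual = host_of(text), host_of(href)
                # Compare only when the visible text itself looks like an address;
                # "click here" gives the reader nothing to check against.
                if shown and not same_site(shown, actual):
                    findings["link_mismatches"].append((shown, actual))
    return findings


if __name__ == "__main__":
    print(scan(RAW_EMAIL))
```

The link check is the programmatic form of hovering: the text the reader sees is compared with the host the browser would actually open, and a mismatch is reported even though the visible text names the genuine site. The attachment check reads only the final extension, which is what the operating system acts on.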

How to prevent phishing attacks

Phishing attack protection requires steps to be taken by both users and enterprises.

For users, vigilance is vital. For enterprises, several steps can be taken to mitigate both phishing and spear-phishing attacks:

  • Multi-factor authentication (2FA/MFA) is one of the most effective controls against phishing, because a stolen password alone is no longer enough to log in to sensitive applications. Prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the genuine site’s web origin and so cannot be replayed from a lookalike page; one-time codes sent by SMS or generated by an app can still be relayed in real time by a proxy phishing site.
  • In addition to MFA, organisations should enforce sensible password policies: a unique password for every application (a password manager makes this practical), no reuse across services, and a forced change when there is reason to believe a password has been exposed. Current NCSC and NIST guidance advises against routine forced expiry, which pushes people towards weak, predictable variations.
  • Educational campaigns can also diminish the threat of phishing attacks by embedding secure habits, such as not clicking external email links and reporting suspected phishing to IT rather than quietly deleting it.

WatchGuard’s CTO, Corey Nachreiner, puts it this way: “I believe your phishing education program isn’t complete until you phish your own company’s tank. By that, I mean sending fake (but realistic) phishing emails to all your users to see if they fall for them.”

Tools such as KnowBe4’s free phishing test allow you to send a customised phishing email to your users as a test. Then, based on who interacts with the emails, you can design a training program for your employees to teach them how to identify phishing emails, harmful attachments, etc.

It’s time to get your defences in place and plan for if the worst happens. Watch our webinar on Backup & Disaster Recovery – the art of business continuity and getting things back up and running quickly after the worst happens.
