A significant problem for small businesses is how to spot phishing emails. Often, hackers trick employees into clicking malware infected zip files and malicious links in emails that redirect to fake landing pages. This type of cybercrime involving fraudulent emails is designed to bait you.
It mimics a reputable company to steal financial and confidential information. It is known as phishing and it’s a real threat.
What is a phishing email?
Phishing is similar to fishing, but instead of attaching the hook to a fishing pole, the phishers put it in an email. Well, the phishers pose as a genuine person or company and convince users to click a link to a website that looks like the real deal. It’s a fake, designed to be the “hook” in the whole operation. Once users enter their information, it is effectively stolen.
Alternatively, hackers might trick people into downloading a file that looks innocuous but is malware or ransomware.
Malware is malicious software, designed to steal data. In contrast, ransomware encrypts all files on an infected computer. The hacker can then demand a ransom to de-encrypt the data.
Phishing attacks are more rampant than ever before, rising by more than 162 percent from 2010 to 2014. They cost organizations around the globe $4.5 billion every year, and over half of internet users get at least one phishing email per day.
The best defense companies have against phishing attacks is to block malicious emails before they reach customers with the DMARC standards.
DMARC means Domain-based Message Authentication Reporting and Conformance. Brands must also work with a vendor that can offer email threat intelligence data revealing attacks beyond DMARC. For instance, attacks that spoof their brand using domains outside of the company’s control).
Unfortunately, no matter what companies do, some phishing emails will always make it to the inbox.
And those messages are extremely effective—97% of people around the globe cannot identify a sophisticated phishing email.
That’s where customer education comes in. They can also learn how to spot a phishing email, in case the fake emails somehow are received.
How to a spot a phishing email
Now that you have the low-down on how dangerous the scams are to a business, let’s look at how to spot a phishing email.
Before we start, remember this. Phishing is about the manipulation of natural human behavior. It is about getting someone to click a link or open an attachment before thinking about it. Phishers are looking to capture that knee-jerk reaction and turn it into a win for them.
With this in mind, here is a list of how to spot a phishing email:
#1 The email asks you to confirm personal information
Often an email will arrive in your inbox that looks very authentic. Whether this email matches the style used by your company or that of an external business such as a bank, hackers can go to painstaking lengths to ensure that it imitates the real thing. Especially when this authentic-looking email makes requests that you wouldn’t normally expect. It’s often a strong giveaway that it’s not from a trusted source after all.
Keep an eye out for emails requesting you to confirm personal information that you would never usually provide, such as banking details or login credentials. Do not reply or click any links. But if you think there’s a possibility that the email is genuine, you should search online and contact the organization directly. Do not use any communication method provided in the email.
#2 The web and email addresses do not look genuine
It is often the case that a phishing email will come from an address that appears to be authentic. Criminals aim to trick recipients by including the name of a legitimate company within the structure of email and web addresses.
If you only glance at these details, they can look genuine. But if you take a moment to examine the email address, you may find that it’s a bogus variation intended to appear authentic.
For example @mail.uber.work as opposed to @uber.com
Malicious links can also be concealed with the body of email text, often alongside genuine ones.
Before clicking on links, hover over and inspect each one first.
#3 The message contains a mismatched URL
One of the first things I recommend checking in a suspicious email message is the integrity of any embedded URLs. Often the URL in a phishing message will appear to be perfectly valid.
However, if you hover your mouse over the top of the URL, you should see the actual hyperlinked address (at least in Outlook).
If the hyperlinked address is different from the address that is displayed, the message is probably fraudulent or malicious.
#4 URLs contain a misleading domain name
People who launch phishing scams often depend on their victims, not knowing how the DNS naming structure for domains works. The last part of a domain name is the most telling.
For example, the domain name info.anitachichi.com would be a child domain of Anitachichi.com because Anitachichi.com appears at the end of the full domain name (on the right-hand side).
Conversely, Anitachichi.com.maliciousdomain.com would not have originated from anitachichi.com because the reference to anitachichi.com is on the left side of the domain name.
#5 It’s poorly written
It is incredible how often you can spot a phishing email only by the poor language used in the body of the message. Read the email and check for spelling and grammatical mistakes, as well as strange turns of phrase. Emails from legitimate companies will have been constructed by professional writers and exhaustively checked for spelling, grammar, and legality errors. If you have received an unexpected email from a company, and it is full of mistakes. This can be a reliable indicator that it is a phish.
Interestingly, there is even the suggestion that scam emails are deliberately poorly written to ensure that they only trick the most gullible targets.
#6 There’s a suspicious attachment
Alarm bells should be ringing if you receive an email from a company out of the blue that contains an attachment, especially if it relates to something unexpected.
The attachment could contain a malicious URL or trojan, leading to the installation of a virus or malware on your PC or network.
Even if you think an attachment is genuine, it’s good practice always to scan it first using antivirus software.
#7 You didn’t initiate the action
Just yesterday I received an email message informing me I had won the lottery!!!! The only problem is that I never bought a lottery ticket.
If you get a message telling you that you have won a contest you did not enter, you can bet that the message is a scam.
#8 Expect the unexpected
In a 2016 report from Wombat Security, organizations reported that the most successful phishing attacks were disguised as something an employee was expecting.
For example, an HR document, a shipping confirmation or a request to change a password that looked like it came from the IT department.
Make sure to scrutinize any such emails before you download attachments or click on any included links, and use common sense.
Don’t hesitate to call a company’s customer service line, your HR department or IT department to confirm that any such emails are legitimate. It’s better to be safe than sorry.
#9 Trusted brands
Phishers like to make you feel at ease. Trust is a significant driver when making decisions. If you trust something or someone you tend to do what they say, with little question.
Phishing emails depend on this natural human behavior to encourage you to do something.
Phishing emails typically take on the guise of a well-known, trusted organization.
For example, your bank or government service or Apple or PayPal. Many of the most successful organizations have already and will continue to be used by phishers.
Which brand a phishing campaign uses often depends on topical issues or the time of year. For example, around tax return time, you will often see a spate of phishing emails that are disguised as the Inland Revenue brand.
If you see a trusted brand come into your inbox, then you are more likely to do what that email asks, like click on a link.
#10 You’re asked to send money to cover expenses
One telltale sign of a phishing email is that you will eventually be asked for money. You might not get hit up for cash in the initial message.
But sooner or later, phishing artists will likely ask for money to cover expenses, taxes, fees, or something similar. If that happens, you can bet that it’s a scam.
#11 The message is designed to make you panic
It is common for phishing emails to instill fear in the recipient. The email may claim that your account may have been compromised and the only way to verify it is to enter your login details.
Alternatively, the email might state that your account will be closed if you do not act immediately. Ensure that you take the time to think about whether an email is asking something reasonable of you.
If you’re unsure, contact the company through other methods.
Phishing artists who want to use intimidation don’t always pose as a bank. Sometimes they’ll send messages claiming to have come from a law enforcement agency, the IRS, the FBI, or just about any other entity.
That is enough to scare the average law-abiding citizen.
I can’t tell you how government agencies work outside the United States. But here, government agencies don’t usually use email as an initial point of contact.
That isn’t to say that law enforcement and other government agencies don’t use email.
However, law enforcement agencies follow specific protocols. They don’t engage in email-based extortion.
How to avoid getting caught in a phishing net
- Always be suspicious. Phishing emails try to freak you out with warnings of stolen information or worse, and then offer an easy fix if you “click here.” (Or the opposite: “You’ve won a prize! Click here to claim it!”) When in doubt, don’t click. Instead, open your browser, go to the company’s website, and then sign in frequently to see if there are any signs of strange activity. If you’re concerned, change your password.
- Check for bad spelling and grammar. Most of the messages that come from outside the US are riddled with spelling mistakes and bad grammar. As I noted earlier, big companies hire professionals to make sure their emails contain perfect prose. If you’re looking at one that doesn’t, it’s almost certainly a fake.
- Beef up your browser. An accidental click of a phishing link doesn’t have to spell disaster. McAfee SiteAdvisor and Web of Trust are free browser add-ons that will warn you if the site you’re about to visit is suspected of malicious activity. They’re like traffic cops that stop you before you turn down a dangerous street.
- Use your phone. If you’re checking email on your phone, it might be harder to spot a phishing attempt. You can’t “mouse over” a questionable link, and the smaller screen makes you less likely to spot obvious gaffes. Although many phone browsers (and operating systems) are immune from harmful sites and downloads, it’s still good to exercise caution when dealing with suspicious links. (Obviously, you still shouldn’t complete a form that asks for your password or other personal info.) Android users, in particular, should be aware of the potential risks.
- Most of all rely on common sense. You can’t win a contest you didn’t enter. Your bank won’t contact you using an email address you never registered. Microsoft did not “remotely detect a virus on your PC.” Know the warning signs, think before you click, and never, ever give out your password or financial info unless you’re duly signed into your account.
Preventing your organization from becoming a victim of a phishing campaign is an ongoing process. Phishing emails are frequent visitors to the inbox of all of us.
Security awareness training offers focused phishing simulation exercises which help to teach people, using realistic examples, how to spot a phishing email.
Keeping one step ahead of the cybercriminals is a way to stay on top of this most insidious of cybercrimes.