According to Verizon’s Data Breach Investigations Report, nearly 85% of breaches involved phishing in some form.
Phishing emails are not new; they have been the most common attack vector for cybercriminals for years.
To be able to spot a phishing email, you first must know what phishing is. Phishing is the fraudulent practice of sending emails purporting to be from reputable sources to induce individuals to reveal personal information, such as passwords and credit card numbers. Attackers are making phishing emails harder to spot and more convincing to their targets. The results can be devastating.
Attackers can easily find out a lot about individuals just by looking through social media sites, professional profiles, and other online publications to identify the triggers that people are likely to respond to. It is not very difficult to find details of someone’s children, the school they attend, and an event happening at the school, then send the parent an email inviting them to click on a link or open an attachment about their child’s participation in the event. With the advancement of machine learning and artificial intelligence, attackers will be able to collate this information much more quickly in the future.
The ability to spot a phishing email is imperative to defending against one, no matter how many tools you have in place. Below are a few red flags to note when receiving a suspicious email.
1. Demands Urgent Action
Be wary of emails threatening a negative consequence or a loss of opportunity unless urgent action is taken. Attackers will use this approach to rush users into action before they have had the opportunity to properly review the email for potential flaws or inconsistencies.
2. Bad Grammar and Spelling Mistakes
Emails containing bad grammar or a high number of spelling mistakes are often signs of a phishing scam. Most modern email applications apply spelling and grammar checks to outgoing mail, so a legitimate business email is rarely riddled with errors. An email with poor grammar or obvious spelling mistakes should raise a red flag immediately.
3. Inconsistencies in Email Addresses, Links & Domain Names
Always check for inconsistencies in email addresses, links, and domain names. Did the email come from an organization you correspond with often? If so, does the sender’s email address match the organization’s domain? Check every link in the email body before clicking: hover the mouse pointer over the link to see the actual destination, and confirm it is the domain you expect.
If the email allegedly originates from Google but the link or sender domain reads something else, report the email as a phishing attack. On a mobile device, long-press the link to preview the URL before opening it.
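The two checks above (sender domain versus the claimed organization, and link text versus the real link target) can be automated for triage. The following script is an added example, not code from the original post; the message it parses is constructed, and the claimed domain is passed in as an assumption about who the email purports to be from.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name claims Google, but the
# From address and the first link's real target point at a look-alike domain.
SAMPLE_EMAIL = """From: Google Accounts <security@g00gle-support.example>
To: user@company.example
Subject: Urgent: verify your account
Content-Type: text/html

<p>Sign in at <a href="http://login.g00gle-support.example/verify">https://accounts.google.com</a></p>
<p>Or visit <a href="https://accounts.google.com/">accounts.google.com</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})')

def registered_domain(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_message(raw, claimed_domain):
    """Return (finding_kind, value) pairs for an email claiming to be from claimed_domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    expected = registered_domain(claimed_domain)
    findings = []
    # Red flag 1: the sender's address domain does not match the claimed organization.
    sender = msg["From"].addresses[0]
    if registered_domain(sender.domain) != expected:
        findings.append(("sender-domain-mismatch", sender.addr_spec))
    body = msg.get_body(preferencelist=("html",)).get_content()
    for href, text in ANCHOR_RE.findall(body):
        href_domain = registered_domain(urlparse(href).hostname or "")
        # Red flag 2: the visible link text names one domain, the real target another.
        shown = HOST_IN_TEXT_RE.search(text)
        if shown and registered_domain(shown.group(1)) != href_domain:
            findings.append(("link-text-mismatch", href))
        # Red flag 3: the link leads somewhere other than the claimed organization.
        if href_domain != expected:
            findings.append(("link-domain-mismatch", href))
    return findings

if __name__ == "__main__":
    for kind, value in check_message(SAMPLE_EMAIL, "google.com"):
        print(f"{kind}: {value}")
```

The domain comparison is deliberately simple (last two labels); a production version would use a public-suffix list and would also decode quoted-printable or base64 bodies, which the email library handles via get_content().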
4. Suspicious Attachments
Always be wary of any attachments you receive. Most business-related file sharing takes place via collaboration tools such as SharePoint, OneDrive, or Dropbox, so an unexpected attachment is unusual in itself. Even if an attachment comes from someone you trust, it is good practice to call the sender to verify that they actually sent it.
5. Requesting Login Credentials, Payment Information, or Sensitive Data
Any email you receive that requests login credentials, payment information, or other sensitive data should always be treated with caution. Highly targeted phishing aimed at a specific individual may use a forged login page that closely resembles the real one; the attacker then sends an email containing a link that directs the recipient to the fake login page.
If you receive an email of this type, always verify that you requested it, or that the sender and message are legitimate. Any email requesting changes to payment information or to how you receive payment should always be verified with a phone call to a number you already have on file, not one taken from the email.
6. Too Good to Be True
If you read an email and it seems too good to be true, it most likely is. These emails incentivize the recipient to click on a link or open an attachment by claiming there will be a reward of some nature. If the sender of the email is unfamiliar or the recipient did not initiate contact, it’s likely a phishing email.
Next Steps to Combat Phishing Emails
Companies should be conditioning employees to spot and report suspicious emails. The chances are that if one of your employees is the subject of a phishing attack, other employees will be as well. Train employees to always report suspicious emails to the proper personnel for your business.
TenHats is always here to help protect and educate you and your users. We offer solutions to easily deploy and maintain phishing and security awareness training for your users at a low cost. Please let us know if you’d like to further discuss how we can help!