Knowing how to spot a phishing email begins with understanding what phishing is. A phishing attack is a scam that tries to trick the recipient with a fake email that appears to come from a legitimate source, such as a person or organization the recipient knows and trusts, in order to obtain personal information or access. These emails look like they are from reputable companies (a bank or online store the recipient uses, for example) or from a friend, colleague, or acquaintance. The message encourages the target to click a link to a phishing website that collects sensitive information (passwords, bank or credit card details, social security numbers, and other private data), to open an attachment that installs malware on their computer, or to reveal personal information some other way. With that information in hand, the criminal can steal the recipient’s data, money, and identity.
Another form of phishing attack is spear phishing, which targets a specific individual using information gathered from that person’s online presence. A spear phishing email appears to come from a trusted friend or colleague. Often the sender is disguised as the CEO or another executive of the recipient’s company, asking for confidential information or requesting that money be transferred.
Phishing is one of the most common and effective cyber threats, so it is important to be aware of what to look for in order to defend yourself against it. Here are some key ways to identify a phishing email:
Inconsistencies in email addresses, company domains, links and URLs
In phishing emails, the domain of the sender’s email address usually doesn’t match the company’s real domain. It may be completely different (a generic gmail.com address, for example), contain a slight misspelling (a “0” where an “o” should be, such as @c0mpanyname.com when the real domain is companyname.com), or contain the real company name arranged to look authentic. Be careful to distinguish a true subdomain from an embedded name: mail.companyname.com is still part of companyname.com and is controlled by that company, whereas something like companyname.com.attacker.example belongs to whoever registered attacker.example, with the familiar name simply placed in front. What matters is the registered domain at the end of the host name, not the familiar words at the start.
Malicious links in the body of the email can be disguised the same way, so again look closely for slight misspellings or differences. The visible text of a link may be a correct URL while the actual destination is something else entirely; if the two differ, don’t click. Hover over links before clicking on them to reveal the
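The checks described in this section can be automated. The script below is an added example, not code from the original article or from Merit Technologies: it parses a constructed sample message and reports a lookalike sender domain, a Reply-To and a link that embed the real company name inside another registered domain, and link text that claims one destination while the href points to another. It uses the article’s companyname.com placeholder as the legitimate domain and the reserved attacker.example name for the attacker-controlled domain; both the message and those names are assumptions made for illustration.

```python
"""Heuristic checks for sender-domain and link inconsistencies in an email.

Added example. The sample message below is constructed for illustration and
uses the reserved .example TLD for the attacker-controlled domain.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAIN = "companyname.com"     # the organisation the mail claims to come from

# Digits commonly substituted for letters in typo-squatted domains (0/o, 1/l, 3/e, 5/s).
LOOKALIKE_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample: lookalike From domain, a Reply-To on an attacker domain that
# embeds the real one, and a link whose visible text differs from its real target.
SAMPLE_EMAIL = """\
From: "Companyname Billing" <billing@c0mpanyname.com>
Reply-To: support@mail.companyname.com.attacker.example
To: victim@example.org
Subject: Urgent: confirm your account details
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be closed in 24 hours unless you verify it now.</p>
<p><a href="http://companyname.com.attacker.example/verify">https://www.companyname.com/account</a></p>
<p>Questions? See <a href="https://www.companyname.com/support">our support page</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. A production check should consult the
    Public Suffix List so that names such as example.co.uk are handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host, legit=LEGIT_DOMAIN):
    """Return legit / lookalike / embedded / unrelated relative to the claimed domain."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg == legit:
        return "legit"                        # the real domain or a true subdomain of it
    if reg.translate(LOOKALIKE_DIGITS) == legit:
        return "lookalike"                    # e.g. c0mpanyname.com
    if f".{legit}." in f".{host}.":
        return "embedded"                     # e.g. companyname.com.attacker.example
    return "unrelated"


def host_of(url):
    """Host name of a URL; bare domains without a scheme are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze(raw_email, legit=LEGIT_DOMAIN):
    """Return a list of (where, kind, detail) indicators for the message."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    findings = []

    # 1. Sender-side headers: From, Reply-To (where a reply really goes), Return-Path.
    for header in ("From", "Reply-To", "Return-Path"):
        _, addr = parseaddr(str(msg.get(header, "")))
        domain = addr.rpartition("@")[2]
        if domain:
            kind = classify_host(domain, legit)
            if kind != "legit":
                findings.append((header, kind, domain))

    # 2. Links in the HTML body: where they really go, and whether the visible
    #    text claims a different destination.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            actual = host_of(href)
            if not actual:
                continue                      # mailto:, javascript:, relative links
            kind = classify_host(actual, legit)
            if kind != "legit":
                findings.append(("link", kind, actual))
            # Visible text that looks like a URL or domain but points elsewhere.
            if "." in text and " " not in text:
                shown = host_of(text)
                if shown and registrable_domain(shown) != registrable_domain(actual):
                    findings.append(("link", "text-mismatch", f"{shown} -> {actual}"))
    return findings


if __name__ == "__main__":
    for where, kind, detail in analyze(SAMPLE_EMAIL):
        print(f"{where:9} {kind:14} {detail}")
```

Run against the sample, the script flags the From domain as a lookalike, the Reply-To and the first link as the real name embedded in attacker.example, and the first link’s text as not matching its destination; the genuine support link is left alone. The two-label registrable-domain shortcut is the main simplification: real mail filters use the Public Suffix List for that step.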
Poor spelling, grammar, and design
Watch out for misspelled words, unusual language, grammatical errors, and poor design. Emails from legitimate companies are produced by professional writers and designers and are checked for spelling, grammar, and quality, so obvious errors are a warning sign. Many phishing campaigns originate abroad and are awkwardly translated, some errors are introduced deliberately to evade filters that look for known scam wording, and attackers who build websites and emails quickly rarely make them look polished. The reverse does not hold, though: a well-written, well-designed email is not proof of legitimacy, and targeted spear phishing in particular is often flawless.
Requests for personal information
If an email asks you to confirm or provide personal information, such as banking details or passwords, do not reply and do not click any links. Legitimate companies do not normally email you asking for personal information to be entered on a website. Phishing emails, by contrast, exist to extract sensitive information by asking you to share details, transfer money, or download something; the attacker then uses what you provided, or the access it gives, to steal your money, take over your accounts, and assume your identity. If you suspect the email could be genuine, look up the organization’s contact details independently and contact them directly to ask whether it is legitimate, rather than using any phone number, address, or link from the email itself.
Threats and demands for urgent action
Phishing emails often use fear, threatening language, and a sense of urgency to push recipients into acting immediately. Beware of emails insisting that you must click a link, open an attachment, or call a number right away. They may claim you must act to collect a reward or to avoid a penalty, such as losing money, having an account closed, or facing legal action. The goal is to create panic so the recipient acts before thinking it through or asking questions.
Unexpected or suspicious attachments
Be wary of attachments, especially in an email you were not expecting. Phishing emails may carry attachments that install malware on your device or network, and the file name is often chosen to look harmless (an invoice, a statement, a document). Even if the email appears to come from a trusted source or seems genuine, be certain who the sender is before opening an attachment; a genuine-looking sender is exactly what a spoofed message provides. Scanning the file with antivirus software first is a sensible extra step, but not a guarantee, since new or customized malware is not always detected.
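The attachment tricks this section warns about can also be checked mechanically before a file is opened. The script below is an added example, not code from the original article or from Merit Technologies: it builds a constructed message containing a two-byte “MZ” stub (a Windows executable header, not a real program) named Invoice.pdf.exe and declared as a PDF, plus a zip archive wrapping a script, and reports the executable extension, the double extension, the mismatch between the declared type and the file’s leading bytes, and the executable inside the archive. The sender address reuses the article’s companyname.com placeholder, and the extension lists are deliberately short; both are assumptions made for illustration.

```python
"""Attachment checks for the tricks phishing mail relies on: executable or
double extensions, macro-enabled Office files, a declared type that does not
match the file's bytes, and archives that wrap an executable.

Added example. The message is constructed in build_sample(); the "executable"
is a stub DOS header, not a real program.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions a typical Windows desktop will run on double-click (non-exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "msi", "lnk"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}   # Office files that can carry VBA
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
PE_MIME = "application/vnd.microsoft.portable-executable"
MAGIC = {                                   # leading bytes -> real container type
    b"MZ": PE_MIME,
    b"%PDF": "application/pdf",
    b"PK\x03\x04": "application/zip",       # also .docx/.xlsx, which are zip files
}


def sniff(data):
    """Return the MIME type implied by the file's leading bytes, if recognised."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def inspect_attachment(filename, declared_type, data):
    """Return a list of human-readable indicators for one attachment."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    sniffed = sniff(data)

    if ext in EXECUTABLE_EXTS:
        findings.append("executable extension")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
        findings.append("double extension hides real type")        # Invoice.pdf.exe
    if ext in MACRO_EXTS:
        findings.append("macro-enabled Office document")
    if sniffed == PE_MIME and ext not in EXECUTABLE_EXTS:
        findings.append("content is a Windows executable despite its name")
    if declared_type in MAGIC.values() and sniffed and sniffed != declared_type:
        findings.append(f"declared {declared_type} but content looks like {sniffed}")
    if sniffed == "application/zip":
        # Archives are a common wrapper used to get an executable past simple filters.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    if member.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS:
                        findings.append(f"archive contains executable: {member}")
        except zipfile.BadZipFile:
            findings.append("zip magic but archive does not parse")
    return findings


def inspect_message(raw_email):
    """Map each attachment's file name to its list of indicators."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        report[name] = inspect_attachment(name, part.get_content_type(), part.get_content())
    return report


def build_sample():
    """Constructed message: a PE stub named as a PDF, plus a zip wrapping a script."""
    msg = EmailMessage()
    msg["From"] = "accounts@companyname.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    fake_pe = b"MZ" + b"\x00" * 62                     # stub DOS header only
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="Invoice.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("statement.js", "// constructed stub, does nothing\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="statement.zip")
    return msg.as_string()


if __name__ == "__main__":
    for name, findings in inspect_message(build_sample()).items():
        print(name, "->", findings or ["no indicators"])
```

Checking the leading bytes rather than trusting the declared Content-Type or the extension is the point: the sender controls both of those, but cannot change what the file has to look like for Windows to run it.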
Now that you know what to look for…
Knowing how to spot a phishing attempt is an important first step in protecting yourself and your business from these attacks. However, in today’s fast-paced business world it is easy to click a link or attachment by accident, or to answer an email with sensitive information. That is why the best defense against phishing is multiple layers of security tools and practices. In addition to security awareness training, consider anti-spam and anti-malware software with automated anti-phishing features. Such tools inspect an email’s content, headers, URLs, and attachments for indicators of phishing and quarantine or block messages judged malicious. No filter catches everything, so pair it with multi-factor authentication, so that a password typed into a phishing page is not enough on its own, and with a simple way for staff to report suspicious messages.
Talk to the cybersecurity experts at Merit Technologies to learn more about how their advanced security solutions can protect your business.