Phishing attacks are all too common. Cyber-security is one of the top priorities for business owners worldwide, particularly since lockdown measures have meant more people working from home. Keeping your employees and clients informed, and your email and data safe, is absolutely crucial.
Verizon's Data Breach Investigations Report found that last year 94% of malware was delivered via email. How confident are you that 100% of your employees can accurately identify a phishing email? Staying informed about phishing techniques is the key to preventing attacks.
Here are 5 ways to help you identify a phishing email:
1. Suspicious Attachments & Links
Identifying phishing emails can be tricky, as they come in many forms and appearances. The one thing they all have in common is that they carry a payload: the link, button or attachment the attacker wants you to click. We have all heard "don't open suspicious links!" before, but when a link does not look suspicious, all it takes is a split-second decision to open a malicious attachment or follow a malicious link.
Many links lead to websites built to harvest credentials or other sensitive information; hovering over a link (or long-pressing it on a mobile) shows the real destination before you commit to clicking. Attachments are usually the most dangerous payload, as they often carry malware, and they are among the easiest to disguise: a file can easily be named to look like a legitimate PDF or document while its contents are something else entirely.
Top tip: Never download or open any attachment you are unsure of
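The "looks like a PDF but isn't" trick above can be checked mechanically rather than by eye. The following is an added example, not code from the original article: it parses a constructed sample message (built inline, not a real phishing email) and flags attachments whose declared extension is executable, carries a second "document" extension, or does not match the leading bytes of the actual content. The magic-number and extension tables are deliberately small and are assumptions you would extend for your own environment.

```python
"""Judge attachments by what they contain, not by what their name claims.

Added example (not from the original article). The sample message is
constructed here so the check runs offline.
"""
import email
from email import policy
from email.message import EmailMessage

# Leading bytes ("magic numbers") of a few common attachment formats.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                          # also the container for .docx/.xlsx/.pptx
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",    # legacy .doc/.xls
    b"MZ": "exe",                                  # Windows executable (PE)
}
# What the declared extension says the content should be.
EXPECTED_KIND = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "pptx": "zip",
                 "zip": "zip", "doc": "ole", "xls": "ole"}
# Extensions that run code when opened and should rarely arrive by email.
EXECUTABLE_EXT = {"exe", "scr", "bat", "cmd", "js", "vbs", "ps1", "hta", "lnk", "jar", "iso"}


def sniff(data: bytes) -> str:
    """Return the content kind implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons this attachment is suspicious; an empty list means none found."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension .{ext}")
    if len(parts) > 2 and parts[-2] in EXPECTED_KIND:
        # "Invoice.pdf.exe": the document extension is there to mislead the eye.
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    kind = sniff(data)
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != expected:
        reasons.append(f"content looks like {kind}, not the {expected} that .{ext} claims")
    if kind == "exe":
        reasons.append("content is a Windows executable (MZ header)")
    return reasons


def assess_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw message and return {filename: reasons} for every suspicious attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = assess_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed sample message with one clean and two disguised attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "you@example.org"
    msg["Subject"] = "Invoice overdue - please review"
    msg.set_content("Please find the invoice attached.")
    # A genuine PDF: only the header matters for this check.
    msg.add_attachment(b"%PDF-1.7\n%stub\n", maintype="application",
                       subtype="pdf", filename="Invoice.pdf")
    # An executable dressed up with a document extension in front of the real one.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="Invoice.pdf.exe")
    # A file named .pdf whose bytes are actually an executable.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="Statement.pdf")
    return msg.as_bytes()


SAMPLE = build_sample()

if __name__ == "__main__":
    for name, reasons in assess_message(SAMPLE).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Only Invoice.pdf survives the check; the other two are reported with the specific mismatch. A real mail gateway does the same kind of content sniffing, which is why attackers also try password-protected archives and macro-enabled documents that this small table does not cover.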
2. Poor Spelling and Grammar
We all remember being told in English class that grammar is important! Funnily enough, when it comes to phishing emails it can be a great indicator that something is wrong.
It is commonly thought that cyber criminals leave grammatical errors in deliberately, to filter for less careful targets. This might sound harsh, but the reasoning is that someone who does not notice grammatical mistakes may not be paying much attention to detail, and so is less likely to notice the other warning signs of an attack.
This is only a theory, of course, but better safe than sorry. It is worth mentioning because poor grammar is a very common feature of phishing emails, especially as many campaigns originate from places where English is not the first language. Most scammers do not take the time to carefully craft well-worded emails and documents the way a professional organisation would.
Top tip: Look for grammatical mistakes, not spelling mistakes!
When creating phishing emails, attackers will often use a spellchecker or machine translation, which gives them all the right words but not necessarily in the right context.
3. The Sent Address is from a Public Domain
Every legitimate organisation has its own email domain, and that gives you a quick and easy check. No established business will contact you requesting personal data from an "@gmail.com" address, or any other public webmail domain (some small sole traders excepted).
Well-established organisations send email from their own domain, which matches the organisation's name. For example, Apple will email you from "@apple.com", or about your iCloud account from "@icloud.com".
If you are not 100% sure whether an email is genuine, search online for the organisation's real domain name and compare it against the sender's address. Do not rely on links or contact details in the email itself, as those are under the attacker's control.
Top tip: Look at the email address, not just the sender
Especially when viewing on a mobile, where many mail apps show only the display name, always check the full "from" address and not just the sender's name. The display name can be set to anything, so a trustworthy business name can hide a fraudulent domain behind it.
4. Misspelled Domain Name
As well as checking that the email is not from a public webmail domain, double-check the sender's domain for misspellings. These clues are more subtle and harder to spot, but it is worth taking a second look.
Anyone can buy a domain name, and although every domain must be unique, scammers deliberately register names that closely resemble those of a trusted organisation: a swapped, added or missing letter, a look-alike character (a "1" for an "l", "rn" for "m"), or the same name under a different top-level domain. An address at example.org, for instance, can be hard to distinguish at a glance from the real one at example.com.
You might feel very confident in your ability to screen for false domain names while reading this, but even the best of us slip up from time to time. In the middle of a busy working day, looking at your 1000th email, it is an easy mistake to make.
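The two checks from sections 3 and 4 (look at the real address, not the display name; watch for lookalike domains) can be written down as a small filter that does not get tired at the 1000th email. This is an added example, not code from the original article. It assumes a short allow-list of trusted domains (apple.com, icloud.com and the page's own example.com placeholder) and a short list of free webmail providers; both are assumptions you would replace with your own. The homoglyph table and the "last two labels" rule for the registrable domain are deliberately simple heuristics.

```python
"""Flag From headers that hide a fraudulent domain behind a trusted-looking name.

Added example (not from the original article). TRUSTED and FREE_MAIL are
assumed lists for illustration.
"""
import unicodedata
from email.utils import parseaddr

# Assumed allow-list: domains the reader expects genuine mail from.
TRUSTED = ("apple.com", "icloud.com", "example.com")
# Free webmail providers: no established organisation writes to customers from these.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com", "proton.me"}
# Substitutions attackers use so a lookalike reads like the real thing.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(domain: str) -> str:
    """Lower-case, strip accents and undo common homoglyph swaps (heuristic, not exhaustive)."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels, e.g. mail.apple.com -> apple.com (naive: ignores co.uk-style suffixes)."""
    return ".".join(domain.split(".")[-2:])


def assess_sender(from_header: str, trusted=TRUSTED) -> list[str]:
    """Return reasons the sender looks fraudulent; an empty list means nothing was found."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From header has no parseable address"]
    domain = addr.rsplit("@", 1)[1].lower().strip()
    base = registrable(domain)
    name_l = name.lower()
    reasons = []

    if base in FREE_MAIL:
        reasons.append(f"free webmail domain {domain}")

    # Display name written to look like an address: on a phone only the name is visible.
    if "@" in name_l:
        claimed = name_l.rsplit("@", 1)[1].strip()
        if registrable(claimed) != base:
            reasons.append(f"display name shows {claimed} but mail is really from {domain}")

    for t in trusted:
        if domain == t or domain.endswith("." + t):
            continue  # the genuine domain or one of its own subdomains
        brand = t.split(".")[0]
        if t in domain:
            reasons.append(f"trusted domain {t} embedded in unrelated domain {domain}")
        elif base.split(".")[0] == brand:
            reasons.append(f"{base} reuses the {brand} name under a different top-level domain than {t}")
        elif edit_distance(normalise(base), normalise(t)) <= 1:
            reasons.append(f"{base} is a lookalike of {t}")
        if brand in name_l:
            reasons.append(f"display name mentions {brand} but mail is from {domain}")
    return reasons


# Constructed sample headers (not real messages).
SAMPLES = [
    "Apple <noreply@apple.com>",
    "Apple <noreply@mail.apple.com>",
    "Apple Support <apple.support@gmail.com>",
    "Apple <security@app1e.com>",
    "Apple ID <no-reply@apple.com.secure-login.net>",
    "Billing <accounts@example.org>",
    '"john@example.com" <attacker@mail-example.org>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header)
        for reason in assess_sender(header) or ["looks genuine"]:
            print("  -", reason)
```

The first two headers pass; each of the others trips at least one rule, including the example.org versus example.com case from the text. The brand-in-display-name rule will also fire on a genuine customer called "Appleton" writing from Gmail, so treat the output as a prompt for the "second look" rather than a verdict.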
5. A Sense of Urgency
Cyber-criminals know that you are busy, and that you might (occasionally) procrastinate. Juggling hundreds of emails with varying priorities often means an email gets ignored for a while. Attackers want to avoid that, as it gives you longer to reflect on the content and perhaps come back to it with a fresh pair of eyes.
Scammers want you to act immediately so that you have less time to consider your actions. You will find that the majority of phishing efforts place an emphasis on urgent action, immediate reward or instant results, e.g. "you will receive a call within one hour to confirm your deal, but the deal ends at 4pm".
In the workplace, your employees are likely to drop everything if an email posing as a boss or an industry professional tells them to "act now". Creating a cyber-security aware culture in your workplace is crucial in preventing this kind of attack: any urgent request for money, credentials or data should be confirmed through a separate channel, such as phoning the person on a number you already know, rather than by replying to the email. If your employees feel safe raising concerns about anything suspicious (even when it appears to come from the boss!), they can stop a scam, rather than staying quiet to avoid an awkward conversation.
We hope that these tips will help your business to decrease the likelihood of a cyber-attack. Maintaining a vigilant approach to cyber security is so important for every business. Ensuring that your employees, users and clients are educated and aware, will help to create a culture of safety in your workplace.