It’s estimated that last year employees in around 86 percent of organizations opened an email message that was designed by a cybercriminal to steal sensitive information or otherwise cause harm.
Cybersecurity professionals have a fitting name for scams that involve fraudulent email messages that trick their recipients into doing something that’s against their best interest: phishing.
While this threat isn’t new, it costs organizations large and small more and more money every year. Why? Because phishing doesn’t exploit information technology infrastructure but the people who rely on it.
The following signs can help employees recognize phishing emails before it’s too late, transforming them from easy targets into watchful guardians of sensitive data.
1. The Email Is Badly Written
The days of Nigerian prince email scams may be behind us, but a large chunk of spam emails continues to be badly written because the cybercriminals behind them are not native speakers of English.
Everything from overly formal or informal greetings to the incorrect use of articles to switching tenses unnecessarily is a good sign that the email wasn’t written by someone who was born and raised in an English-speaking country.
If, at the same time, the email seems to come from an individual or organization that is actually based in an English-speaking country, then there’s a good chance that you’re being phished.
Of course, not all phishing emails are badly written. When cybercriminals execute highly targeted phishing campaigns, they spend a lot of time researching their targets to craft emails that read as if they were written by someone familiar. That’s why you should also pay attention to the other signs of email phishing described in this article.
2. The Domain Name Doesn’t Exactly Match the Sender
If you receive an email that claims to be from Microsoft but is sent from a domain that doesn’t exactly match Microsoft’s official domain name (mlcrosoft.com versus microsoft.com, for example), then you can be sure that the email isn’t legitimate.
We mention Microsoft because it’s the most commonly phished brand, accounting for 43 percent of all brand phishing attempts globally. Other big names that phishers often impersonate include DHL, LinkedIn, Amazon, Rakuten, IKEA, Google, PayPal, Chase, and Yahoo.
When impersonating providers of free email services like Microsoft, Google, and Yahoo, phishers sometimes send their messages from the corresponding public email domains (outlook.com, gmail.com, or ymail.com). Such domains are available to anyone, but they’re never used by the companies behind them for business correspondence.
Unfortunately, particularly skilled cybercriminals can sometimes spoof the domain name of a legitimate website using techniques like DNS cache poisoning to convince their targets that the emails they receive are legitimate. Once again, the solution is to also pay attention to other signs of phishing.
3. The Message Includes a Suspicious Attachment or Link
Phishers have two main goals, and they can accomplish them by including malicious attachments or links with their messages:
- Steal login credentials: Exploiting unpatched software vulnerabilities requires a lot of skill and effort, but convincing the average employee to click on a malicious link and enter their username and password on a fake login page is an easy way to obtain sensitive login credentials.
- Infect your device with malware: Phishing is often just a means to an end, and that end is infecting the targeted organization with malware. Email is a convenient vehicle for malware because infected files can be attached to messages as innocent-looking documents and file archives.
In order to avoid malicious links, it’s paramount to hover the cursor over every link before clicking to make sure that it actually leads to the expected site.
Email attachments should be automatically scanned by a reliable anti-malware software solution, and they can also be independently verified using an online malware scanner like VirusTotal.
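Signs 2 and 3 above are checks a mail gateway or triage script can apply automatically. The following added example (not code from the article or from BCA) parses a raw email, compares the sender domain against the real domain of the brand the message claims to be from, flags public mailbox providers used for brand mail, and reports links whose visible text names a different host than the one the link actually leads to. The brand-to-domain mapping, the 0.85 similarity threshold and the sample message are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the article names as often impersonated, mapped to their real domains (constructed mapping).
BRAND_DOMAINS = {"microsoft": "microsoft.com", "paypal": "paypal.com", "dhl": "dhl.com"}
FREE_MAIL_DOMAINS = {"outlook.com", "gmail.com", "ymail.com"}
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SHOWN_HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def is_lookalike(domain, real, threshold=0.85):
    # Near-miss spelling such as mlcrosoft.com for microsoft.com, but not an exact match.
    return domain != real and SequenceMatcher(None, domain, real).ratio() >= threshold

def check_sender(msg):
    # Sign 2: the From domain does not match the brand the message claims to come from.
    _, addr = parseaddr(msg.get("From", ""))
    dom = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    findings = []
    for brand, real in BRAND_DOMAINS.items():
        if brand in claimed and dom != real:
            if is_lookalike(dom, real):
                findings.append(f"lookalike sender domain {dom} (expected {real})")
            elif dom in FREE_MAIL_DOMAINS:
                findings.append(f"{brand} mail sent from public provider {dom}")
    return findings

def check_links(html):
    # Sign 3: the visible link text names one host, but the href leads somewhere else.
    findings = []
    for href, label in HREF_RE.findall(html):
        shown = SHOWN_HOST_RE.match(label.strip())
        target = (urlparse(href).hostname or "").lower()
        if shown and target and shown.group(1).lower() != target:
            findings.append(f"link shows {shown.group(1)} but leads to {target}")
    return findings

def analyze(raw_message):
    msg = message_from_string(raw_message)
    return check_sender(msg) + check_links(msg.get_payload())

# Constructed sample built from the lookalike domain and subject lines quoted in the article.
SAMPLE = """From: Microsoft Account Team <security@mlcrosoft.com>
Subject: Abnormal activity on your account has been detected!

Sign in within 24 hours: <a href="http://login.mlcrosoft.com/verify">https://login.microsoft.com</a>
"""
```

Running analyze(SAMPLE) reports both the lookalike sender domain and the mismatched link; a message from the brand's real domain with consistent links produces no findings.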
4. There’s a Sense of Urgency or Threats
Phishing is a form of social engineering, and it exploits human psychology to achieve the desired results. More specifically, phishers often create a sense of urgency or make various time-based threats to prompt their victims to act quickly.
They do this because humans who are under pressure are more likely to act without thinking and make such careless mistakes as clicking on a malicious link or downloading an infected email attachment.
Here are several examples of urgent and threatening subject lines used by phishers:
- Change your [website] password immediately!
- Your online meeting is about to start. Sign in now.
- Please sign the attached policy update by tomorrow.
- Abnormal activity on [website] account has been detected!
- Warning: your [website] account will be deleted within 24 hours.
Whenever you see a similarly urgent or threatening subject line, you should be extra careful because the person behind the email could be trying to phish you.
5. The Email Feels Too Generic
Many phishing emails start with generic salutations like “Dear Sir/Madam” or “Dear Customer” or even “Dear Friend.”
Although such salutations are perfectly acceptable in certain contexts, they should be perceived as signs of phishing when found in emails that seem to come from senders that have your personal information.
Likewise, you should always proceed carefully when you receive an email whose tone doesn’t seem right to you. For example, if a colleague who is always upbeat and friendly suddenly sends you a generic email, then it’s possible that your colleague’s email account has been hijacked by a cybercriminal.
When not sure, it’s always better to verify your suspicion by contacting the sender over a different communication channel.
6. The Sender Is Requesting Sensitive Information
All requests for sensitive information, such as credit card details, passwords, or social security numbers, should automatically trigger phishing alarms in employees’ heads.
Legitimate senders usually know better than to request this kind of information over email, or they have it already. And even if they don’t, sending it as a plain text email message is a big cybersecurity no-no that could get you in real trouble.
Again, all suspicious requests for sensitive information should be verified using a different communication channel or in person.
Educate Your Employees to Help Them Spot Phishing Emails
Phishing emails remain dangerously effective even in 2022 because many employees have yet to be trained to recognize them. What’s more, a large number of those who have received phishing awareness training don’t remember much from it because it happened a long time ago.
All organizations that don’t want to risk a phishing disaster should combat this threat by providing their employees with regular phishing awareness training, and that’s something we at BCA can help with. Contact us to learn more about our services.