Phishing Attacks and Dealing with Suspicious Emails
Phishing attacks are a type of online scam where criminals pose as a legitimate organization to trick people into giving them sensitive information. These attacks can be very sophisticated, and they are becoming increasingly common. One way to protect yourself from phishing attacks is to be suspicious of any email that asks you for personal information or login credentials. If you are not expecting an email like this, it is best to delete it without opening it. You should also be cautious of any emails that contain misspellings or grammatical errors, as these are often indicators that the email is not legitimate. However, even if an email looks legitimate, you should never click on any links or attachments unless you are sure that they are safe.
Phishing can be conducted via a text message, social media, or by phone, but the term ‘phishing’ is mainly used to describe attacks that arrive by email.
Our latest blog post provides some insight and education on:
- What is phishing?
- What is a phishing email and how it looks like?
- 7 signs of a phishing email
- Some tips to making it harder to be a phishing victim
- What to do if you’ve already clicked on a phishing email link?
This advice includes tips about how to spot the most obvious signs of phishing, and what to do if you think you’ve clicked a bad link.
What is phishing?
Phishing is a cybersecurity threat and a type of social engineering tactic, aimed at collecting private information on the internet. Phishing scams are typically based on fake websites (emulating financial or eCommerce websites), with URLs that are manipulated to resemble the web address of the real website.
What is a phishing email?
Are you sure that the email from DHL is from DHL? Businesses and individuals are often targeted by cybercriminals via emails designed to look like they came from a legitimate bank, government agency, or organization. In these emails, the sender asks recipients to click on a link that takes them to a page where they will confirm personal data, account information, etc.
A phishing email may attempt to create a sense of urgency (for example “your account expired”, or “regarding your recent purchase from amazon”) or may offer a reimbursement or other positive benefit to many internet users.
In the body of the message, the attacker often invites users to visit a form that seems specifically hosted by the legitimate organisation, which requests the user to provide their personal data, often of a financial nature. During the whole procedure, the victim believes they are interacting with the official website of a trusted entity.
Phishing emails may also be accompanied by an attachment, commonly presented as an invoice or sales receipt. The message is written in such a way as to encourage you open it and infect your machine with malware.
7 Signs of a Phishing Emails
All internet users, especially those using company equipment or have access to sensitive data, should be able to identify suspicious emails in their inboxes. Below are six common signs that can help your users identify a phishing email.
1. Spelling Mistakes and Grammatical Errors
Spelling mistakes and poor grammar are common indicators of phishing emails. Most companies use professional copywriters, or at least a spelling checker, to review official emails before sending them to their customers/clients. Therefore, emails sent from professional sources should be free of grammar and spelling errors – end of.
2. An unfamiliar message tone or greeting
When reading phishing messages, look for improperly used words. For example, a colleague sounds very familiar, or a family member sounds very formal. If the email sounds strange and doesn’t use the language you’d expect from the sender, it is a good idea to look for other indicators that it may be fake.
3. Threats or a sense of urgency
Emails that warn the recipient about something negative are immediately suspicious. Another strategy used by attackers is urgency—encouraging or demanding immediate action, in the hope that the user would panic and act quickly and won’t have time to fully investigate the content of the phishing message. Any type of threat or urgent request should prompt you to stop and investigate the email more closely.
4. Inconsistencies in email addresses, links, and domain names
Another easy way to detect potential phishing attacks is to look for discrepancies between the email address, link, and domain name. For example, it is a good idea to verify previous communications that match the same email address (you may find previous emails from the same organisation came from a different email account or domain).
If a link is included in the email, first mouse over the link to see the destination uniform resource locator (URL). A sure sign of phishing is that the domain used in the link does not match the company who supposedly sent the email. For example, the email is from eBay or Amazon, but the link does not go to ebay.com or amazon.com.
5. Unusual Request
If the request made in the email is uncommon, the email may be malicious. For example, an email from a CEO or MD requesting to transfer funds urgently, without going through the regular standard operating process for payments approval with finance department – then its fake of phishing.
6. Your bank (or any other official source) should never ask you to supply personal information in an email. So, if you get an email like that, call them directly or visit your nearest branch to make them aware.
7. If it sounds too good to be true, it probably fake. It’s most unlikely that someone will offer you designer trainers for $20, or codes to access films for free. Be vigilant and don’t be tricked.
Social engineering attacks like phishing will inevitably happen, so you should ensure your organisation has the means to rapidly collect data about security incidents, identify what is going on, and notify security staff so they can act.
Some tips to making it harder to be a target
Information from your website or social media accounts leaves a ‘digital footprint‘ that can be exploited by cyber criminals. You can make yourself less likely to be phished by doing the following:
- Criminals use publicly available information about you to make their phishing emails appear convincing. Review your privacy settings and think about what you post.
- Be aware what your friends, family and colleagues say about you online, as this can also reveal information that can be used to target you
- Never post personal and sensitive data online e.g., date of birth, full name, address, bank details etc.
- Don’t connect to unknown Wi-Fi Hotspots on public places.
- Be careful what you download and click
- Update your software devices and keep your apps up to date.
What to do if you’ve already clicked?
The most important thing to do is not to panic. There are number of practical steps you can take:
- Open your antivirus (AV) software and run a full scan. Follow any instructions given.
- If you’ve been tricked into providing your password, you should change your passwords on all your other accounts.
- If you have lost money, you need to report it to the cybercrime agency immediately.
Phishing attacks are an unfortunate reality of the digital age. However, by being aware of the signs of a phishing attack and knowing what to do if you receive a suspicious email, you can protect yourself and your business from becoming a victim. Educating your employees about phishing attacks is one of the best ways to help prevent them from happening in the first place, so make sure to spread the word and stay safe online.