A phishing attack is a type of online scam by which cybercriminals send emails appearing to be from a legitimate source, such as a recognised and trusted business or colleague. It’s designed to lure users into providing sensitive information or may include malware. Phishing is popular because it gives criminals direct access to the most vulnerable part of any network – the users. According to Iconsclales 2017 Email Security Report, 90% of successful cyber attacks trace back to phishing emails, so it’s important you and your employees know how to recognise a fraudulent email.
Check the source
A favourite tactic used is sender or domain spoofing. The display name shown from the email header may look familiar, perhaps a colleague or recognised business. However, take a close look at the full email address or the email properties. The sender address may be misspelt or slightly altered but may resemble a well-known domain. Even if the mail comes from a trusted source, were you expecting this email? Does the purpose of the email match who the sender appears to be?
Check the content
Read through the entire email before clicking anything. Often the language is a giveaway for phishing emails so check for spelling and grammatical errors. Emails from legitimate companies are always constructed in a professional manner and will rarely have typos. However, do not judge an email solely on the language and tone. Over the years, cybercriminals have become more sophisticated, and often, the body of the email can look very convincing.
Attachments & Links
Although click rates have come down, many users still get caught out with attachments and links. Attachments can contain malicious malware that can be installed onto your PC and network from just one click, so do not open unexpected attachments. Before clicking any hyperlink hover over it and check the address. If it is different from what’s displayed or if it looks like a misspelling of a familiar domain name, then it’s probably fraudulent. Even if the web address is HTTPS, this does not indicate the site is legitimate. It only means the website communications are encrypted, and as of 2018, 50% of phishing sites were using HTTPS.
Is the email threatening?
The types of phishing campaigns that are most successful are ones that invoke a sense of urgency or threat, so you will be inclined to act without thinking. The email may make claims such as “Your account will be deactivated…please take the necessary action” or “If you do not verify your account, we will be forced to block it”. Legitimate companies would rarely address their customers like this, but if you are concerned, contact the company directly to confirm the status of your account.
What is the purpose of the email?
No matter where the email is sent from or how official it looks, nobody should ask you to send them personal information over email. If it’s an offer of something, think about what you are being promised, and if it sounds too good to be true, it probably is. Just because an email has convincing brand logos, language and a seemingly valid email address does not mean you should provide any information or click on any links. Be cautious and report any suspicious emails to your IT department.
Next steps…
Despite spam filtering and email authentication methods, phishing emails will still reach inboxes. Training users how to detect and react to these threats will help protect you and your business. To establish how vulnerable your employees are, you can run Simulated Phishing Attacks. The results will enable you to take immediate remedial action if it’s needed. To find out more about running simulating phishing phone us on 0131 208 0080 or fill out our contact form and we’ll quickly get back to you.
