In our working days, it can be difficult to fully concentrate on tasks 100% of the time, especially when churning through a backlog of emails.
The truth is, many of us believe that we're able to spot the signs of a fraudulent email without actually knowing what the real signs are. Simply knowing not to reply to an email that asks for personal information isn't enough to avoid a phishing scam, especially as these attacks become more and more cunning.
From mass mailings that blast a high volume of generic emails at whoever will bite, to the targeted 'spear phishing' of a specific individual who matters to an organisation, any of us can take the bait. That is why learning to spot the warning signs of a phishing attempt is important.
So, to get you started, we've put together a guide to discuss:
1. How to spot phishing emails
2. How to prevent phishing attacks
3. How to report a phishing scam
Chapter 1: How To Spot Phishing Emails
-Be smart and vigilant
Concentration drops when you are churning through a backlog of emails, and that is exactly when an email asking for personal information needs a second look.
Legitimate organisations, banks above all, should never ask for sensitive information by email. If an email looks suspicious, contact the organisation through a channel you already trust (a phone number from its website or a previous statement), not by replying to the message or using the details it contains. Look out for the 'red flags' described below, and if an email asks for anything like your password, report it to your IT department.
-Don't give in to scare tactics
Phishers want you to react quickly, and they have a range of proven techniques for it. Scare tactics, such as threatening to disable an account or delay a service unless you update certain information, push employees into handing over personal information in a state of urgency. A fraudulent email that appears to come from your IT support team and asks you to change your password is a common example.
Confirm the request with the organisation directly, using contact details you already have rather than those in the email, and raise it with IT if your suspicion grows.
-Look out for spelling and grammar mistakes
Employees are a common target for attackers, and will remain one for as long as they keep reacting to phishing emails and handing over their information.
Most phishing emails contain blatant indications of being fake. Typos, odd punctuation, excessive exclamation marks (especially in scare tactics) and runs of capital letters all suggest the message is not from an authentic source.
Even the greeting can be a sign. 'Dear Sir/Madam' and 'Dear Customer' both show that the sender does not have your personal details, such as your name.
Although many of these mistakes are genuine errors by the attackers, some are deliberate: they are used to slip past spam filters, improve response rates and weed out the more savvy recipients who would recognise the scam anyway.
-Look out for dodgy links or attachments
Never follow a link in an email to reach a website unless you are certain the email is authentic. Instead, open a new browser window and type the address yourself. A phishing site will often look identical to the real one, so the page design tells you nothing; the address bar is what tells you where you really are, so check that the domain is exactly the one you expect.
In some phishing emails the link text looks legitimate while the underlying target is not. Hovering over the link (without clicking) shows the real destination in the browser's status bar. If that address differs from the one displayed, it is very likely a phishing email.
As well as dodgy links, some phishing emails carry attachments and ask you to open or download them. These attachments can carry various kinds of malware that harm your device and steal your personal data; be especially wary of executable file types and double extensions such as 'invoice.pdf.exe', where the real extension is the last one.
-Watch out for pop-ups
Pop-up phishing involves fraudulent messages that "pop up" while you surf the web. Phishers infect legitimate, well-known websites with malicious code that causes pop-up messages to appear when someone visits the site.
The pop-up usually presents the visitor with a fraudulent warning, typically about the security of their device, and prompts them to download a tool "to fix the problem". The tool poses as an anti-virus application or firewall; once downloaded, it infects the device with malware.
Malware-tips has a useful blog post on "How to remove tech support scam popups".
-Common phishing phrases
Attackers use scare tactics to push their victims into taking immediate action and giving away their credentials. Although some phishing emails look almost legitimate, a few phrases come up again and again.
Top phrases used by phishers
"Click here to update your information"
"your account has been deactivated"
"Click here to open your document"
"We need to verify your account"
"If you don't respond immediately, your account will be closed"
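The link, attachment and wording checks in this chapter can be scripted, which is useful for triaging reported emails in bulk. The Python script below is an added example, not code from the original guide or its authors. It parses two constructed sample messages (every address, domain and attachment name is made up), flags links whose visible URL points to a different host than the real href, attachments whose final extension is executable, and the phrases listed above, and returns a verdict. The host comparison is exact, so a link to a legitimate subdomain of the same organisation would also be flagged; that is deliberately conservative.

```python
import os
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases from the list above, lower-cased for matching.
PHISHING_PHRASES = [
    "click here to update your information",
    "your account has been deactivated",
    "click here to open your document",
    "we need to verify your account",
    "if you don't respond immediately, your account will be closed",
]
# Attachment types that run code when opened; "invoice.pdf.exe" still ends in one of these.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso"}

# Constructed sample messages (not real captures); every name and domain is made up.
SAMPLE_PHISH = """\
From: "Acme Support" <support@acme-billing.example>
To: user@example.com
Subject: URGENT: your account has been deactivated
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>We need to verify your account. If you don't respond immediately, your account will be closed.</p>
<p><a href="http://acme.example.login-verify.example/u">https://acme.example/login</a></p>
<p>Click here to open your document: <a href="https://docs.acme.example/view">Open invoice</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="Invoice_2024.pdf.exe"
Content-Disposition: attachment; filename="Invoice_2024.pdf.exe"

MZ...
--b1--
"""
SAMPLE_CLEAN = "From: colleague@example.com\nTo: user@example.com\nSubject: Lunch tomorrow?\n\nFree at 12:30?\n"


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a>, plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def link_mismatches(links):
    """Links whose visible text is itself a URL on a different host than the real target."""
    return [(text, href) for href, text in links
            if re.match(r"https?://", text, re.I) and host_of(text) != host_of(href)]


def risky_attachments(msg):
    """Attachment filenames whose final extension is executable."""
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return [n for n in names if os.path.splitext(n.lower())[1] in RISKY_EXTENSIONS]


def matched_phrases(text):
    norm = re.sub(r"\s+", " ", text.lower())
    return [p for p in PHISHING_PHRASES if p in norm]


def triage(raw):
    """Run the three checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw)
    parser = LinkExtractor()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    text = msg.get("Subject", "") + " " + " ".join(parser.text)
    findings = {
        "link_mismatches": link_mismatches(parser.links),
        "risky_attachments": risky_attachments(msg),
        "phrases": matched_phrases(text),
    }
    # A mismatched link or executable attachment is damning on its own;
    # wording alone needs two hits before the message is called suspicious.
    findings["suspicious"] = bool(findings["link_mismatches"] or findings["risky_attachments"]
                                  or len(findings["phrases"]) >= 2)
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, triage(raw))
```

Run it against a saved `.eml` file by reading the file into `triage()`. The phrase list is a blunt instrument and will miss rewordings, which is why the link and attachment checks carry more weight in the verdict.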
Chapter 2: How To Prevent Phishing Attacks
-Enable spam filters
One simple but effective way to keep phishing emails out is to use a good spam filter in your email system.
The filter removes most spam, including phishing emails, before you see it. Some phishing emails will still reach your inbox, however, so treat the filter as a backstop rather than a substitute for the checks in Chapter 1.
Because most phishing emails share recognisable characteristics, a filter can identify many of them before they reach your inbox. Gmail is a good example: its spam filtering is switched on by default, and you can add your own rules (for instance, to quarantine mail from a domain that has been impersonating your organisation) under Settings > See all settings > Filters and Blocked Addresses > Create a new filter. Other mail providers and corporate mail gateways offer equivalent controls.
-Implement 2FA and MFA
A strong password alone will not cut it. Cyber security threats continue to grow in variety and sophistication, which is why it is crucial to do whatever you can to protect your accounts and data.
You may not realise it, but most people already use two-factor authentication: paying with a debit card needs both the card (something you have) and the PIN (something you know). Two-factor authentication (2FA) requires you to prove your identity in two different ways.
Multi-factor authentication (MFA) is the general term: it requires two or more factors drawn from different categories, something you know (a password or PIN), something you have (a phone, hardware token or smart card) and something you are (a fingerprint or face). 2FA is simply MFA with exactly two factors. A password stolen by a phishing email is of little use on its own if the account also demands a second factor, which is why enabling MFA wherever it is offered blunts most phishing attacks. One caveat: a one-time code can still be relayed by a phishing site that proxies the real login page in real time, so phishing-resistant factors such as FIDO2 security keys or passkeys, which are bound to the genuine site, are the stronger choice where available.
-Run regular phishing simulations in your business
Phishing your own employees is one of the most effective ways to combat the threat. Email is the main channel of business communication these days, which makes it a favourite target for cyber criminals.
Many organisations invest heavily in tools and other technology. That protects devices, but devices are not the weakest link in the security chain; your employees are.
Phishing your employees has numerous benefits. It locates individual knowledge gaps and gives you a clear picture of how vulnerable your organisation actually is.
Simulations bring the threat home to employees and build a habit of scrutinising emails before acting on them.
We have a free phishing tool that lets you launch your own phishing simulation with ease and track your users' open and click rates.
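The click tracking a simulation relies on is simple to build, but it needs to be done carefully: if each recipient's link is guessable, one employee can click on behalf of another (or on behalf of nobody) and skew the results. The Python class below is an added illustration of the approach, not the vendor's tool described above. Each recipient gets an opaque random id and an HMAC token over the campaign name and that id, so the address never appears in the URL and a tampered or invented link is rejected when the landing page records the click. The campaign name, landing URL, key and addresses are made up.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class SimulationCampaign:
    """Issues one signed tracking link per recipient and records which were clicked."""

    def __init__(self, name: str, landing_url: str, key: bytes):
        self.name, self.landing_url, self.key = name, landing_url, key
        self.recipients = {}   # opaque id -> email address, kept server-side only
        self.clicked = set()

    def _token(self, rid: str) -> str:
        # HMAC over campaign + recipient id: a recipient cannot forge another user's
        # link, nor reuse their own link in a different campaign.
        msg = f"{self.name}:{rid}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def add_recipient(self, email: str) -> str:
        rid = secrets.token_urlsafe(9)   # random id, so the address never appears in the URL
        self.recipients[rid] = email
        query = urlencode({"c": self.name, "r": rid, "t": self._token(rid)})
        return f"{self.landing_url}?{query}"

    def record_click(self, url: str) -> bool:
        """Called by the landing page. Returns True only for a genuine, untampered link."""
        q = parse_qs(urlparse(url).query)
        campaign, rid, token = (q.get(k, [""])[0] for k in ("c", "r", "t"))
        if campaign != self.name or rid not in self.recipients:
            return False
        if not hmac.compare_digest(self._token(rid), token):
            return False
        self.clicked.add(rid)   # a set, so repeat clicks are not double counted
        return True

    def click_rate(self) -> float:
        return len(self.clicked) / len(self.recipients) if self.recipients else 0.0

    def clickers(self):
        """Addresses that clicked, for targeted follow-up training."""
        return sorted(self.recipients[r] for r in self.clicked)


if __name__ == "__main__":
    camp = SimulationCampaign("q3-invoice", "https://training.example/landing",
                              secrets.token_bytes(32))
    link = camp.add_recipient("ann@example.com")
    print(link)
    print("clicked:", camp.record_click(link), "rate:", camp.click_rate())
```

Open tracking usually works the same way with a signed image URL; bear in mind that many mail clients block remote images, so open rates undercount and the click rate is the figure to act on. Keep the signing key out of the landing page's client-side code and log which id clicked, not the address, so the tracking data itself is not a directory of staff.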
-Regular backups and updates
Backing up your data makes it far easier to recover. Regular backups have multiple benefits, the obvious one being recovery in the event of a breach, for example after ransomware delivered by a phishing attachment has encrypted your files. With cyber security threats constantly evolving, backing up your systems on a regular basis is incredibly valuable.
Backups also add a layer of resilience. With remote backup, a copy of your data is stored in a separate, secure location, and a copy that is kept offline or otherwise out of reach of a compromised account cannot be encrypted or deleted along with the original.
Keeping software up to date is another crucial element of strong security. Updates fix the vulnerabilities that malicious attachments and links exploit, as well as keeping systems running smoothly, and they often bring new features and services that offer real value to your organisation and employees.
-Educate your employees
As well as running phishing simulations, protect your business by educating your end users on how to spot and prevent phishing scams. To do this you will need a good security awareness platform that covers not only phishing but the wider range of cyber security topics your users need to understand.
A good security awareness programme covers all the essential topics, explaining what the risks are and how to prevent them. We have a free trial of our security awareness platform that can give you a true insight into the knowledge gaps in your business.
Chapter 3: How To Report a Phishing Scam
If you or your employees do fall for a phishing scam, the best thing you can do is report it.
To report a phishing scam go to:
Dealing with the repercussions of a phishing attack is not only very time consuming but equally costly, and one careless click has the potential to bring down an entire company. It is extremely important for your employees to understand how severe the consequences of a phishing attack can be and what they can do to prevent one. We have a free phishing awareness kit that can help improve phishing awareness among your employees and prepare them for future attacks.