Catching a Phish Before it Bites: How to Protect Your Business from Costly Mistakes
All it takes to bring your business to a standstill is one successful phishing email. This makes spotting them before they unleash their destructive potential critical, but it's not always easy—especially with today's sophisticated scammers.
Here's where to focus your attention to avoid becoming a victim:
Address Field
Most phishing emails are sent to mass lists of addresses with the hope that a handful of targets will respond. Cybercriminals know that many recipients will skip past the email's address section and go right to the message. So red flags, such as a To: field full of names you don't recognize, or one that's empty, are often overlooked.
A quick check of the email date and send time can also reveal clues. A high percentage of phishing emails originate outside the United States and pass through several servers and time zones before arriving at their destination. An email sent late at night, on a weekend or holiday should raise suspicions.
Finally, it pays to look at the last part of the sender's email address, known as the domain. This is the portion after the '@' symbol, which usually ends in '.com'. If it's not what you'd expect, or it's gibberish, it's likely a fake.
Sophisticated scammers will also use a tactic called domain spoofing: modifying a legitimate address so that the change is not conspicuous. Think 'goog1e.com' (a '1' substituted for an 'l') instead of the correct 'google.com', and you get the idea.
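One way to turn the domain checks above into a routine test is to compare the sender's domain against a short allow-list of domains you actually expect mail from, folding common character swaps ('1' for 'l', 'rn' for 'm') before comparing and also catching a brand name reused inside some other registrable domain. The script below is an added example, not code from the original article; the allow-list, the substitution table and the sample addresses are all constructed for illustration.

```python
"""Flag From: domains that imitate a domain you expect mail from.

Added example, not code from the original article. The allow-list and the
sample addresses are constructed for illustration.
"""
import re

# Constructed allow-list: domains this business genuinely corresponds with.
EXPECTED_DOMAINS = {"google.com", "microsoft.com", "amazon.com"}

# Look-alike character(s) -> the letter they imitate ('goog1e', 'rnicrosoft').
HOMOGLYPHS = {
    "1": "l", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "rn": "m", "vv": "w", "cl": "d",
}


def sender_domain(address: str) -> str:
    """Return the lower-cased part after '@' from a From: value, or '' if none."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip("<> \t").lower()


def fold(domain: str) -> str:
    """Collapse common substitutions so a look-alike folds onto the real name."""
    folded = domain.lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def assess_sender(address: str) -> str:
    """Classify a From: address as 'expected', 'lookalike' or 'unknown'."""
    domain = sender_domain(address)
    if not domain:
        return "unknown"
    for expected in EXPECTED_DOMAINS:
        # The real domain or one of its subdomains (mail.amazon.com).
        if domain == expected or domain.endswith("." + expected):
            return "expected"
    folded = fold(domain)
    for expected in EXPECTED_DOMAINS:
        # Character swaps: goog1e.com -> google.com.
        if folded == fold(expected):
            return "lookalike"
        # The brand name reused inside a different registrable domain:
        # amazon-support.com, amazon.com.evil.net.
        brand = expected.split(".")[0]
        if re.search(rf"(^|[-.]){re.escape(brand)}([-.]|$)", folded):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for addr in ("billing@google.com", "Accounts <no-reply@goog1e.com>",
                 "support@rnicrosoft.com", "alerts@amazon-support.com",
                 "news@example.org"):
        print(f"{addr:40} -> {assess_sender(addr)}")
```

An 'unknown' result is not a verdict; it just means the domain is neither one you trust nor an obvious imitation of one, which is exactly the case the article says deserves a closer look at the rest of the message.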
Quality of Writing
Poor writing quality is a good indicator that the email you received is "phishy." Pay close attention to punctuation, structure, tone, or anything else that might seem off.
Typos are a dead giveaway, especially if the email claims to be from a reputable source, such as Microsoft or Amazon. Legitimate companies typically don't make these kinds of mistakes in emails. Cybercriminals, however, do.
Sometimes an odd tone or clumsy phrasing is the only sign that you're being phished. This is especially true in business email compromise cases, where criminals use stolen login credentials to send emails from legitimate accounts. If someone you correspond with regularly suddenly sounds different or makes an odd request, be suspicious and trust your instincts.
Brand Design
Scammers often mimic big names like Amazon and Walmart to fool their targets. What they tend to overlook, however, are specifics like brand standards.
An email from UPS with a delivery update that features the old package and string logo instead of the current day shield is likely a scam. An e-coupon from McDonald's with an image of a Whopper is cause for concern.
Companies spend years cultivating consistent brand standards that make them unique. Pay attention to colors, logos, image aspect ratios, and overall email construction. When these don't add up, it's a clear sign that something is amiss, and you're probably being phished.
Emotion Baiting
Criminals often play on emotions to make targets respond to their phishing emails. Whether it's fear, pride, anger, or empathy, there's no shortage of feelings they'll exploit to get you to act.
It starts as early as the subject line, with words like 'free' or 'last chance' that elicit desire and fear of missing out. Other ploys include mentioning a frozen account or compromising photos to instill fear of what could happen next, or threatening negative consequences or promising unrealistic rewards for acting.
An emotional response is made with the heart, not the head, and scammers are banking on you to respond to their phishing email without thinking.
Links and Attachments
Most phishing emails are just a sophisticated delivery mechanism for a malicious payload deployed by clicking a link or downloading an attachment. Pay close attention, however, and you can spot their toxic traits.
An attachment file type with an unfamiliar suffix or extension is usually a reason for suspicion. If you receive one that you don't recognize or aren't accustomed to receiving, avoid it. Check this list of potentially dangerous and malicious file extensions for a comprehensive list.
Treat all links, and especially hyperlinks on images, words, or phrases, with a healthy dose of suspicion, as they can be used as substitutes for the real thing. Hovering your mouse over the hyperlink without clicking can reveal the true link destination. If it's not what you expected, don't click. To learn more about avoiding dangerous links, read our blog post: Don’t Click That! The Dangers of Phishing Hyperlinks and How to Avoid Them.
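The two checks in this section, hovering to see whether a link's real destination matches what it appears to be, and distrusting attachments with unexpected extensions, can be automated over a raw message before a person ever reads it. The script below is an added example and not code from the original article: it parses a constructed phishing-style email, reports anchors whose visible text names one site while the href points at another, and reports attachments whose final extension is on a risky list. That list is an illustrative subset chosen for this example, not the comprehensive list the article links to.

```python
"""Inspect an email's links and attachments for the signs described above.
Added example, not from the original article; the message is constructed and
RISKY_EXTENSIONS is an illustrative subset.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative subset of extensions that execute or script when opened.
RISKY_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta",
                    ".ps1", ".lnk", ".iso", ".docm", ".xlsm"}

# Visible link text that itself looks like a URL or a host name.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

# Constructed message: the anchor text names the bank, the href points elsewhere,
# and a double-extension attachment rides along. The base64 body is just 'hello'.
SAMPLE_EMAIL = """\
From: Billing <billing@yourbank-alerts.example>
To: you@example.com
Subject: Action required: account suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please visit <a href="http://secure-login.example.net/verify">www.yourbank.com/login</a> within 24 hours.</p>
<p>Or <a href="http://www.yourbank.com/help">click here</a> for help.</p>
</body></html>
--b1
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host name: a crude stand-in for the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])


def check_links(html: str) -> list:
    """Report anchors whose visible text names a different site than the href."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not URL_LIKE.match(text):
            continue  # 'click here' style text names no site to compare against
        target = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable(shown) != registrable(target):
            findings.append(f"link text '{text}' but destination host '{target}'")
    return findings


def check_attachments(msg) -> list:
    """Report attachments whose final extension is in RISKY_EXTENSIONS."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # 'Invoice.pdf.exe' is judged on its final suffix, which is what runs.
        suffix = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
        if suffix in RISKY_EXTENSIONS:
            findings.append(f"attachment '{name}' has risky extension {suffix}")
    return findings


def inspect(raw: str) -> list:
    """Parse a raw RFC 822 message and return all findings."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += check_links(body.get_content())
    findings += check_attachments(msg)
    return findings


if __name__ == "__main__":
    for finding in inspect(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

The link check deliberately compares only anchors whose visible text already looks like an address; a link labelled 'click here' gives the reader nothing to compare, which is why hovering remains the manual fallback. The 'last two labels' shortcut in registrable() is good enough for a demonstration, but a production filter would use a public-suffix list so that hosts under multi-label suffixes such as co.uk compare correctly.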
Protecting Yourself and Your Business
If your business uses email, you're just one click away from becoming a phishing statistic. Understanding how to identify a phishing email is an essential step toward protecting your company from costly ransomware attacks, dangerous data breaches, and other cybersecurity threats.