Tips to Spot Phishing Emails and Limit the Fallout
Just one employee clicking on a malicious link in an email message or downloading the wrong attachment can cause serious damage to your business. These attacks, known as phishing, are typically spread through email or social media and pretend to be from legitimate sources, thereby luring users to click or download something that can then spread ransomware, capture passwords, or launch other forms of cyberattacks.
Organizations of every kind are at risk. In the public and private sectors alike, phishing emails have led to massive data exposures, as at the Democratic National Committee and, most likely, Yahoo, and the resulting reputational and financial harm can be severe.
One specific threat is spear phishing, which KnowBe4 defines as, “an email targeted at a specific individual or department within an organization that appears to be from a trusted source… [but is] actually cybercriminals attempting to steal confidential information.” This approach tends to work very well. In fact, 91% of cyberattacks and the resulting data breaches start with a spear phishing email, according to Trend Micro.
Phishing: The SMB Risk
If you focus on the major news headlines, it may seem that cybercriminals only want to phish large organizations like the DNC and Yahoo. In fact, most target small and midsized businesses. Interestingly, this focus on SMBs is relatively new: as of 2012, most phishing attacks on businesses targeted large enterprises, but by 2014 that had flipped, according to research from the University of Connecticut.
It’s also more common than you might realize. A survey by Nationwide found that 20% of small business owners have fallen victim to a phishing attack. That’s one in five small businesses.
The actual number of phishing victims could be even higher than reported, considering that nearly half of U.S. internet users cannot correctly identify examples of phishing attacks, according to a study by Pew Research Center. In some cases, breaches happen and are not discovered for months, years, or ever.
Even people who understand the concept of phishing still fall for it. Researchers at the University of Erlangen-Nuremberg in Germany found that up to 56% of people click links from unknown senders in email, and about 40% do the same on Facebook, mainly out of curiosity. Yet 78% of those who clicked said they knew the risks of doing so.
The fallout from a phishing attack can include major reputation damage, financial loss, legal repercussions, and more. Many small businesses are at risk of being bankrupted by an attack. To combat this, businesses need to thoroughly educate employees about the risks of phishing and help them avoid falling victim by following best practices when it comes to suspicious messages from unknown senders.
Tips to Spot Phishing Attempts
An ounce of prevention is worth a pound of cure, so here are our recommendations to protect your business from phishing:
Train Employees to Spot Red Flags
Organizations should train employees to watch out for these three telltale signs of a phishing scam:
Red Flag 1: Unknown Sender — Especially with Misspellings
Messages from unrecognized senders should always be met with skepticism. Even if the recipient is curious about the content, or thinks the sender might be a contact from a conference, it is better to be safe than sorry. Think before you click, and investigate whether the message is likely to be a phishing attempt. How? Look for misspellings, especially if the sender is trying to emulate a real company. For example, if the sender is supposedly Jackie from Google, look at the actual email address and see if something is off, such as zeroes standing in for letters in “jackie (at) g00gle (dot) com.” Also compare the sender’s display name with the address: the preview might show Jackie Smith while the address is “jimmyseth (at) g00gle (dot) com.” That mismatch is another big red flag. Keep in mind that the display name is whatever the sender chose to type, and many mail clients (especially on phones) show only the name, so expand the header to see the full address before trusting it.
Red Flag 2: Unusual Mistakes
While it is not unusual for someone to make a typo in an email, phishing attempts are often loaded with grammatical and spelling errors that go well beyond the norm. A phishing email might also misspell the recipient’s name, a good indicator that there is no pre-existing relationship. Or there might be no name at all, just something generic like “Dear Sir or Madam.” That could be a bad sales pitch or a phishing attempt; either way, better not to click. Finally, another warning sign is a body that reads as though it were machine-translated from another language, with verbs mis-conjugated or in the wrong places.
Red Flag 3: Unexpected Urgency
Sometimes there really is an issue that requires you to reset your password, change your itinerary, and so on. But if you receive an unexpected message to that effect, take an extra few minutes and investigate. Do not let urgent language rush you. Instead, if possible, call the organization that is supposedly asking you to make the change, using a phone number you already have on file rather than one printed in the message. Or type the organization’s website address into your browser yourself and make the change there, rather than clicking any link or opening any attachment in the email.
If there are any red flags like these that don’t stand up to further scrutiny, it’s best to treat these as phishing attempts. And if you suspect an email or other message may be a phishing attempt, here are some ways to safely investigate a little further.
Hover Before You Click
For links in a suspicious email, hover the mouse over the link to reveal the real destination URL, which may differ from the text shown in the email (on a phone, a long press usually shows the same preview). For example, the email might say it is taking you to reset your bank password, but if the URL points somewhere other than your bank’s website, it is very likely a phishing attempt to capture your bank login details.
Even if the destination looks right at first glance, inspect it carefully. Like a forged sender address, it may contain spelling errors or small character swaps, such as a “0” (zero) where an “O” (oh) should be, or a lowercase “l” (ell) where an “I” (eye) belongs; in many fonts those two are indistinguishable. The link might also be shortened with a service such as bit.ly, in which case copying the link (without clicking it!) into an online expander such as GetLinkInfo can reveal the full destination before anything malicious happens.
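The sender and link checks described under Red Flag 1 and in this section can be automated. The following Python script is an added example written for this article, not code from the original page or from Strongarm: it parses a constructed sample message, compares the From display name with the real address, folds common digit-for-letter swaps back to the letters they imitate so that look-alike domains collide with the genuine ones, and checks every HTML link for a visible address that differs from its real destination or for a known shortener. The trusted-domain list, the confusable-character map, the shortener list and the two-label fallback for the registrable domain are all illustrative assumptions; production code should use the Public Suffix List and a fuller confusables table.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions for the example: domains the organisation really deals with,
# digit swaps attackers use for look-alike names, and well-known shorteners.
TRUSTED_DOMAINS = {"google.com", "examplebank.com"}
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def registrable_domain(host):
    """'mail.example.com' -> 'example.com'. Two-label fallback only;
    real code should consult the Public Suffix List (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is genuine or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    folded = domain.translate(CONFUSABLES)  # g00gle.com -> google.com
    return folded if folded in TRUSTED_DOMAINS else None


def check_sender(from_header):
    """Flag look-alike sender domains and display names that carry a different address."""
    findings = []
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From header has no parsable address: %r" % from_header]
    domain = registrable_domain(addr.split("@", 1)[1])
    imitated = lookalike_of(domain)
    if imitated:
        findings.append("sender domain %s imitates %s" % (domain, imitated))
    # Trick: display name is itself an address, e.g. "ceo@examplebank.com" <x@attacker.example>
    shown = re.search(r"[\w.+-]+@[\w.-]+", name)
    if shown and shown.group(0).lower() != addr.lower():
        findings.append("display name shows %s but address is %s" % (shown.group(0), addr))
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Flag links whose real target imitates a trusted domain, differs from the
    address shown in the link text, or goes through a shortener."""
    findings = []
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        target = registrable_domain(host)
        imitated = lookalike_of(target)
        if imitated:
            findings.append("link to %s imitates %s" % (target, imitated))
        if target in SHORTENERS:
            findings.append("shortened link via %s; expand it before trusting it" % target)
        # Visible text that looks like a URL or domain but points somewhere else
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        if shown and registrable_domain(shown.group(1)) != target:
            findings.append("link text shows %s but goes to %s" % (shown.group(1), host))
    return findings


def analyse(raw_message):
    """Run both checks over a raw RFC 822 message and return the list of findings."""
    msg = message_from_string(raw_message)
    findings = check_sender(msg["From"] or "")
    if msg.is_multipart():
        bodies = [p.get_payload(decode=True).decode("utf-8", "replace")
                  for p in msg.walk() if p.get_content_type() == "text/html"]
    else:
        bodies = [msg.get_payload()]
    for body in bodies:
        findings += check_links(body)
    return findings


# Constructed sample message modelled on the red flags described in the article.
SAMPLE_EMAIL = """\
From: "Jackie Smith" <jimmyseth@g00gle.com>
To: staff@examplebank.com
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Your account will be locked in 24 hours.</p>
<a href="http://examp1ebank.com/login">https://examplebank.com/login</a>
<a href="http://bit.ly/3abcd">Update your itinerary</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("RED FLAG:", finding)
```

On the sample message the script reports the look-alike sender domain, the look-alike link domain, the mismatch between the address shown in the link text and its real target, and the shortened link. The digit-folding table deliberately covers only the swaps the article mentions; Unicode homoglyphs (for example Cyrillic letters in internationalized domain names) need a proper confusables table, and the absence of findings is never proof that a message is safe.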
Verify Attachments Before Downloading
As for attachments, do not open any if the sender’s validity is in question, or if you suspect someone’s email account may have been compromised. Be especially wary of archives, macro-enabled Office documents, and files with double extensions such as “invoice.pdf.exe”, which are common ways to deliver malware. If you have an IT department, encourage employees to forward suspicious emails to IT to verify their authenticity. If the email is supposedly from someone you know but has some red flags, call or text the alleged sender to confirm they actually sent an attachment. The slight inconvenience of doing so far outweighs the risk of falling for a phishing scam.
Use Effective Malware Protection
In the event that your organization does get lured by phishing and your network is hit with malware as a result, it is important to have tools in place that stop the malware before it can take hold and spread. Strongarm’s simple, automated anti-malware solution quickly identifies and neutralizes malware. With Strongarm in place, even if an employee takes the bait, the phishing attempt is far less likely to succeed at harming your business.
Ready to protect your organization from phishing?