Phishing emails live in everyone’s inboxes, even if just in the spam folder. These emails can take many forms, but usually come from fake accounts pretending to be services you use or key individuals in your life. For instance, emails posing as services like Netflix or Verizon are extremely common, as are spoof emails from your boss, a coworker, or even family members. Most of these malicious emails are easily sniffed out by your email’s filter or by your own suspicions. However, there’s no denying the success attackers have had with phishing and social engineering.
According to the AARP, money lost in 2019 on “imposter scams” exceeded $667 million, a 53 percent increase from 2018’s total ($497.2 million). In addition to the sizable increase in money lost to phishing, Retruster reports that phishing attacks are up 65 percent year-over-year and account for 90 percent of successful data breaches worldwide. These statistics show that while the majority of business professionals are confident in their ability to spot phishing attempts, attacks succeed more often than you might think.
These statistics and the growth of phishing attacks as a whole suggest we should all pay a little more attention to this email annoyance. These tips should provide a solid foundation for you to take and use in your everyday lives, whether you’re a business professional working from a work email or someone looking to protect your personal account.
Before we dive into the tips for identifying phish emails, it’s important to know a couple of key definitions relating to today’s blog topic:
Phishing — A scam by which an Internet user is duped (as by a deceptive email message) into revealing personal or confidential information which the scammer can use illicitly.
Spear Phishing — An email or electronic communications scam targeted toward a specific individual, organization, or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.
Search Engine Phishing — A type of phishing that refers to the creation of a fake webpage for targeting specific keywords that guide the searcher toward the fake webpage. Once a searcher clicks on the page link, s/he will never recognize that s/he is hooked until it is too late.
Social Engineering (in cybersecurity) — A manipulation technique that exploits human error to gain private information, access, or valuables. In cybercrime, these “human hacking” scams tend to lure unsuspecting users into exposing data, spreading malware infections, or giving access to restricted systems. Attacks can happen online, in-person, and via other interactions.
While it is quite common for your family members to send emails from addresses ending in “@gmail.com,” “@hotmail.com,” or “@yahoo.com,” the same cannot be said for the majority of businesses and business professionals. The biggest giveaway that an email is not from who it claims to be is a sender address on a public webmail domain.
With this being said, many users only look at the sender’s display name instead of the actual email address. There are no rules against sending an email under the name “Netflix,” “Verizon,” or “insert your boss’ name.” This is why you need to vet the sender’s actual address to ensure the email was sent from the proper and reputable domain, not just a familiar-looking name.
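The display-name-versus-address check described above, as an added example (not code from the original post): it parses a raw From header, separates the display name from the real address, and flags a public webmail domain or a brand name whose domain is not one of the brand’s own. The brand-to-domain table and the sample headers are constructed for illustration.

```python
"""Flag From headers where the display name and the real sending domain
do not match up. Added example; the domain tables below are constructed
placeholders, not an authoritative list."""
from email.utils import parseaddr

# Public webmail domains: normal for family and friends, a red flag for a
# sender claiming to be a business or a coworker at a business.
PUBLIC_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}

# Constructed lookup: brand name (lowercase) -> domains it legitimately uses.
BRAND_DOMAINS = {
    "netflix": {"netflix.com"},
    "verizon": {"verizon.com", "verizonwireless.com"},
}


def check_sender(from_header: str) -> list:
    """Return a list of findings for one From header; empty means no flags."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable address"]
    domain = address.rsplit("@", 1)[1].lower()
    name = display_name.lower()
    findings = []

    # Flag 1: the actual address is on a public webmail domain.
    if domain in PUBLIC_DOMAINS:
        findings.append(f"sender uses public webmail domain {domain}")

    # Flag 2: display name claims a brand, but the domain is not one of that
    # brand's own. Lookalikes such as netflix-support.com are caught here
    # because the comparison is against the full domain, not a substring.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name and domain not in domains:
            findings.append(f"display name claims {brand}, but domain is {domain}")

    # Flag 3: display name is itself an address that differs from the real one,
    # e.g. "billing@netflix.com" <someone@example.net>.
    if "@" in name and name.strip("\"' ") != address.lower():
        findings.append("display name contains a different address")
    return findings


if __name__ == "__main__":
    for hdr in ('Netflix <account-update@gmail.com>',
                'Netflix Support <no-reply@netflix-support.com>',
                'Netflix <info@netflix.com>'):
        print(hdr, "->", check_sender(hdr) or "no flags")
```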
Another dead giveaway for a phishing email is the sender asking you to confirm, clarify, or recite your personal information back to them. Your employer or a business you buy from will never ask you to confirm confidential information like your credit card or social security number via email. Additionally, a popular phishing attempt through email is to obtain your account password by having you send it in reply to a fake “password recovery” email. DO NOT DO THIS. All legitimate password recoveries are done securely on the company’s official website, never by replying to an email.
If you previously updated confidential information or submitted a request for a password reset, this may cause confusion. If there is ANY possibility that the email you received is fake, we suggest contacting the company directly. Responding to an email whose credibility you question is a risk that you do not need to take as an employee or customer. It is better to be safe than sorry when it comes to your personal information.
While most phishing emails aim to get you to disclose personal information voluntarily through social engineering, many also deliver malware. This malware is typically included as an email attachment, posing as an important document like a bill or invoice. This is a tricky situation for email recipients, as they must gather prior information to determine the validity of an attachment. For example, if the email is sent from a public domain or one you do not recognize, absolutely DO NOT open the document. However, there are many times when a completely reputable account will send a bill via email.
In times where you think an email attachment may be legitimate, it is still better to scan the document with antivirus software. This way you can be sure that the attachment is free of any dangerous and/or damaging contents.
Looking deeper into the body of the email in question will tell you a lot about its legitimacy. There are two key areas you want to look at when dissecting the email’s writing. The first is the quality of the copy. If the email is filled with spelling and grammar mistakes, odd wording, or unclear or misleading directions, it is likely that you are a target of a phishing attack. Emails from your employer or a legitimate business will be clear, concise, and (usually) free of major spelling and grammatical errors.
The second part of the writing you want to look at is the tone. One of the most common ways that phishing attacks succeed is by creating a sense of urgency for the victim through the messaging. This urgency creates fear and the desire to quickly solve a problem that is completely fabricated. The outcome is often a successful phishing attack. Most emails from businesses will be conversational and helpful, not urgent or demanding in nature. Common ways that attackers incite fear in their victims are to threaten to shut the account down or to claim that the user may be at risk (when the real risk is the email sender themselves). Do your own research on these claims instead of giving in to the fear.
The last of our tips to identify phishing emails is a simple one. If you did not ask to get an email from the sender, it is most likely a fake email. Especially in cases where the email claims you submitted a request or wished to discuss a topic, it is important to think back on whether you did or not. Attackers prey on individuals who blindly follow emails without thinking back on the message’s context and the validity of the email. When in doubt, move that unsolicited email to your trash or spam folder. If the message is legitimate, the company or individual will reach out to you through another conversation channel.
This tip applies doubly to unsolicited emails with attachments. However, following it means that you may occasionally delete legitimate messages from companies you’ve talked to before. Without sounding like a broken record, it’s important for us to remind you to check the sender’s domain and email address to ensure the whitepaper, invoice, or case study that’s been sent to you is legitimate.
Email phishing may be seen as largely juvenile in the security world, but its success rate makes it a legitimate and booming area of attack. This fact is why it’s important to ensure you’re educated on all signs of a phishing attempt so you don’t fall victim to one. A compromise for you through phishing can range anywhere from a small inconvenience to a large data breach for you or your company. These tips are great reminders of best practices for avoiding the pain—big or small—of a successful phishing attack.