Cybercriminals never seem to run out of crafty schemes and clever ploys to grab a quick buck from victims they manage to dupe. These hackers launch thousands of phishing attacks every day, and they succeed so often that it is a very lucrative venture, well worth their time.
The FBI’s Internet Crime Complaint Center reported they received an average of 1,300 complaints every day in 2019 and recorded more than $3.5 billion in losses to individual and business victims. The most frequently reported complaints are phishing and similar ploys.
This is an eye-opening statistic. Cybercriminals make phishing hard to spot. However, there are still several things you can look out for to help you avoid falling for one and protect yourself from these types of scams.
How to Spot Phishing
Real emails come from a company’s actual domain* and email system, not from some unrelated email address. If you have no past communication from the sender, the email is unusual or out of character for the sender, or you do not recognize the sender’s email address and it has not been verified by someone you trust, be suspicious! More importantly, don't just look at the name that shows up as the ‘from’ address; that is too easily manipulated. It may appear to be a name or address you recognize.
To check the actual sending email address, hover your mouse over the ‘from’ address. Are there additional letters or numbers in the email address, or is it a completely different email name/domain? Is it YOUR email address? These are Red Flags! (ex. firstname.lastname@example.org vs. email@example.com or firstname.lastname@example.org). *This is not an infallible way to verify the sender, as some companies use varied domains to send emails and some smaller companies use third-party email providers, but it is a start.
Did you receive an email that you would normally get during regular business hours, but it was sent at an unusual time like 3 a.m.? - Red Flags!
Is the email unexpected or unusual, with an embedded hyperlink or an attachment, from someone you have not communicated with recently? Were you copied on an email, but do not know the other people it was sent to? Was the email also sent to an unusual or random mix of people at your organization whose last names start with the same letter, or to a whole list of unrelated addresses? - Red Flags!
Make it a habit to check all links before you click them and make sure they are valid. Even though the text may look correct, it could take you someplace completely different. Hover over the hyperlink to view the actual address it links to. Also, don’t ever click on an image without verifying that its link is legitimate too!
Lastly, if you receive a hyperlink with a misspelling of a known website, that is a BIG Red Flag! ex.: www.bankofarnerica.com - the ‘M’ is actually two characters, ‘R’ and ‘N’; or www.micosoft.com, www.mircosoft.com, www.verify-microsoft.com (misspellings and made-up domains).
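As an added example (not code from the original post), the Python script below applies the two sender checks described above to a From: header. It compares any address shown inside the display name against the real address, warns when the mail claims to come from your own address, and tests the sending domain against a small, constructed allowlist of known domains for the look-alike tricks listed above: the ‘rn’ for ‘m’ substitution, dropped or swapped letters, and a brand name buried in a made-up domain such as verify-microsoft.com. The allowlist, the confusable-character table, the two-label notion of a registrable domain and the edit-distance threshold of 2 are assumptions chosen for the demonstration.

```python
import re
from email.utils import parseaddr
from typing import List, Optional

# Constructed allowlist of domains the reader actually deals with; a real
# deployment would load this from configuration (assumption).
KNOWN_DOMAINS = {"bankofamerica.com", "microsoft.com", "example.com"}

# Letter sequences that read as another letter in many fonts; the page's own
# example is 'rn' passing for 'm'. Constructed table, not exhaustive.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize(label: str) -> str:
    """Collapse confusable sequences so 'arnerica' compares equal to 'america'."""
    label = label.lower()
    for seq, repl in CONFUSABLES:
        label = label.replace(seq, repl)
    return label


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches dropped, added or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Keep the last two labels: 'www.verify-microsoft.com' -> 'verify-microsoft.com'.
    Simplification: ignores multi-part public suffixes such as .co.uk."""
    return ".".join(domain.lower().strip().split(".")[-2:])


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known domain this one imitates, or None if it is known or unrelated."""
    d = registrable(domain)
    if d in KNOWN_DOMAINS:
        return None
    d_name = d.rsplit(".", 1)[0]
    for known in sorted(KNOWN_DOMAINS):
        k_name = known.rsplit(".", 1)[0]
        # Brand name embedded in a made-up domain: verify-microsoft.com
        if k_name in re.split(r"[-_]", d_name):
            return known
        # Confusable characters or a one/two-letter typo: bankofarnerica, mircosoft
        if edit_distance(normalize(d_name), normalize(k_name)) <= 2:
            return known
    return None


def check_sender(from_header: str, my_address: Optional[str] = None) -> List[str]:
    """Red flags for one From: header value; my_address is the recipient's own address."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["sender: no parseable address"]
    flags = []
    if my_address and addr.lower() == my_address.lower():
        flags.append("sender: message claims to come from your own address")
    # The display name is free text, so an attacker can put a trusted-looking
    # address there while the real address is something else entirely.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and shown.group(0).lower() != addr.lower():
        flags.append(f"sender: display name shows {shown.group(0)} but real address is {addr}")
    domain = addr.split("@", 1)[1]
    target = lookalike_of(domain)
    if target:
        flags.append(f"sender: {domain} imitates {target}")
    return flags


if __name__ == "__main__":
    # Constructed header values for the demonstration.
    for header in ('"helpdesk@microsoft.com" <helpdesk@mircosoft.com>',
                   "Security Team <alerts@bankofarnerica.com>",
                   "Alice <alice@example.com>"):
        print(header, "->", check_sender(header, my_address="alice@example.com"))
```

The check only looks at the visible address; it does not verify SPF, DKIM or DMARC results, so a passing header is still only a starting point, as the page itself notes.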
Is the subject line irrelevant, does it not match the message content, or is the email a reply to something you never sent or requested? - Red Flags!
Is the email requesting sensitive information? Legitimate companies will not send you an email asking for passwords, credit card information, credit scores, or tax numbers. Phishing scams will also typically use generic greetings such as ‘Dear customer’, ‘Valued member’, or ‘Account holder’, and some hackers will simply avoid the salutation altogether. This is especially common with ads.
Are there misspellings and typos? How is the grammar, and is the tone appropriate? Real companies know how to spell. One of the easiest red flags to spot is bad grammar; emails from legitimate companies will be well written.
Other Red Flag content to look for:
- Emails promising a lot of money for little or no effort.
- Asking you to provide money upfront for questionable activities, a processing fee, or the cost of expediting the process.
- Asking for an account number, other personal financial information, or passwords, or to “Click the link below to gain access to your account.”
- Emails stating that if you don’t respond within xx hours, your account will be closed.
- An email letting you know that if you fail to do xxx, your account may automatically be deactivated.
- Telling you their investigation shows that your email address is compromised.
One of the most common techniques for circulating computer viruses and other malevolent software (malware) is through email attachments. If opened, malicious attachments can give someone complete access to your device, opening the door for attacks on your whole network or giving access to all the contacts and data found in your address book. Pay close attention to attachments; they may show an unusual icon or extension, especially ones like .pif, .scr, .exe, or .zip. Do not click on them! - Red Flags!
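The remaining checks above (an unusual send time, a ‘RE:’ subject that replies to nothing, a generic greeting, urgency wording, link text that does not match where the link actually goes, and attachments with risky extensions) can be run automatically over a raw message, which is how a mail gateway or a help desk triage script would apply them. The Python below is an added example, not code from the original post; it goes beyond the text by combining all of those checks in one pass. It uses Python's standard email parser on a constructed sample message, and the business-hours window, the regular expressions, the risky-extension list taken from the paragraph above and the flag wording are assumptions made for the demonstration.

```python
import re
from email import message_from_string, policy
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample message for this demonstration; not a real capture.
SAMPLE = """From: "IT Support" <helpdesk@example.com>
To: alice@example.com
Date: Tue, 02 Jun 2020 03:12:44 -0400
Subject: RE: your invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear customer,</p>
<p>Your account will be closed within 24 hours unless you visit
<a href="http://login-verify.example.net/x">https://portal.example.com/login</a>.</p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

RISKY_EXTENSIONS = (".pif", ".scr", ".exe", ".zip")   # the extensions named on the page
GENERIC_GREETINGS = ("dear customer", "valued member", "account holder")
URGENCY = re.compile(r"within \d+ hours|account will be (closed|deactivated)|is compromised", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BUSINESS_HOURS = range(6, 20)   # assumption: 06:00-19:59 in the sender's own time zone


def host_of(s: str) -> str:
    """Hostname of a URL or of a bare domain such as 'www.example.com'."""
    s = s.strip()
    if "://" not in s:
        s = "//" + s
    return (urlparse(s).hostname or "").lower()


def link_flags(html: str) -> list:
    """Anchor text that looks like an address but points somewhere else (hover check)."""
    flags = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if re.fullmatch(r"\S+\.\S+", text) and host_of(text) != host_of(href):
            flags.append(f"link: text says {host_of(text)} but goes to {host_of(href)}")
    return flags


def triage(raw: str) -> list:
    """Return the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    # Sent at an unusual hour (the page's 3 a.m. example), judged in the sender's zone
    sent = parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else None
    if sent and sent.hour not in BUSINESS_HOURS:
        flags.append(f"time: sent at {sent:%H:%M} sender-local time")

    # Claims to be a reply, but carries none of the headers a real reply would
    subject = str(msg["Subject"] or "")
    if re.match(r"\s*re:", subject, re.I) and not (msg["In-Reply-To"] or msg["References"]):
        flags.append("subject: 'RE:' with no In-Reply-To/References header")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    plain = re.sub(r"<[^>]+>", " ", text).lower()

    if any(g in plain for g in GENERIC_GREETINGS):
        flags.append("greeting: generic salutation")
    m = URGENCY.search(plain)
    if m:
        flags.append(f"urgency: '{m.group(0)}'")
    flags.extend(link_flags(text))

    # Attachments with executable or archive extensions
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"attachment: {name}")
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print(flag)
```

Each flag is a hint rather than a verdict; a legitimate overnight notification or a genuine zip file will trip a single check, so the value is in several flags landing on the same message, which is exactly the judgement the page asks the reader to make by hand.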
When in doubt, contact the company directly using contact information obtained from their actual website (not the email). Typically, genuine companies will not randomly send you emails with attachments, so never open unusual attachments or attachments from strangers.
The Bottom Line
Remember, if it ever doesn’t seem right, it probably isn't. Even if you have the most secure network in the world, it only takes one untrained employee to be fooled by a phishing scam. This opens the door for cybercriminals to steal everything you are trying so hard to protect.
DOWNLOAD our Social Engineering Red Flag Guide to spotting phishing emails. We also offer quarterly cybersecurity training to help you stay cyber-smart, and keep you up to date on the latest threats and precautions. By training your staff how to be vigilant and use their cyber-smarts, you can greatly reduce your risk of falling for a Phishing Scam and risking a cyberattack.