6 Ways to Identify Phishing Attack Emails
Staying alert to an increasingly targeted threat
The process of cybercriminals sending emails that appear to come from legitimate companies or individuals in order to gain access to private data (bank account numbers, passwords...) seems like one of the oldest forms of internet criminality. So why is it still so prevalent? Simply — because it still works.
Whether you are an IT engineer, a CTO or a complete tech novice, phishing attack emails still pose a significant threat because the mistake of one can impact every user account across the business. Even those who think they would spot one with ease are sometimes more at risk because the level of sophistication and targeted nature of these attacks are on the rise.
So given the similarities between genuine branded emails and phishing attacks, how can individuals recognize phishing attempts and avoid falling for them?
1. Look for Mismatched URLs and Redirects
Phishing attack emails often display links within the body of the fraudulent messages. Sometimes, people may see the address spelled out in the body, then notice the target address is different when they put their cursors over the link before clicking it. In other cases, individuals might get redirected to strange websites after clicking on links in messages.
Both of these scenarios are warning signs that a message is an attempt at phishing.
2. Beware of Messages Conveying Unusual Urgency
A common quality of phishing attack emails is that they try to get people to behave haphazardly and not think through their actions. Sometimes, the approach is to tell recipients that they've won prizes and have to act fast to claim them before it's too late. Or, the criminals might warn that people will have their accounts closed down unless they provide information immediately.
'If colleagues are sending blank correspondence with attachments or links, it is advised they include a personal note and email signature to help validate their message.'
3. Think Before Responding to Unauthorized Account-Related Emails
People who orchestrate phishing scams frequently try to lure their victims by mentioning how their accounts showed suspicious activity and got suspended. They continue by saying that people need to provide information to restore full functionality. Frequently, the fields for choosing and confirming new passwords appear directly in phishing attack emails.
Google is among the reputable sites that ask users to reset passwords after unusual activities on accounts. However, a primary difference between those correspondences and the ones sent by criminals is that the real ones advise recipients to log into their accounts and change their passwords — outside of their email interfaces. Additionally, many companies remind users that they'll never ask for passwords in emails. Therefore, seeing such requests should equal automatic red flags in the minds of people checking their inboxes.
4. Be Suspicious of Messages Warning of Severe Consequences for Inaction
Hackers perpetually look for creative ways to impersonate unsuspecting users. Analysts believe there's even a risk of voice impersonation attempts with smart speakers and other devices that have microphones. There's already a tactic called vishing, where attackers threaten people with phishing messages over the telephone.
But when cybercriminals send out phishing attack emails, they might try impersonation in another way. The IRS published a warning about how scammers could send emails and pose as tax officials who tell victims they have to pay Uncle Sam or risk huge fines. This tactic is similar to the one where criminals say people must act fast to claim prizes or avoid account closure. This scam coerces individuals into paying supposed tax debts through wire transfers. They may also threaten law enforcement involvement unless people respond within certain time frames.
The IRS does not use email to communicate with taxpayers. It typically uses postal mail and, in rare circumstances, makes in-person visits.
5. Check for Spelling and Grammar Mistakes
Phishing attack emails exist globally, which means they may originate from people who speak languages other than English. When cybercriminals target businesses operating in English-speaking countries, they may not have the knowledge necessary to correct misspelled words or grammatical errors in emails.
Typos can happen to anyone who sends emails, but most legitimate companies have people who proofread before distributing content.
6. Beware of minimalism
Given the amount of red flags thrown up by errors or inconsistencies in the text or content of a phishing email, some perpetrators hope to avoid giving the game away altogether by limiting text to a few words or none at all.
A blank email with an attached document, seemingly from a trusted colleague, can seem innocuous in its simplicity and commonality. After all, how often do we send these types of emails to each other every day? An attacker may use this method in conjunction with a compromised account and generic document name to further encourage a recipient to click.
Ultimately, these types of minimalist emails should be avoided unless the sender ID can be verified. If colleagues are sending similarly blank correspondence with attachments or links, it is advised they include a personal note and email signature to help validate their message.
'As the threat sophistication grows, so must we — as a collective — increase our sophistication in implementing best cyber security practice.'
How to Avoid Phishing Attempts
If you want to keep your company and information safe, you'll want to take advantage of the following:
- Training: Teach employees to recognize fake emails. A study centered on how phishing affects C-suite executives mentioned a statistic that 94 percent of people couldn't tell the difference between a phishing email and a real one across all the times they were asked.
- Browsers: Type URLs directly into browser address bars instead of relying on email links.
- Phone calls: When possible, take the time to contact the supposed senders of unusual emails by phone instead of reacting in haste.
- Skepticism: Don't assume that just because an email features a company's graphics and fonts, it's real.
- Caution with email: Never enter details into a form contained in an email. If a received email mentions needing to change account details due to information getting compromised, always go directly to the website, then log in to the account from there. Again, do not depend on links in an email. They can take people to fraudulent sites through redirects.
Knowledge Leads to Better Protection
Phishing attack emails can get sent to anyone at a business, but knowing how to spot them and taking steps to avoid them can help to protect all organizations. As the threat sophistication grows, so must we — as a collective — increase our sophistication in implementing best cyber security practice.