Phishing emails are a real problem for today’s businesses, which makes it critically important that you and your team can identify them as they come in. Let’s touch on a few reliable indicators that a message isn’t a legitimate one.
What Makes Phishing Attacks So Bad?
One of the largest threats inherent in a phishing scam is that there is a relatively low barrier for entry. There’s a tendency to romanticize hackers somewhat, picturing them in dark rooms lit only by an array of computer monitors as their fingers dance across their keyboard. While cinematic, this imagery is grossly inaccurate. In truth, hacking has trended more towards the psychological, focusing on user manipulation over fancy programming skills.
Which sounds easier to you, learning how to pick a lock, or asking someone for their keys?
Phishing attacks are not only easier on the cybercriminal, they’re also effective. It’s easy to be fooled by a legitimate-looking email or website, especially when you aren’t anticipating being scammed.
Let’s say someone poses as your bank. At first glance, there may be every indication that the email they send is legitimate. A quick look at the sender’s address may pass muster, the bank’s logo and contact information may be present, even any filters you have set up to organize your emails may work.
At a glance, all may be in order… which is exactly how many phishing emails will get you.
While phishing emails themselves aren’t usually dangerous, they contain links to risky and insecure websites or have nefarious files attached to them. Generally, these elements are where the danger lies.
Spotting a Phishing Attack
Let’s go through a step-by-step process to check any email that you may receive. The first sign of phishing can be found in its tone: if it has a too-good-to-be-true offer, is overly urgent, or is requesting information about one of your accounts unprompted, you’re right to be suspicious.
Check all links to confirm they direct to a legitimate URL. DON’T CLICK THEM. For example, if the email were from Amazon, links would most likely lead back to amazon-dot-com. However, anything added between “amazon” and “dot-com” is a sign of trouble. Furthermore, the dot-com should be immediately followed by a forward slash (/).
Let’s go through a few examples to demonstrate how important the little details of a URL can be, using PayPal as our subject.
- paypal.com – Safe
- paypal.com/activatecard – Safe
- business.paypal.com – Safe
- business.paypal.com/retail – Safe
- paypal.com.activatecard.net – Suspicious! (notice the dot immediately after PayPal’s domain name)
- paypal.com.activatecard.net/secure – Suspicious!
- paypal.com/activatecard/tinyurl.com/retail – Suspicious! Don’t trust dots after the domain!
Check how the email address appears in the header. If you ever receive an email from Google, the address isn’t going to be “gooogle@gmail-dot-com”. If you’re unsure, throw any email addresses into a quick search for legitimacy.
Be wary of any attachments. As we mentioned above, most email-borne threats are going to be transmitted as an infected attachment, or as a link to a malicious website. If an incoming email has either a link or an attachment, exercise caution.
Don’t take password alerts at face value. Some scammers will use phishing emails to steal your credentials. Stating that your password has been stolen or some similar breach has occurred, the email will prompt you to supply your password—springing the trap.
If all this sounds like we’re telling you to wonder if any of your emails are legitimate, it’s because we are, in a way. With a healthy sense of skepticism, email and email correspondence can be very useful business tools. Many phishing attempts can also be weeded through with a reliable spam-blocker as well.
Want us to assist you with your email security? Call up our team of professionals by dialing (505) 242-5683.