Phishing emails are becoming a major problem in today’s society. People continue to fall victim to phishing scams because they have become so sophisticated in the way they entice recipients to provide their data; however, it must be said that many of us have become far too trustworthy of brands we recognise.
Emails from malicious senders masquerading as a familiar, trusted provider, such as your bank, Amazon, PayPal, eBay, HMRC and even your IT administrator, have become commonplace. They might refer to an issue you’re not aware of, an order you haven’t made or fictitious moneys you are due.
A phishing email will try to obtain sensitive information from you – be that login details for an online account or your personal details. Cybercriminals use this information for committing fraud, identity theft and extorting their victims. Whilst the cost of falling victim to a phishing email can vary, the risk should always be treated as very high.
When opening and interacting with emails, users must exercise diligence. If an email looks suspicious or unusual – even if it appears to come from a known person or organisation – confirm its authenticity through other means, before interacting with it. Working with a Managed IT Service Provider (MSP) makes this quicker and easier to do, with experts on hand to assess the situation.
We have broken down the process into some easy-to-follow tips to help you avoid unwittingly giving these cybercriminals what they want.
Tip 1 – Are phishing emails asking for personal information?
Emails that ask you for your details or to log in to an online account are always worth double checking.
Remember, no bank or financial institution will ask you to share your key personal information via email, or even phone. So, if you get an email where they ask for your PIN or your e-banking password, something’s amiss!
Tip 2 – Do the links appear genuine?
Phishing emails nearly always contain a link that you are asked to click on. You should verify if the link is genuine. Here are a few things to look for:
- Spelling: Check for misspellings in the link or URL. For example, if your bank’s web address is www.barclays.co.uk, a phishing email could misspell it as www.barclaysbank.co.uk or www.barcleys.co.uk. The changes are often only very slight, so you must be vigilant in checking these
- Disguised URLs: Sometimes, URLs can be disguised. This means while they look genuine, they ultimately redirect you to a fraudulent site. You can recognise the actual URL by hovering your mouse cursor over the link and waiting for the true link address to display, or you can right click on the URL and select the ‘copy hyperlink’ option and pasting the hyperlink in a notepad file, but NEVER EVER paste the hyperlink directly into your web browser
- URLs with ‘@’ signs: If you find a link in an email that includes the ‘@’ sign, steer clear of it even if it at first glance it seems genuine. Browsers ignore URL information that precedes an ‘@’ sign. That means, the URL firstname.lastname@example.org will take you directly to the phishing website and not the Barclays Bank web page
Tip 3 – Other tell-tale signs
Apart from identifying fake URLs, there are other tell-tale signs that help you identify fraudulent emails. Some of these include:
- Emails where the main message is in the form of an image – this may take you to a malicious URL
- Never open an attachment from an unknown source, it may contain viruses that can harm your computer and network
- The message seems to urge you to do something immediately. Scammers often induce a sense of urgency in their emails and threaten you with consequences if you don’t respond. For example, your iTunes account will be closed if you don’t verify your PIN or password
Educating your staff of the threat from phishing emails is one of the best defences. You could even test every month by sending out a test email and see who clicks on a link they shouldn’t do or opens the attachment. You can then discuss this with them proactively and provide further training to those who need a helping hand.
You should also consider Microsoft Advanced Threat Protection (ATP) service is you use Office 365. This is a real-time protection service that will intercept malicious email and replace unsafe links and attachments, so your business is better protected even if a user gets duped into clicking on a link. It’s a low-cost solution that can be easily added and potentially save you from falling victim of a phishing scam and all the serious issues this brings.