Cybersecurity Tips: How to Identify Malicious Phishing Email Scams

Posted on Jun 1, 2020 12:36:38 PM

An increasing amount of the work that we do as small and medium-sized businesses is performed over the internet, particularly with the increase in teams working remotely. Whether it’s sending an email to a client, selling a product online or talking to employees, we are constantly communicating with both individuals and organizations online.

This reliance on the internet, without proper precautions, opens organizations up to cybercrime, and in particular to phishing. According to Verizon's 2019 Data Breach Investigations Report, phishing was involved in 32 percent of corporate data breaches and in a staggering 78 percent of cyber-espionage incidents.

Phishing emails have been around for years, and they remain in use for a simple reason: they keep working. In this post we explain what you and your staff need to know to recognise a phishing email, as part of your small business cybersecurity.

What is a phishing email?

A phishing email is an online scam in which a criminal sends a message that appears to come from a legitimate company or a trusted contact and asks you to provide sensitive information, such as login credentials or payment details. Usually this is done through a link that appears to take you to the company's website, where you are asked to fill in your information.

This website, however, is a clever fake and the information that you provide will go directly to the criminals behind the scam.

A phishing email may also carry attachments which, when opened, install malware on your PC or device. It is therefore vital that everyone in your organization is vigilant and cautious when opening emails, attachments and links.

To help prevent your organization falling prey to such online scams, OT Group has developed five tips that will help you to better identify phishing emails:

1 - The message is sent from a public email domain

Be particularly wary of an "organization" that asks you to open an invoice or attachment, or to visit a link, from a public webmail domain such as @gmail.com. Few legitimate organizations contact their customers from a public domain.

With the exception of any independent freelance workers that your company partners with, the vast majority of organizations will have their own email domains and business accounts. For example, legitimate emails from Google will come from @google.com not @gmail.com.

A domain name (the bit after the @ symbol) that matches the apparent sender is a necessary sign of legitimacy, not a sufficient one. The From address shown in your mail client can be forged outright; only your mail server's sender-authentication checks (SPF, DKIM and DMARC) tell you whether that domain actually vouched for the message. To find an organization's real domain, type the company's name into a search engine rather than trusting the address in the email, and compare the two.

2 - The domain name is misspelled 

There's one more clue hidden in domain names that gives a strong indication of whether an email is a phishing attempt: a misspelled domain. Unfortunately, this complicates our previous tip of checking a company's domain name.

The huge problem is that anyone can buy a domain name from a registrar. Every domain name must be unique, but there are plenty of ways that scammers can create addresses that are almost indistinguishable from the genuine email address. 

Simple misspellings - such as xxxxx@gmai.com, xxxxx@yaho.com, xxxxx@htmail.com or xxxxx@walmart.cm - can make an address look legitimate when it is not. So can character swaps that read the same at a glance (rn for m, 0 for o, 1 for l), and a genuine brand name placed in front of an unrelated domain, as in the made-up xxxxx@walmart.com.invoice-portal.example, where the real domain is the part at the end.
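The two sender-domain checks above (public webmail domain, lookalike domain) plus the authentication caveat can be automated. The following is an added example and not OT Group's code: the list of known partner domains, the homoglyph table and the sample messages are all constructed assumptions for illustration, and the registrable-domain helper is deliberately simplistic.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Domains this hypothetical business deals with (an assumption for the example).
KNOWN_DOMAINS = {"otgroup.example", "google.com", "walmart.com", "microsoft.com"}
# Free webmail providers: few organisations send invoices from these.
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
REFERENCE = KNOWN_DOMAINS | PUBLIC_WEBMAIL

# Digit-for-letter swaps, and letter pairs that read as a single glyph.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalise(domain):
    """Fold homoglyphs so a lookalike collapses onto the spelling it imitates."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    d = d.translate(HOMOGLYPHS)
    for pair, single in PAIRS:
        d = d.replace(pair, single)
    return d


def edit_distance(a, b):
    """Levenshtein distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Last two labels: fine for .com-style TLDs, wrong for co.uk-style suffixes
    (use a public-suffix list for those)."""
    return ".".join(domain.split(".")[-2:])


def triage_sender(raw_message):
    """Return a list of findings about the From address; empty means nothing flagged."""
    msg = message_from_string(raw_message)
    _display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    if not domain:
        return ["no parseable sender address"]

    findings = []
    if domain in PUBLIC_WEBMAIL:
        findings.append(f"public webmail domain: {domain}")

    reg = registrable(domain)
    if reg in REFERENCE:
        # Exact match (or a subdomain such as accounts.google.com). The visible
        # From header is trivially forged, so this only counts if the receiving
        # server's Authentication-Results header (RFC 8601) shows the domain
        # actually vouched for the message via SPF, DKIM and DMARC.
        results = " ".join(msg.get_all("Authentication-Results", [])).lower()
        not_passed = [m for m in ("spf", "dkim", "dmarc") if f"{m}=pass" not in results]
        if not_passed:
            findings.append(f"{reg} claimed but {'/'.join(not_passed)} did not pass")
        return findings

    norm = normalise(reg)
    for known in sorted(REFERENCE):
        if norm == normalise(known):
            findings.append(f"homoglyph lookalike of {known}: {domain}")
        elif edit_distance(norm, normalise(known)) <= 2:
            findings.append(f"near-miss spelling of {known}: {domain}")
        elif known in domain:
            # e.g. walmart.com.invoice-portal.example: the brand is just a label
            findings.append(f"{known} used as a subdomain of {reg}")
    return findings


# Constructed sample messages for the example; not real mail.
SAMPLES = {
    "overdue": "From: Walmart Billing <billing@walmart.cm>\nSubject: Invoice overdue\n\nPay today.\n",
    "glyph": "From: Accounts <ap@walrnart.com>\nSubject: New bank details\n\nSee attached.\n",
    "subdomain": "From: Walmart <ap@walmart.com.invoice-portal.example>\nSubject: Invoice\n\nOpen it.\n",
    "webmail": "From: Google Support <google.support@gmail.com>\nSubject: Verify your account\n\nClick here.\n",
    "spoofed": ("From: Google <no-reply@google.com>\n"
                "Authentication-Results: mx.example; spf=fail; dkim=none; dmarc=fail\n"
                "Subject: Password reset\n\nReset now.\n"),
    "legit": ("From: Google <no-reply@accounts.google.com>\n"
              "Authentication-Results: mx.example; spf=pass; dkim=pass; dmarc=pass\n"
              "Subject: New sign-in\n\nWas this you?\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} {triage_sender(raw) or 'no findings'}")
```

The edit-distance threshold of 2 is a trade-off: it catches dropped and swapped letters and the .cm-for-.com trick, but on very short domains it will also flag unrelated near neighbours, so treat the output as a prompt for a human look rather than a verdict.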

3 - The email is poorly written

Phishing emails often give themselves away through poor spelling and grammar. Many are clumsily written, which makes it easier to tell a one-off typo from a legitimate sender apart from a scam. Be aware, though, that targeted and well-resourced campaigns can be polished, so good writing on its own proves nothing.

Many phishing scammers are not native English speakers, so a top tip is to look for grammatical mistakes and odd word choices rather than spelling errors alone.

When crafting phishing messages, scammers often use a spellchecker or machine translation, which gives them all the right words but not necessarily in the right context.

4 - It includes suspicious attachments or links

Phishing emails come in many forms and layouts, but they all carry a payload: either a malicious attachment you are asked to download and open, or a link to a bogus website that asks for sensitive information.

A malicious attachment is a seemingly benign document that entices the reader to open it. Once opened, it runs malware on the reader's computer, which can do anything from stealing saved passwords to encrypting your files. A document that asks you to "Enable Content" or enable macros before it will display is a particular warning sign.

Never open an attachment unless you are confident the message is from a legitimate party. If in doubt, confirm with the sender through a channel other than the email itself, such as a phone number you already have on file.

Spotting a suspicious link can be just as tricky. The giveaway is that the link's real destination doesn't match the text of the link or the context of the email: the message talks about your bank, but the address points somewhere else entirely. Unfortunately, links in phishing emails are often disguised as a button, or as text that reads like a legitimate address.

To avoid falling for this, train yourself to check where links go before opening them. On a computer, hover your mouse over the link without clicking and the destination address appears in a small bar along the bottom of the browser or mail client; on a phone, a long press usually shows the same. Look at the domain in that address rather than at the link text. Shortened links (bit.ly and similar) and redirect links hide the real destination, so treat those as unknown rather than verified.
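The hover check compares where a link says it goes with where it actually goes. The block below does that comparison over an HTML email body, and also flags the tricks that a quick glance at the status bar misses: a username before the host (the browser goes to whatever follows the @), a bare IP address, and a punycode host. It is an added example and not OT Group's code; the sample HTML and every host in it are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a hostname inside the visible link text.
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def inspect_link(text, href):
    """Findings for one link; an empty list means nothing obviously wrong."""
    parts = urlsplit(href.strip())
    if parts.scheme not in ("http", "https"):
        return [f"non-web link scheme: {parts.scheme or 'relative'}"]
    host = (parts.hostname or "").lower()
    findings = []
    if parts.username is not None:
        # https://paypal.com@evil.example/ : the browser goes to evil.example
        findings.append(f"credentials before host; real host is {host}")
    try:
        ipaddress.ip_address(host)
        findings.append(f"bare IP address as host: {host}")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        findings.append(f"punycode host (possible IDN lookalike): {host}")
    shown = DOMAIN_RE.search(text)
    if shown:
        shown_host = shown.group(0).lower()
        if shown_host != host and not host.endswith("." + shown_host):
            findings.append(f"text says {shown_host} but link goes to {host}")
    return findings


def inspect_html(html):
    """Run inspect_link over every anchor; returns (text, href, findings) triples."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text, href, inspect_link(text, href)) for text, href in collector.links]


# Constructed sample body; none of these hosts are real destinations.
SAMPLE_HTML = """
<p>Your account has been suspended. Restore it at
<a href="https://www.walmart.com.account-verify.example/login">https://www.walmart.com/account</a></p>
<p><a href="https://paypal.com@203.0.113.7/secure">Confirm your details</a></p>
<p><a href="https://xn--wlmart-xya.example/">walmart.com</a></p>
<p><a href="https://www.google.com/settings">https://www.google.com/settings</a></p>
<p><a href="https://accounts.google.com/">google.com</a></p>
"""

if __name__ == "__main__":
    for text, href, findings in inspect_html(SAMPLE_HTML):
        print(f"{text[:32]!r:36} -> {href}")
        for finding in findings:
            print(f"    ! {finding}")
```

The last two sample links show the check staying quiet when the text and destination agree, including a legitimate subdomain of the named site. Link text that is not a URL ("Confirm your details") cannot be compared, which is exactly why the other checks are needed.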

5 - The message creates a sense of urgency

The most obvious sign of a phishing email is that it demands you act now, or else it will be too late.

Urgency is one of the main ways phishing scams lure people in, and these messages often come across as far more demanding than a legitimate email. That's because scammers know that most of us procrastinate: we receive an email with important news and decide we'll deal with it later.

The longer you think about something, however, the more likely you are to notice things that don’t seem right.

Maybe you realize that the organization doesn’t contact you by that email address, or you speak to a colleague and learn that they didn’t send you a document. Even if you don’t get that ‘aha’ moment, coming back to the message with a fresh set of eyes might help reveal its true nature.

How should your company proceed with malicious emails?

If you receive emails that appear to carry malicious attachments or intent, don't click anything and don't forward the message to colleagues; advise your management so they can decide how best to proceed. Alternatively, contact OT Group - we are always here to help.

To receive our help on phishing emails, simply contact our team of experts by phone or email.


Topics: Technology Trends, Network Security
