6 Tips and Tricks to Spot a Phishing Email
A report released by INTERPOL in early August shows that phishing has accounted for 59% of cyberattacks exploiting fears around COVID-19 in the first four months of 2020. It is no secret that COVID-19 has been seen as an opportunity by many cybercriminals to conduct phishing attacks. Criminals are using the confusion and misinformation associated with the COVID-19 pandemic to their benefit.
In our work with clients, we have found that the original source of a cyberattack is typically a phishing email. Phishing isn’t a new phenomenon; it is one of the most commonly known and widely used forms of cyberattack, quite simply because it works.
It is becoming increasingly difficult to spot a phishing email, as cybercriminals have moved on from the original spam emails. We all know those: many of us have received these early phishing emails daily and can spot them a mile off. However, we are continuously asked how to spot a modern phishing email.
Unfortunately, it is not an exact science, as cybercriminals are continuously changing the structure of their phishing emails and some are far more sophisticated than others. However, the guidance below, if applied to every suspicious email, will help you root out the majority of malicious emails.
1. The email requests personal information
With cybersecurity and cyber awareness becoming more prominent, organisations typically don’t ask for your personal information in an email. Hackers can go to extraordinary lengths to make an email look legitimate, as if it actually came from a bank or revenue office, for example.
Your bank or revenue office would never ask you to send personal information such as account details or login credentials in an email. If you receive an email that you think may genuinely be from your bank, the revenue office or any other reputable business, but you are unsure, search online and contact the organisation directly. Never use any contact method provided in the email, as it could also be compromised.
2. The email domain is suspicious
One of the main giveaways of a phishing email can be a suspicious email domain. For example, if you receive a legitimate-looking email from a company you recognise but the domain is incorrect, for example @gmail.com, this would be a cause for concern. Not many organisations would send an email from a domain ending in ‘@gmail.com’. If you receive an email from a company you know and the sender is firstname.lastname@example.org, the best way to check whether it is correct is to visit their website, but not by clicking a link in the email: Google the company and visit only the official website. More often than not their info or contact email will show their true domain.
Another tool employed by hackers is misspelling a domain name to catch you off guard. You should always check the domain of the emails you receive, especially if one arrives out of the blue and you weren’t expecting it. At first glance it may look normal; however, always double-check that the email domain is spelt correctly, because a misspelt domain is easy to miss at a glance. For example, you could receive an email from email@example.com and everything looks fine (the branding, company details, staff name and role); however, our email is actually firstname.lastname@example.org.
Did you spot the spelling mistake in the first email domain?
If you didn’t, don’t worry; I’m sure you weren’t the only one. This highlights the importance of double-checking email domains even from companies you recognise: they may look fine at a glance, but it only takes two minutes to review the domain and make sure it is correct.
3. The email contains a suspicious attachment
The end goal of every phishing email is to exploit a vulnerability. That may take the form of duping an unsuspecting victim into sharing personal information. However, some phishing emails carry malicious payloads, such as malware designed to infect a company’s infrastructure. These payloads come in many forms, including documents the victim is asked to open, and can be disguised as any number of things, such as a form you need to complete and send back or an invoice.
If you have received an attachment from a sender you aren’t familiar with, it is advised that you don’t open it: once you do, it may unload the malware, which could begin to take over your systems. If you are unsure about an attachment, either send it to your IT team to review, or contact the sender directly by phone (not using any number in the email; Google the official number instead) and ask them to confirm the attachment before you attempt to open it.
4. The email contains a suspicious link
As well as suspicious attachments, some emails contain suspicious links which, when clicked, redirect you to a fake webpage created by the cybercriminal. These webpages can include forms used to harvest your personal information, such as login credentials, banking information or phone numbers. Often they look identical to the page you are supposed to be logging into. For any link sent in an email you’re unsure of or weren’t expecting, we recommend that you Google the official website and log in through that; never follow links in emails you are unsure of.
If you receive an email with a link embedded in it, hover over the link before clicking it. This shows you the destination URL; if that URL seems out of place, it is likely to be malicious and you shouldn’t click it.
For example, if you received an email from us with a link, it would take you to our website and the URL should contain secoraconsulting.com; if the URL pointed anywhere other than the expected site, that would be a red flag.
To avoid falling for malicious links, check every link by hovering over it before you click. This very quick exercise could be the difference between falling victim to a scam and not.
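Tips 2 and 4 above can be turned into a simple triage check. The following is an added example, not code from the original post or from Secora Consulting: it reads a raw email, flags a sender domain that is one or two letters away from a domain you trust (the misspelt-domain trick), and lists every link whose real href destination is not on a trusted domain (what hovering would reveal). The TRUSTED set and the SAMPLE message are constructed for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains your organisation actually deals with.
TRUSTED = {"secoraconsulting.com", "example-bank.com"}

def levenshtein(a, b):
    """Edit distance, used to catch one-letter-off lookalike domains (tip 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """The trusted domain this sender domain imitates, or None if it is trusted/unrelated."""
    if domain in TRUSTED:
        return None
    return next((t for t in TRUSTED if levenshtein(domain, t) <= 2), None)

class _Links(HTMLParser):
    """Collect href targets: the real destination you would see on hover (tip 4)."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def triage(raw):
    """Return the lookalike verdict for the sender and any links leaving trusted domains."""
    msg = message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    html = msg.get_body(preferencelist=("html",))
    parser = _Links()
    if html is not None:
        parser.feed(html.get_content())
    bad = [h for h in parser.hrefs if urlparse(h).hostname not in TRUSTED]
    return {"lookalike_of": lookalike_of(domain), "bad_links": bad}

# Constructed sample: sender domain has "l" for "i", link text hides a lookalike host.
SAMPLE = """From: Accounts <invoices@secoraconsultlng.com>
Content-Type: text/html

<p>Pay now: <a href="http://login.exarnple-bank.com/x">example-bank.com</a></p>
"""
```

Running `triage(SAMPLE)` reports the sender as a lookalike of secoraconsulting.com and lists the hidden login link, even though the visible link text looks like the bank's own domain.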
5. The email contains a threat or sense of urgency
If you receive an email that includes a deliberate sense of urgency or a threat, it is likely to be a scam. Scammers don’t want you to ponder the email for too long in case you spot an inconsistency or doubt its legitimacy.
For example, you could receive an email posing as another firm’s accounts department demanding that you pay immediately; this is unlikely to be genuine. If you had an overdue invoice, you would more likely receive a phone call asking when it would be paid or why it was delayed. Very few firms send an email demanding immediate payment, so it is always wise to double-check if you receive one, as acting on a whim could be a major mistake.
6. The email is extremely informal
Very few companies email their customers or potential clients in an informal manner. The whole profession of lead generation is built around gaining trust and developing relationships with potential clients.
If you receive an email from a company you are a customer of that opens with ‘Dear Client’ or ‘Dear Customer’ then you should be cautious.
For example, your bank is never going to email you saying ‘Dear Customer’ or ‘Dear Account Holder’; why would it? If the email genuinely came from the bank, they would have your details. They would know your name, so it is highly unlikely they would address you so impersonally.
If you receive an email with an opening like the above, it is best practice to treat it as suspicious: contact the sender directly by phone (after Googling their details) and ask whether they sent it.
As a general rule of thumb, we tell our clients they should always err on the side of caution when it comes to emails and phishing attempts. These are only a few ways to spot phishing emails; unfortunately, cybercriminals are getting extremely good at targeting their malicious emails, and some are incredibly difficult to spot, so you should always remain vigilant. If something doesn’t look right or looks out of place, treat it as suspicious until it is confirmed as legitimate, either by your IT department or by contacting the sender directly (after Googling their details). When in doubt, we recommend you always trust your gut; never assume all is fine if something seems out of the ordinary.
How can Secora Consulting help?
Phishing is a form of social engineering which relies on the goodwill or lack of awareness of people to steal sensitive data, including login credentials and bank details.
Secora Consulting was set up to assist you with your cybersecurity requirements. We understand the challenges your organisation faces and the importance of remaining secure.
Our social engineering assessments are a simulation of the real-world attacks your organisation is likely to encounter, to see if we can compromise the integrity of many aspects of your organisation through tailored phishing and telephone campaigns. Our service is not designed to “catch you out”; we are here to help you identify any gaps that may exist in your policies and procedures.
Our phishing campaigns are tailored to your organisation and the employees to replicate malicious emails you are likely to receive. All of our emails contain non-malicious code which will capture click rates, capture credentials and provide an ingress point to your internal network for any employees who open the email. We help your employees spot phishing attacks and improve their security awareness which in turn increases your organisation's resilience.
Are your staff security aware?
Make sure your staff know how to spot a phishing email before it is too late. Get in touch, to find out how our phishing assessments could help secure your organisation.
All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.
We have arranged our services into four groups based on the objective of the tests.