Phishing emails are the most common cyber-attack method in use today. Last year alone, over 75% of businesses reported they were the victims of a phishing attack. You may think the popularity of these scams has made them obvious to the average user, but this is not the case. Phishing emails have become more detailed, more on-brand, and more believable than ever before. According to Verizon, as many as 30% of phishing emails are opened.
Phishing has become such a large concern for businesses that our cybersecurity team offers Security Awareness Training to help clients pinpoint phishing dangers and the tell-tale signs to look for. Here are just a few little details that could cause a big headache for your business. (We’ve followed these up with our own go-to checklist you can return to whenever you’re in doubt.)
Look at the Subject & Sender
Before you even open an email, pay close attention to the subject and sender. Phishing emails typically employ scare tactics and urgent language to make a user click in such a panic that they don’t give the legitimacy of the message a second thought. Subject lines such as “Your Credit Card Has Been Denied,” “Your Profile is Locked,” or “Monitor Your Account” are typical examples.
Then, look at the sender. What is their domain? No legitimate business should send official email from a free consumer address such as @gmail.com. Even Google uses @google.com. Is the sender Amazon.com or Amazon.net? IRS.gov or IRS.com? Make sure the company name and its spelling are correct. A single swapped or added letter can be the only sign that the domain is fake.
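To make the sender check concrete, here is an added Python example (not KDG’s code or any tool it describes) that examines a From: header against a small list of trusted brand domains and reports the lookalike pattern it finds: a different top-level domain, look-alike characters, a one-letter change, a free consumer mail provider, or a display name that borrows a brand while the address does not belong to it. The trusted and free-mail domain sets, the homoglyph table and the sample headers are constructed assumptions for illustration; a real deployment would load the trusted list from your own mail policy.

```python
# Added example, not KDG's code: flag a sender address whose domain merely
# resembles a trusted brand's domain. The trusted set, the free-mail set and
# the sample From: headers below are constructed for illustration.
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = {"amazon.com", "irs.gov", "google.com"}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Brand words a display name may borrow ("Amazon Support", "IRS Refunds").
BRANDS = {d.split(".")[0] for d in TRUSTED_DOMAINS}
# Look-alike substitutions a hurried eye misses: amaz0n, arnazon, paypa1.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize(label):
    """Undo the substitutions in HOMOGLYPHS so 'amaz0n' compares as 'amazon'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance: how many single-character changes separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (name, tld); only the last label counts as TLD (no co.uk handling)."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def check_sender(from_header):
    """Return a reason the sender looks suspicious, or None if no pattern matched."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed address"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return None
    if domain in FREE_MAIL:
        return f"free consumer mail provider: {domain}"
    name, tld = split_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        tname, ttld = split_domain(trusted)
        if name == tname and tld != ttld:
            return f"TLD swap: {domain} imitates {trusted}"
        if normalize(name) == tname:
            return f"homoglyph lookalike: {domain} imitates {trusted}"
        if levenshtein(name, tname) <= 1:
            return f"one-character change: {domain} imitates {trusted}"
    # Whole-word match so "First National" does not trip on the brand "irs".
    for brand in BRANDS:
        if re.search(rf"\b{brand}\b", display.lower()):
            return f"display name borrows '{brand}' but domain is {domain}"
    return None


if __name__ == "__main__":
    for hdr in ["Amazon <no-reply@amazon.com>", "IRS <refund@irs.com>",
                "Amazon <help@amaz0n.com>", "Amazon Support <help@orders-center.net>",
                "Your Bank <alerts@gmail.com>"]:
        print(f"{hdr:45} -> {check_sender(hdr)}")
```

The order of the checks matters: an exact trusted match short-circuits everything, and a domain that is neither trusted nor a lookalike is reported as clean, because an unfamiliar but honest domain is not evidence of phishing on its own.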
Read the Content Carefully
If the subject and sender don’t appear suspicious and you open the email, read the body content carefully before clicking on any links. Check the salutation first. Does it use your first name? Does it use “Dear customer” or “Dear Valued Member”? Or does it skip the salutation altogether? A legitimate email from a company you do business with should address you by name.
Next, check out the contact information. Is there contact information? Be suspicious if the email doesn’t include a phone number to call.
As you scan the body content, look out for poor grammar or misspellings. Phishing emails are typically rife with punctuation errors. Then pay attention to what you’re being asked. Real companies will not send you an email asking for passwords, credit card information, bank account information, or social security numbers. If KDG needed any of that information, for example, we would request it via an encrypted, secure message, not an average email.
Pay Attention to the Branding
It may be hard to tell a phishing email apart from a real email in terms of branding. Many are nearly perfect, stealing a legitimate company’s colors and logo. However, some are easier to spot than others. Old branding is a tell-tale sign. Poor-quality images are another. Sometimes the email itself will look unlike anything you’ve received from that company before. Other times the email may be a single image that links out to a website. If an email shows any of these signs, delete it.
Inspect the URLs
Finally, inspect the URLs. Every phishing email carries a “payload”: a link or attachment intended to capture sensitive data such as passwords or credit card numbers. Check where a link or button really leads by hovering over it before you click; the visible text of a link and its actual destination can differ. Make sure it is directing you to a real URL for the company and not something like bit.ly or link346724-open=…
Never open an unsolicited attachment, especially if it is from someone you don’t know. When in doubt, contact the sender to have them verify the attachment’s legitimacy. Some of the world’s largest breaches began with phishing emails, so the few extra minutes spent verifying a message are worth the time.
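The hover check can be applied to a whole message at once. The following added Python example (again not KDG’s code) extracts every link from a constructed HTML email body and runs the checks described above: shortener hosts, a raw IP address in place of a domain, a fake host name placed before “@” so that the real host is hidden, unusually long URLs, and link text that shows one domain while the href points to another. The shortener list, the 120-character length threshold and the sample HTML are constructed assumptions; 198.51.100.7 is an address reserved for documentation, and the public-suffix handling is deliberately naive.

```python
# Added example, not KDG's code: pull every link out of an HTML email body and
# apply the hover-and-look checks automatically. The HTML below is a constructed
# sample; 198.51.100.7 is a documentation-reserved address, not a real host.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # assumed list
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
MAX_URL_LEN = 120  # assumed threshold for "odd or long URL"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive brand part of a host: the last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def inspect_link(href, text):
    """Return the reasons this link is suspicious; an empty list means clean."""
    parsed = urlparse(href)
    if parsed.scheme in ("mailto", "tel"):
        return []  # contact links are normal in business email
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if host in SHORTENERS:
        reasons.append("shortener hides the real destination")
    if IPV4.fullmatch(host):
        reasons.append("raw IP address instead of a domain")
    if parsed.username:
        reasons.append(f"'{parsed.username}@' is userinfo; the real host is {host}")
    if len(href) > MAX_URL_LEN:
        reasons.append("unusually long URL")
    shown = DOMAIN_IN_TEXT.search(text.lower())
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
    return reasons


def suspicious_links(html):
    """Parse an HTML body and return [(href, text, reasons)] for flagged links."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = inspect_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


LONG_QUERY = "x" * 150  # constructed padding that mimics a tracking blob
SAMPLE_EMAIL_HTML = f"""
<p>Dear Customer, your account is locked. Act now.</p>
<a href="https://www.amazon.com/gp/your-account">View your orders</a><br>
<a href="https://bit.ly/3abcDEF">Unlock now</a><br>
<a href="http://amazon.com@198.51.100.7/login">https://www.amazon.com/login</a><br>
<a href="https://verify.example.net/a?session={LONG_QUERY}">Monitor Your Account</a>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"[{text}] -> {href[:60]}")
        for reason in reasons:
            print("   -", reason)
```

Of the four links in the sample, only the first passes; the third link shows how a single href can trip three checks at once, and it is exactly the kind of link where the text you see and the place you land have nothing to do with each other.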
Your Phishing Protection Checklist
If you answer “yes” to any of the below, hit the delete button! Chances are you’re the recipient of a phishing email.
Does the subject line employ scare tactics?
Is the sender’s name or domain spelled incorrectly?
Does the email say “Dear Customer” or skip the salutation entirely?
Is the email missing contact information, like a phone number?
Does the email ask for sensitive information like passwords, bank accounts, or social security numbers?
Are there any typos in the email?
Are the images low-quality and blurry?
Do the logo and branding look old?
Does hovering over the link bring up an odd or long URL?
Is there an attachment you weren’t expecting?
Security Awareness Training from KDG
Our information technology and cybersecurity team has been helping clients pinpoint suspicious emails and keep attackers out for nearly two decades. If the possibility of a data breach has you worried, we encourage you to enroll in our Security Awareness Training. Every member of your team will receive regular tips, tricks, and hands-on cybersecurity practice. With webinars, random phishing campaigns, and regular reporting, you’ll have the tools and insights you need to keep you, your business, and your data safe.
If you’d like to learn more or enroll in our training, contact us.
Kyle David is the President and CEO of KDG. He has navigated the dynamic intersection of technology and business, advising both leaders and organizations, from Fortune 25 companies and professional sports leagues to innovative technology startups.