Phishing continues to be a major threat to businesses. According to Proofpoint’s 2023 State of the Phish, 84% of organizations fell victim to at least one successful phishing email in 2022, resulting in direct financial losses that are 76% higher than in 2021.
To mitigate the risks associated with phishing emails, your business must learn more about these attacks and their telltale signs.
What are phishing emails?
Phishing emails are deceptive messages that typically mimic the branding, logos, and email formats of legitimate individuals or organizations. These are sent by cybercriminals to trick recipients into giving up sensitive data, including login credentials, financial information, or personal details. Cybercriminals can then exploit such sensitive information to conduct identity theft, financial fraud, or other malicious activities.
What are some ways to spot a phishing email?
Here are some tips to help you and your employees spot a phishing email.
Check the sender's email address
The name that is displayed in your email application can be easily “spoofed”: anyone can set up a free account using your name or the name of one of your co-workers with a free email service. It is important to pay attention to the actual email address used on a message, not just the display name.
Cybercriminals often mimic the email addresses of legitimate organizations to make their fraudulent emails appear authentic. They may use slight variations or misspellings in the email address to deceive recipients. For example, they may send from a look-alike domain that spells "Amazon" with a zero in place of the letter "o," which is easy to miss at a glance.
To check the sender's email address, hover your mouse cursor over the sender's name or email address in the email header. A tooltip or a small pop-up will display the actual email address linked to that name. This allows you to verify if it matches the legitimate email address of the purported sender. Even if the email address checks out, emails can be forged or email accounts compromised, so pay attention to other clues that an email might be a phishing email.
Look for generic greetings or salutations
Legitimate organizations typically make an effort to personalize their communications with customers or clients. They often include your name or username in the email greeting to establish a sense of familiarity and authenticity.
On the other hand, phishing emails usually use generic greetings, such as "Dear Customer," "Valued User," or "Account Holder." This allows them to send out mass emails more easily. A generic greeting can be a clue that a message is suspicious.
Examine the email for spelling and grammatical errors
Unlike the proofread messages legitimate organizations send, phishing emails are often created hastily, so they may contain spelling or grammatical mistakes.
When reviewing an email, keep an eye out for misspelled words, inconsistent capitalization, poor grammar, and awkward sentence structure or phrasing. The sender may also use improper or overly formal language that doesn't align with the organization's usual communication style.
Beware of urgent or threatening language
Phishing emails usually try to create a sense of urgency or fear to prompt you into taking immediate action. They may say that your account has been compromised or that you will face consequences if you don't act promptly.
In such cases, it’s best to stay calm and verify with the supposed sender directly using their official contact information. Don’t use any contact details found in the email, as they may be fake.
Be wary of links and attachments in emails
Exercise caution when it comes to links and attachments in emails, especially those from unexpected or unknown senders.
To verify the authenticity of a link, hover your mouse cursor over any links in the email so you can see the actual URL. If the link doesn't match the official website address of the organization or looks suspicious, do not click it. Also, be cautious of shortened URLs, as they can hide the true destination URL.
Attachments deserve the same caution: do not download or open them, as they may contain malware that can compromise your computer or expose your personal information.
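The two hover checks described above (the real address behind a display name, and the real destination behind link text) can also be automated in a triage script or at the mail gateway. The following is an added example written for this article, not Fidelis code or a product feature: it parses a constructed sample message with Python's standard library, compares the sender's domain against an assumed allowlist of trusted domains using a simple look-alike normalization (a zero for "o", "rn" for "m"), and flags links whose visible text names a different host than the href or whose destination is a known URL shortener. The trusted-domain list, the shortener list and the sample message are all constructed for illustration.

```python
"""Heuristic phishing-indicator checks on a raw RFC 5322 message.

Added example for this article; not Fidelis code. TRUSTED_DOMAINS,
SHORTENER_DOMAINS and SAMPLE_EMAIL are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains this organization expects mail from.
TRUSTED_DOMAINS = {"amazon.com", "contoso.com"}
# Constructed list of URL shorteners that hide the true destination.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co"}
# Digits commonly swapped for letters in look-alike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Visible link text that itself looks like a URL or host name.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def normalize_domain(domain):
    """Map digit and letter-pair look-alikes back to the letters they imitate.

    Deliberately coarse: it is meant to catch amaz0n / arnazon, not to be a
    full Unicode confusables table.
    """
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None  # genuinely under a trusted domain (mail.amazon.com)
    norm = normalize_domain(domain)
    labels = set(re.split(r"[.-]", norm))
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # amaz0n.com normalizes to the trusted name; amazon.com.evil.test
        # reuses the brand as a label of an unrelated domain.
        if norm == trusted or brand in labels:
            return trusted
    return None


def host_of(url):
    """Host name of a URL or bare host/path string, lower-cased."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw):
    """Return a list of human-readable findings for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display_name, address = parseaddr(str(msg["From"] or ""))
    sender_domain = address.rpartition("@")[2].lower()

    # Sender check: the display name is free text, so compare it to the address.
    impersonated = lookalike_of(sender_domain)
    if impersonated:
        findings.append(f"sender domain {sender_domain} looks like {impersonated}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        under_trusted = sender_domain == trusted or sender_domain.endswith("." + trusted)
        if brand in display_name.lower() and not under_trusted:
            findings.append(f"display name '{display_name}' claims {brand} but address is {address}")

    # Link check: the visible text can differ from where the href really goes.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            target = host_of(href)
            if target in SHORTENER_DOMAINS:
                findings.append(f"shortened URL hides destination: {href}")
            if lookalike_of(target):
                findings.append(f"link points to look-alike domain {target}")
            if URL_LIKE.fullmatch(text) and host_of(text) != target:
                findings.append(f"link text '{text}' but destination is {target}")
    return findings


# Constructed sample message exhibiting the patterns discussed above.
SAMPLE_EMAIL = b"""\
From: "Amazon Customer Service" <billing@amaz0n.com>
To: employee@contoso.com
Subject: Urgent: your account will be suspended
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer, verify your account within 24 hours:</p>
<a href="https://amazon.com.account-check.test/login">www.amazon.com/account</a>
<a href="https://bit.ly/3xAmpL3">Update payment method</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed sample, the script reports the look-alike sender domain, the display name that claims a brand the address does not belong to, the link whose visible text names amazon.com while the href goes elsewhere, and the shortened URL. A message from a genuinely trusted subdomain with honest link text produces no findings, which is the useful property for a triage filter: it is the mismatch between what is shown and what is real that matters, not the mere presence of a brand name.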
Be skeptical of requests for personal information
Avoid sharing personal information in response to an email request. Legitimate organizations usually don't ask you to provide sensitive information, such as passwords, credit card details, or Social Security numbers, via email.
Phishing tactics keep evolving, so it’s important to keep everyone updated on the latest scams. You can do this by sharing resources, holding regular security awareness training, and having open discussions about phishing and best practices. This proactive approach will bolster your company’s security posture.
Fidelis' team of IT experts can keep your company safe from phishing attacks and other cyberthreats. We offer a comprehensive range of managed security solutions that cover everything from design, deployment, and configuration to ongoing management, monitoring, and reporting. Schedule a call with us today.