Phishing attacks recently surpassed malware as the most common cybersecurity threat, according to Microsoft’s Security Intelligence Reports. Rather than convincing someone to download a malicious attachment, attackers link to convincing fake websites designed to trick users into giving up login or financial details.
More than three quarters of companies experienced a phishing attack in 2017 and the average user received 16 malicious emails per month, according to studies compiled by Alert Logic. These threats are likely to continue to rise and become more sophisticated, which makes it important for businesses to take action to prevent costly mistakes.
The best defense is blocking these emails from reaching employee inboxes. For example, iTAG Active Network Protection service is designed to block many common phishing and malware attacks by looking at various technical signs. But unfortunately, the best cybersecurity software in the world won’t stop all phishing emails from reaching employees.
Cybersecurity education is critical to preventing employees from becoming a victim of phishing attacks. Enter iTAG’s Cybersecurity Awareness Training, an automated online learning solution that incorporates training modules, assessments and phishing simulations, built to reduce the odds they will become a cybercrime victim to begin with.
Let’s take a look at the five tell-tale signs of a phishing email and how you can spot them.
#1: The domain is wrong.
Domain-based Message Authentication Reporting and Conformance (DMARC) enables email domain owners to protect their domain from unauthorized use — or email spoofing. For example, if Chase Bank sets up DMARC for Chase.com, attackers cannot use any @chase.com without being caught up in an email filter.
The most common way for attackers to get around these restrictions is to use clever fake domains along with a convincing display name. For example, a spoofed email from Chase Bank may come in as Chase Bank or Chase Bank .
If the domain doesn’t match the sender, you should immediately be suspicious of the email, even if the display name looks legitimate. If the domain does match up, you should still exercise caution since DMARC isn’t a requirement for all businesses — only those that take the time to set it up.
#2: The request is urgent.
Many phishing attacks invoke a sense of urgency o fear. After all, these emotions can make it difficult to think clearly and recognize a threat. KnowBe4, a security awareness firm, found that these types of emails generated the most clicks, which means that they are likely to become more common.
Examples of urgent subject lines include:
- Account Suspended
- Unauthorized Login Attempt
- Email Account Will Be Closed
- Update Your Account to Avoid Shutdown
- Important Security Issue Detected
When receiving an urgent or fearful email, employees should be taught to step back and take a few minutes to assess the email and err on the side of caution. Most IT groups are happy to review such a request rather than deal with the repercussions of a cybersecurity incident.
#3: The link goes to a fake website.
Links are common in many emails, but there are some emails where they should never be trusted. For example, banks rarely include links in their emails. They usually state that something has occurred and encourage you to log in to your account separately or call them for more information.
If an email requests that you click on a link, it’s a good idea to exercise caution with one simple step: Copy and paste the link into a text document to see where it wants to take you. In many cases, phishing emails have links that go to a fake website that’s designed to steal your information.
For example, an attacker may want to gain access to your LinkedIn profile as a prerequisite to a more complex social engineering attack. They may send an email that looks like it’s from LinkedIn stating that there’s a security issue. After clicking the link, you may be taken to a fake login page.
#4: There are obvious mistakes.
Everyone makes spelling errors and grammatical mistakes, but these mistakes are extremely uncommon in automated emails coming from large companies. If you receive a notice from your bank about a suspicious transaction, there should be no spelling or grammar errors in the email.
Similarly, large companies should have well-formatted emails with a proper logo. An outdated logo or strange looking email formatting is a sign that the email may be a phishing attempt. Most companies have quality assurance processes that catch these mistakes early on in the process.
Employees should immediately be suspicious of any email that looks “off” and report it to their IT group.
#5: It’s not personalized.
Most businesses strive to provide personalized email as a way to increase engagement, and brand loyalty. For example, emails will usually address you by your first and/or last name rather than calling you a “Valued Customer.”. They may also provide details like the last four digits of an account.
Since attackers don’t know these details, they must come up with alternatives. They may address you by your email address or generic terms and omit account numbers and other details. These omissions are signs that the email may be a phishing attempt and you should be immediately suspicious.
How to Stay Off the Hook
The best defense against phishing attacks is both a proactive defense and a reactive education.
ITAG’s Active Network Protection and other firewall solutions help prevent phishing and malware emails from reaching employees by blocking the most common attempts. They look for common spoofed domains, spelling/grammar errors, and other factors that could indicate a phishing attempt.
While these are effective measures, every business should incorporate cybersecurity training into their onboarding and ongoing training for employees. The increasing pervasiveness and sophistication of phishing attacks mean that every employee should know how to spot them.
If this also a business concern, which it definitely should be, the most effective and holistic solution is frequent cybersecurity training for employees. iTAG’s Cybersecurity Awareness Training provides an online learning solution that incorporates training modules, assessments and most importantly phishing simulations that are built to reduce the odds employees will become cybercrime victim to begin with.