Phishing scams have been around for a long time. You’ve probably heard many horror stories of individuals and businesses falling victim to an email scam. In July of this year, email scams totalled almost £800,000 in Northern Ireland. Despite growing awareness, it is getting harder to spot a phishing scam as they become more sophisticated. Even with standard security measures in place, no single tool or method can guarantee 100% protection against phishing. The responsibility lands with you. Thankfully, there are a few simple things you can do to help protect yourself from phishing emails.
What is a phishing email?
Phishing emails can take many different forms, and the methods cybercriminals use are constantly changing, becoming more targeted and ultimately more effective. Each type of phishing attack has a different goal: some seek data, others money, and some want to gain access to private networks. However, the underlying pattern of a phishing email scam is the same – the fraudulent misuse of sensitive data to steal and to extort.
Before you read on, why not test your knowledge with this quick Google Phishing quiz. The results may surprise you, as they highlight the sophistication of current phishing emails.
How to spot a phishing email
Who is the sender?
There are multiple ways scammers can fool someone into thinking they are receiving an email from a legitimate contact. If you think this is something that could not possibly happen to your business, think again. A housing association in Northern Ireland this year fell victim to a spoofed email address. They received an email which appeared to be from a construction company that they work with. The email asked for payment to be sent to their recently changed bank account details. Mistakes like this can prove to be extremely costly.
There are several steps you can take to avoid this type of deception. First, you should always check the ‘From:’ field in the email header. Cybercriminals tend to imitate larger companies like Apple, Amazon and Tesco, preying on the idea that the recipient will trust the brand. Remember that a legitimate organisation will send from its own domain, so look at the actual address, not just the display name.
If an email address looks suspicious, then it probably is. If you’re unsure, flag the email and go directly to the organisation’s official website to find out the best method of contacting them directly.
What are they asking for?
Reputable businesses will not ask for personal information such as bank details or passwords over email or text. This should be an immediate red flag. They will also never send unsolicited attachments or For example, if you get an email from your ‘bank’ that warns you about unusual payments and it has a link to click – do not click that link. Instead, go directly to your bank’s official website, access your account from there or contact your bank via their official telephone number. Use this same approach for texts and voicemails. Always go direct.
If you receive an email from an organisation that includes an HTML link, hover your mouse over the link without clicking and you should see the full URL appear. If the URL does not include the organisation’s exact domain name, or if it looks suspicious in any other way, delete the email, as it is probably a phishing attempt.
If you do click a link in a phishing email, you may be redirected to a site that looks indistinguishable from the legitimate website. Even the URL in the browser bar may be very similar to the official domain name. In this case, phishers are exploiting the fact that Unicode incorporates many writing systems, several of which have their own code points for letters that look identical to Latin ones, so a lookalike domain can appear to be the real one.
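The two checks described above, the ‘From:’ address and the real hostname behind a hovered link, can be automated for a triage script or a mail-filter rule. The following is an added example written for this article, not code from the original post or from any vendor it mentions: it uses only the Python standard library, and every expected domain and sample link or header in it is a constructed placeholder rather than a real indicator. It also decodes punycode (`xn--`) hostnames and flags labels that mix writing systems, which is the Unicode lookalike trick the paragraph above describes.

```python
"""Sender and link checks for the 'who is the sender?' and 'where does the link go?'
advice above. Added example; all domains and sample values are constructed."""
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit


def decode_hostname(hostname: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so look-alike letters are visible."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname  # already contains non-ASCII characters; nothing to decode


def scripts_in(label: str) -> set:
    """Approximate the Unicode scripts used in one hostname label from character names."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])  # LATIN, CYRILLIC, ...
    return scripts


def hostname_reasons(host: str, expected_domain: str) -> list:
    """Return the reasons a hostname should not be trusted as belonging to expected_domain."""
    reasons = []
    host = host.lower().rstrip(".")
    expected = expected_domain.lower()
    shown = decode_hostname(host)
    if shown != host:
        reasons.append(f"punycode hostname really reads '{shown}'")
    if any(ord(ch) > 127 for ch in shown):
        reasons.append("hostname contains non-ASCII characters")
    for label in shown.split("."):
        used = scripts_in(label)
        if len(used) > 1:
            reasons.append(f"label '{label}' mixes scripts {sorted(used)}")
    # The organisation's domain must be the whole hostname or its right-hand end:
    # 'apple.com.something.test' is NOT apple.com, it is a subdomain of something.test.
    if host != expected and not host.endswith("." + expected):
        reasons.append(f"'{host}' is not {expected} or a subdomain of it")
    return reasons


def check_link(url: str, expected_domain: str) -> dict:
    """Check a hovered link the way the text suggests: what is the real hostname?"""
    parts = urlsplit(url)
    host = parts.hostname or ""  # anything before an '@' is userinfo, not the host
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme '{parts.scheme}'")
    if not host:
        reasons.append("link has no hostname")
    reasons += hostname_reasons(host, expected_domain)
    return {"hostname": host, "verdict": "suspicious" if reasons else "ok", "reasons": reasons}


def check_sender(from_header: str, expected_domain: str) -> dict:
    """Check a From: header: the display name is free text, the domain after '@' is what counts."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2]
    reasons = []
    if not domain:
        reasons.append("no address found in From: header")
    reasons += hostname_reasons(domain, expected_domain)
    brand = expected_domain.split(".")[0]
    if reasons and brand in display_name.lower():
        reasons.append(f"display name claims '{brand}' but the address domain does not match")
    return {"address": address, "verdict": "suspicious" if reasons else "ok", "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample values for illustration, not real phishing indicators.
    samples = [
        ("link", "https://support.apple.com/account", "apple.com"),
        ("link", "https://www.apple.com.verify-login.test/", "apple.com"),
        ("link", "https://apple.com@login-check.test/", "apple.com"),
        ("link", "https://\u0430pple.com/", "apple.com"),  # first letter is Cyrillic 'а'
        ("sender", "Apple Support <no-reply@apple.com>", "apple.com"),
        ("sender", "Apple Support <billing@apple-secure.test>", "apple.com"),
    ]
    for kind, value, expected in samples:
        result = check_link(value, expected) if kind == "link" else check_sender(value, expected)
        print(f"{result['verdict']:10} {value}")
        for reason in result["reasons"]:
            print(f"             - {reason}")
```

The design point is that both checks compare the domain that actually carries the message or the click against the organisation’s real domain, taken from its official website rather than from the email itself; the display name, the words in the path, and anything before an `@` in a URL are all attacker-controlled decoration and are deliberately ignored.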
Be wary of typos
Often phishing emails will contain typos, awkward language and formatting errors. This is a dead giveaway. While every organisation has a lexicon and business practices unique to it, legitimate organisations will always take care to create professional communications for current or prospective customers.
There is some logic behind poorly written phishing emails. Firstly, they are often written by non-native English speakers, and instead of carefully proofreading an email they will leave typos in to weed out sceptical people. The theory is that someone who might fall victim to a phishing scam is less likely to be dissuaded by a few spelling mistakes. Secondly, typos are used in an attempt to fool spam-blocking software.
It is important to remember that because of the increasing sophistication of phishing emails, a well-crafted email can still be a scam.
In 2018 scammers sent a very convincing email from ‘the TV Licensing department’ to unknowing victims. The email subject lines included variations of ‘correct your licensing information’ or ‘renew now or risk becoming unlicensed.’ Scare tactics like this pressure victims into making payments or divulging sensitive information.
This type of manipulation is much more common in spear-phishing attacks, where fraudsters try to obtain as much personal information about the victim as possible, to make the emails they send look legitimate and to increase the chance of fooling recipients.
Does it sound too good to be true?
Be wary of emails offering cash prizes or other rewards. Fraudsters may send emails asking you to fill out a customer survey and offer a prize such as an iTunes voucher for participating. This survey scam is designed to steal your personal information, earning the fraudsters commissions each time people supply their details. In a BBC interview, Action Fraud had this to say about survey fraud:
“Legitimate companies like online surveys because they are quick, easy to put together and cheap to do. It’s not unusual to get a survey request in your email inbox from a company that you’ve recently bought something from or signed up to.
“Fraudsters also love online surveys because it’s easy to trick victims into revealing personal information such as banking details or passwords in the belief they are going to get something in return. They then use this to steal victims’ money or identity, or to sell on this information to other fraudsters.”
Be vigilant, look out for the warning signs and remember if it sounds too good to be true, then it probably is.
Create a culture of cyber security awareness
Even a business with the most sophisticated security system isn’t fully protected from phishing attacks. It only takes one mistake or one untrained employee to compromise your valuable data. Make sure both you and your employees understand what a phishing scam is, the telltale signs, and what to do if you receive one. Download our FREE cybersecurity guide to learn how to create a culture of cybersecurity in your business.