The last few years have seen a surge of phishing attacks - unsolicited emails intended to deceive you into revealing personal information, account credentials, or other sensitive data. If successful, stolen information can be used for credit card fraud, identity theft, and even for extortion.
Cybercriminals sometimes target company employees to access their business accounts. Corporate data can be leveraged for a much larger financial reward, so fake emails can be persuasive, especially if the targeted recipient is unaware of phishing attacks.
In this article, we’ll cover eight common indicators of a phishing attempt and how business owners can ensure the safety of their company data.
Eight common indicators of a phishing attempt
In the past, phishing attempts were obvious and easy to notice. Since then, they have evolved to use expert phishing tactics, which can be a serious threat to anyone who’s not paying attention.
Look out for these eight signs of a phishing attempt to avoid making a costly mistake.
1. Bad writing
Most cybercriminals are not good writers or native English speakers. Their fake emails are often full of grammatical or spelling errors.
Emails from real companies are unlikely to contain errors, as they have teams of writers who create error-free messages with a clear structure.
Bad writing is a common indicator of a phishing attempt, but it’s not the only one.
The last few years have seen the rise of false emails with much better writing. Sometimes cybercriminals even hire professionals to avoid making this basic mistake.
2. Unrealistic requests
Most organizations have established lines of communication between members of the team. Top-level managers rarely reach out to supervise low-level subordinates, and certainly don’t ask them to download any suspicious files.
Receiving an email with an unusual task is a common indicator of a phishing attempt.
Do the following before you share any information or follow the email’s instructions:
- Examine the sender’s email address
- Bring it to the attention of your supervisor
Make sure the email is coming from your organization’s business email address. The CEO or other co-workers would not send you an email from a basic ‘@gmail.com’ account.
Sometimes hackers will imitate a business email address by changing one or two letters in the domain, a practice called ‘spoofing’. For example, instead of using the legitimate ‘@salesforce.com’ business email address, they’ll use ‘@saleforce.com’. If an email looks suspicious, closely inspect the sender’s email address.
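The sender check described above can be automated. The following is an added example, not part of the original article: it compares the domain in a From header with a trusted list and flags near-misses such as ‘saleforce.com’. The `TRUSTED` and `FREEMAIL` lists, the function names, and the two-edit threshold are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumptions for this example: the organisation's own sender domains and a
# short list of free webmail providers. Replace both with your own lists.
TRUSTED = {"salesforce.com"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap adjacent) turning a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(from_header, max_edits=2):
    """Return (verdict, trusted domain concerned or None)."""
    addr = parseaddr(from_header)[1]
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    if not domain:
        return ("unparseable", None)
    for t in TRUSTED:
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)
    if domain in FREEMAIL:
        return ("freemail", None)
    for t in TRUSTED:
        # e.g. salesforce.com.example.net: trusted name used as a left-hand label
        if domain.startswith(t + ".") or ("." + t + ".") in domain:
            return ("embeds-trusted-name", t)
        if edit_distance(domain, t) <= max_edits:
            return ("lookalike", t)
    return ("external", None)
```

A ‘trusted’ verdict only means the domain string matches; the From header itself can be forged, so this check complements SPF, DKIM, and DMARC results rather than replacing them.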
3. False sense of urgency
To catch your attention, cybercriminals often disguise their emails as if they’re coming from companies you trust. Messages often urge you to take action.
The pushy and urgent tone of the letter is another common indicator of a phishing attempt. These emails try to induce fear by threatening bad consequences if the recipient doesn’t immediately comply.
Real companies notify their users and associates in neutral, respectful language.
4. Generic email salutation
Some phishing attacks are directed at thousands of people, so emails can’t be personalized. Messages feature generic greetings like ‘Dear customer’. Sometimes the email has no salutation at all.
Genuine emails usually greet you by your name. It’s very unlikely for a familiar individual or company to not address you by your name.
5. Nonspecific message
Sometimes hackers sending phishing emails try to insert themselves into common workplace situations.
For example, the email contains a malicious file with the text: ‘here’s the file you requested’. These emails might work if the recipient is in fact expecting a colleague to share a file or a link.
6. No signature
Official emails typically include a signature with details about the sender: their name, position, contact information, and address. Malicious actors don’t want you to call the person or business they’re pretending to be, so they don’t provide phone numbers or other contact information.
An official-looking email that lacks a signature with specific contact information is another common indicator of a phishing attempt.
7. Request to share personal information
Trusted organizations or individuals will never ask you to share personal information via email. You already provide them with necessary information when you work with an organization or socially engage with a person.
Be suspicious of unexpected requests to share personal details like birth date, phone number, or home address.
8. Request to download an attachment or visit a link
Be careful with emails that urge you to open a link or download an unknown attachment.
It’s normal for people to send and receive emails with links to important internet resources.
Here’s when you should be alarmed:
- You didn’t ask for a link. It is unsolicited.
- It comes from an unverified source.
Simply ignore emails with suspicious links in them. Also, do not click any part of the letter. Often they are designed to open the link even if you click on a blank white space.
The actual destination of the link can be different from its text. It may look like a legitimate URL like hotels.com, but clicking it will take you to a different website set up by hackers to steal your credit card information.
Hovering over anchor text will show the real destination in the browser's bottom left corner.
If you think you might’ve unknowingly exposed important credentials, go back and change all the passwords. Then report the incident to your supervisors.
Do not download files from unknown emails. Pay attention to the file extension. It’s normal for employees to share document files (.docx, .ppt, .xlsx), but even these can contain malicious scripts like macros. Other file types (.zip, .exe, .html or even .pdf) are especially dangerous and should be treated with caution.
An email with an attached document is safe, as long as you can verify its source. You can also usually preview it. On the other hand, an unsolicited request to download a file is a common indicator of a phishing attempt.
Companies will never send you an email asking you to download and install files as a solution to your problem.
Protecting your business against phishing attempts
When it comes to phishing attacks, businesses are more vulnerable than individuals. A phishing attempt getting through one of your employees may be enough to expose your entire business data. What can you do to prevent it?
Reading this article to become more aware of the threat is a good place to start.
The next step is making sure that all of your employees are also informed and prepared to handle phishing attacks. For starters, you can ask them to read this article.
It’s much easier to prevent phishing attempts than to deal with them after they occur. Even if data security is restored, your business will have lost money, reputation and customer trust.
Phishing attempts only succeed if people are unaware of them or don’t pay attention. You can make sure that doesn’t happen by continuously training your people.
Secure Email Gateway (SEG) solutions can often detect malicious emails and prevent them from reaching their target. Using them would reduce the risk of successful phishing attacks, but educating your employees is still the most effective way to safeguard your data.
Employees who notice and report suspicious emails should be encouraged. It’s easy to do the bare minimum and simply delete the email, but it’s much better if they raise the question to their supervisors, letting you know that your business is a target of a phishing attack.
Noticing warning signs and avoiding costly mistakes is the first step to keeping your business secure. By raising awareness of phishing attacks and other cyber threats facing your business with your employees, you can ensure your business’ continued security.
At IT Force, we help keep businesses up to date and secure as new phishing threats and trends emerge each day.