Ever got phished? It is nothing to be proud of, but it is now common for every one of us to receive phishing emails almost daily, if not several in a day.
“You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time.” –Abraham Lincoln
Phishing emails: what are they?
What is phishing? Phishing is a type of social engineering attack in which the attackers attempt to steal user data, login credentials, credit card details, and/or any other sensitive data. Phishing occurs when an attacker pretends to be someone they are not, usually borrowing a well-known name or brand to attract you. Their objective is to get you to open an email, instant message, or text message, and eventually trick you into clicking a malicious link, which can lead to the installation of malware, the freezing of a system as part of a ransomware attack, or the disclosure of sensitive information.
An attack like this, commonly carried out through phishing emails, can have devastating consequences. For individuals it can mean unauthorized purchases, stolen funds, or even identity theft. In corporate or governmental networks, phishing is often used to gain a foothold, usually as part of a larger attack. In an advanced persistent threat (APT) event, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to protected data. Such attacks can cause an organization severe financial losses in addition to a decline in market share, reputation, and consumer trust.
How to recognize a phishing email?
Legit companies don’t request sensitive information over emails
When you receive an unsolicited email from an institution asking for your details by requesting that you click on a link or open an attachment, it is highly likely a scam! Companies will not send you an email asking for your passwords, credit card information, or tax details, nor will they send you an unknown link or attachment to log in or download.
Legit companies call you by name
Most, if not all, of the time, phishing emails do not address you by name but use generic salutations such as “Dear customer”, “Dear account holder”, or “Dear valued member”. A legitimate company that you have been dealing with will address you by name in all its correspondence, and will most probably direct you to contact it by phone.
Having said that, there are also attackers who avoid using a salutation altogether. This is commonly seen in advertisements. See an example of a phishing email below. Can you spot that it is potentially malicious?
Other than going through the email content thoroughly, always check the domain from which the email was sent.
Legit companies use domain emails
As the example above shows, besides going through the content of the email properly, it is important to check the domain used to send it. You can see the sender’s email address by hovering your mouse over the “From” field. Make sure that no alterations (such as additional numbers or letters) have been made to a known company or brand name.
Do note that this isn’t a foolproof method. You may also come across companies that use unusual or varied domains to send email, and smaller companies sometimes use third-party email providers. So it is important to get to know the companies you deal with and to read your emails in detail before taking any action.
Legit companies know the right spellings
One of the easiest ways to recognize a scam email is by its bad grammar. An email from a professional organization should be well written, without obvious spelling or grammar mistakes. You may wonder what the purpose of using bad grammar in a phishing email could be. There is actually a reason for it: attackers generally aren’t stupid or naive. They prey on the less educated, believing them to be less observant and therefore easier targets.
Legit companies will not force you to their website
A lot of the time, the entire body of a phishing email is coded as a single hyperlink. Hence, clicking anywhere in the email, whether accidentally or deliberately, will open a fake webpage or even download spam onto your computer.
Legit company links match legitimate URLs
A good point to take note of: before clicking a link sent to you in an email, make sure that the text of the link is identical to the URL displayed when the cursor hovers over it. From this, you can tell whether you will be taken to a legitimate website or to one that could be malicious. If a hyperlink’s URL doesn’t match the context of the email or looks suspicious, don’t trust it.
For additional security, check that the link begins with https:// when you hover your mouse over it, before clicking.
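The sender-domain check above and the link checks in this section can be automated for a saved message. The script below is an added example, not code from the original article: it parses a raw email with Python's standard library and reports a sender domain that closely resembles (but is not) one of your known domains, anchor text that displays one URL while the href points at a different host, links that are not https, and a generic salutation. The `KNOWN_DOMAINS` set and the sample message are constructed for this example and stand in for the organisations you actually deal with.

```python
"""Heuristic phishing-indicator checks on a raw email (added example)."""
import email
from email import policy, utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the real domains of the organisations you correspond with.
KNOWN_DOMAINS = {"examplebank.com", "example.com"}

GENERIC_SALUTATIONS = ("dear customer", "dear account holder", "dear valued member")

# Constructed sample message; the lookalike domain swaps an 'l' for a '1'.
SAMPLE_EMAIL = b"""From: Example Bank <security@examp1ebank.com>
To: customer@example.org
Subject: Please verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer,</p>
<p>Please <a href="http://examp1ebank.com/login">https://www.examplebank.com/login</a>
to confirm your password.</p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs and the full visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, anchor text)
        self.text = []       # all visible text fragments
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def sender_domain(msg):
    """Domain part of the From header address, lowercased."""
    addr = utils.parseaddr(msg["From"])[1]
    return addr.rpartition("@")[2].lower()


def check_sender(domain, known=KNOWN_DOMAINS):
    """Flag a sender domain that is not known but differs from a known one in <= 2 characters."""
    findings = []
    if domain in known:
        return findings
    for good in known:
        if len(good) == len(domain) and sum(a != b for a, b in zip(good, domain)) <= 2:
            findings.append(f"sender domain {domain!r} resembles known domain {good!r}")
    return findings


def check_links(links):
    """Flag non-https links and anchor text that shows a different host than the href."""
    findings = []
    for href, text in links:
        parsed = urlparse(href)
        if parsed.scheme.lower() != "https":
            findings.append(f"link {href!r} does not use https")
        if text.startswith(("http://", "https://")):
            text_host = urlparse(text).netloc.lower()
            if text_host != parsed.netloc.lower():
                findings.append(f"link text shows {text_host!r} but points to {parsed.netloc!r}")
    return findings


def check_salutation(visible_text):
    """Flag the generic salutations the article lists."""
    lowered = visible_text.lower()
    return [f"generic salutation {s!r}" for s in GENERIC_SALUTATIONS if s in lowered]


def analyse(raw_bytes):
    """Run all checks over a raw RFC 5322 message and return the list of findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    findings = check_sender(sender_domain(msg))
    findings += check_links(parser.links)
    findings += check_salutation(" ".join(parser.text))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run it on a saved `.eml` file by passing the file's bytes to `analyse`. The https check is only one signal: it tells you the connection will be encrypted, not that the site is the one it claims to be, which is why the host comparison and the sender-domain check are reported alongside it.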
Phishing emails are common now. Having a good security system for your website is important, but it does not mean that every possible attack can be filtered out. It takes only one careless click or a misread for you to be fooled by a phishing attack that could harm the data you have been protecting. Depending on its scope, a phishing attempt could escalate into a security incident from which you will find it difficult to recover.
Ensure that everyone in your company knows and understands the patterns of phishing emails to avoid being attacked.