Remember the good old days when spam was so easy to recognize for anyone who had been using email for more than a month?
There were the Nigerian princes who decided on a whim that you, of all people, deserved a portion of their inheritance and that all they needed was your bank’s routing number to make the deposit.
There were also the cyberextortionists who claimed to have planted a Trojan horse on your system and screen-grabbed all the “naughty” sites you had visited, threatening to release those discoveries to friends, family, and employers unless a payment (usually in Bitcoin) was made to a specific address.
Well, gone are the days of simple cybercriminals pretending to be billionaire Nigerian princes or porn-finding extortionists trying to gain access to your private data or cash reserves.
“Today’s cybercriminals are employing more complex social engineering tactics to deceive individuals,” explains Chad Lauterbach, CEO of Be Structured, a provider of IT services in Los Angeles. “These ‘phishing emails’ are now designed to be subtle and crafty ways of accessing a consumer’s credit card numbers, Social Security numbers, or even a company’s entire network.”
From re-creating internal emails with compromised links to replicating emails from trusted organizations, phishing attacks can now deceive even the most diligent employees.
What Are Phishing Emails?
Phishing emails are often cleverly disguised to appear as if they’re being sent from a company you know or trust. They could look like they’re from a well-known banking institution or a credit card company you’re familiar with. They could also seem to have emanated from a social media platform you probably frequent a lot, so why wouldn’t you want to see what so-and-so has been up to?
Once that (misplaced) trust has been established, the email tricks you into opening an attachment or clicking a link, often to “update your personal information,” ironically framed as being “for your security’s sake.”
Phishing email scams reportedly cost duped consumers more than $57 million in 2019 according to the FBI’s Internet Crime Complaint Center.
Being proactive and building awareness of these phishing scams will help prevent further heartbreak and monetary losses.
Here are the latest—and more subtle—indicators to recognize and avoid phishing scams.
Phishing Scams – Key Warning Signs
Phishing emails are just the latest form of cyberattacks that every company and every individual should be aware of.
Some of the lesser-known phishing email indicators you should be on the lookout for include:
- You Don’t Recognize the Sender
The first thing you should consider when examining an email for legitimacy is the sender. If you don’t recognize the sender or the sender distorts a seemingly familiar email address, you should be careful about its content.
Anytime you receive an email from a sender you don’t recognize, you should immediately be suspicious and not engage with any of its content (i.e., clicking links, forwarding, or downloading attachments) until you have confirmed its legitimacy.
At the same time, just because you recognize the sender of the email doesn’t immediately mean it’s safe. Cybercriminals can compromise email accounts and use them to exploit other users. In fact, Be Structured’s IT support group in Los Angeles has even seen internal phishing attacks purportedly sent by a company’s CEO; why wouldn’t a faithful employee trust such a message and open it?
These types of phishing attacks can be a little more difficult to discern. Keep reading to discover some of their telltale traits.
- Asking for Personal Information
You should also be immediately suspicious of any emails requesting personal information you wouldn’t feel comfortable sharing online. This information includes your name, address, logins, passwords, Social Security numbers, driver’s license numbers, credit card numbers, and anything else you wouldn’t post online.
Legitimate institutions and businesses never reach out to confirm confidential information over email. If you receive an unexpected email that asks for personal information, it’s almost always going to be a phishing attempt.
- External Linking
If an email encourages you to click on a link, you should always be careful before clicking. Oftentimes, links are masked as legitimate but redirect you to an unsafe URL: the visible text shows one address while the underlying link points somewhere else. If you hover over the link and notice a URL you don’t recognize, chances are it is not safe. Online anti-phishing tools like isitPhishing and PhishingCheck can help you determine whether a link’s URL is legitimate or whether it redirects you to another site.
- Suspicious Attachments
One of the most common ways for cybercriminals to infiltrate an organization’s network is by spreading unsafe attachments via phishing emails. Simply by downloading and opening an unsafe attachment, your network can be exposed to threats such as malware, data breaches, and even ransomware.
Cybercriminals do everything they can to make attachments look legitimate even when they aren’t. Before opening or downloading any attachments, make sure they have been run through your organization’s virus scanner and have been confirmed as credible.
- A Sense of Urgency
Just as infomercials encourage you to buy products right away by offering a limited-time deal, phishing emails trick individuals by claiming an urgent matter needs to be addressed to avoid unwanted consequences.
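The warning signs above can be turned into simple automated checks. The following script is an added example, not code from the original article or from Be Structured: it parses a raw email message and reports an unfamiliar or look-alike sender, links whose visible text names one host while the real destination is another, attachments with risky file types, and requests for personal information or urgency language. The trusted-domain allow-list, the keyword and extension lists, and both sample messages are constructed for this illustration; a real deployment would tune them to its own environment and would still rely on a virus scanner and on reporting to IT rather than on this script alone.

```python
"""Check a raw email against the phishing warning signs described above.

Added example; the allow-list, keyword lists, extensions and sample
messages are all constructed assumptions, not real configuration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com"}  # constructed allow-list of senders you recognise
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".html", ".iso")
PERSONAL_INFO_TERMS = ("password", "social security", "credit card", "driver's license", "login")
URGENCY_TERMS = ("immediately", "within 24 hours", "urgent", "account will be suspended", "act now")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def same_site(a, b):
    """True if the two hosts are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def sender_indicators(msg):
    """Unfamiliar sender domain, or a display name that borrows a trusted brand."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    if not is_trusted(domain):
        findings.append(f"sender domain '{domain}' is not recognised")
    plain_name = re.sub(r"[^a-z0-9]", "", name.lower())
    for trusted in TRUSTED_DOMAINS:
        brand = re.sub(r"[^a-z0-9]", "", trusted.split(".")[0])
        if brand and brand in plain_name and not is_trusted(domain):
            findings.append(f"display name '{name}' imitates {trusted} but address is {addr}")
    return findings


def link_indicators(html):
    """Links whose visible text shows one host while the href points elsewhere."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        visible = TAG_RE.sub("", inner).strip()
        real_host = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(visible)
        shown_host = shown.group(1).lower() if shown else ""
        if shown_host and not same_site(shown_host, real_host):
            findings.append(f"link text shows {shown_host} but points to {real_host}")
        elif real_host and not is_trusted(real_host):
            findings.append(f"link points to unrecognised host {real_host}")
    return findings


def attachment_indicators(msg):
    """Attachments whose file type can run code or hide a payload."""
    findings = []
    for part in msg.walk():
        fname = part.get_filename() or ""
        if fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment '{fname}' has a risky file type")
    return findings


def text_indicators(text):
    """Requests for personal information and pressure language."""
    low = text.lower()
    found = [f"asks for personal information ('{t}')" for t in PERSONAL_INFO_TERMS if t in low]
    found += [f"urgency language ('{t}')" for t in URGENCY_TERMS if t in low]
    return found


def body_text(msg):
    """Collect the text/plain and text/html bodies, skipping attachments."""
    plain, html = "", ""
    for part in msg.walk():
        if part.get_filename() or part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True) or b""
        decoded = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_type() == "text/html":
            html += decoded
        else:
            plain += decoded
    return plain, html


def analyze(raw):
    """Return the warning signs found in a raw RFC 5322 message, grouped by category."""
    msg = message_from_string(raw)
    plain, html = body_text(msg)
    words = " ".join([msg.get("Subject", ""), plain, TAG_RE.sub(" ", html)])
    return {
        "sender": sender_indicators(msg),
        "links": link_indicators(html),
        "attachments": attachment_indicators(msg),
        "content": text_indicators(words),
    }


def is_suspicious(raw):
    """True if any category produced at least one finding."""
    return any(analyze(raw).values())


# Constructed sample: look-alike sender, mismatched link, risky attachment, urgency.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@example-bank-verify.com>
To: employee@corp.example
Subject: Urgent: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>We detected unusual activity. For your security, confirm your password and
Social Security number at <a href="http://login.example-bank-verify.com/x">https://www.example-bank.com/secure</a>
or your account will be suspended.</p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="statement.pdf.exe"

ZmFrZQ==
--b1--
"""

# Constructed sample of a routine notice from the trusted domain.
SAMPLE_CLEAN = """\
From: "Example Bank" <alerts@example-bank.com>
To: employee@corp.example
Subject: Your monthly statement is available
Content-Type: text/plain

Your statement is ready in online banking. No action is needed.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, "suspicious" if is_suspicious(raw) else "no findings")
        for category, items in analyze(raw).items():
            for item in items:
                print(f"  [{category}] {item}")
```

The sender check deliberately flags a display name that borrows a trusted brand while the address sits on another domain, which is the look-alike pattern the first warning sign describes; the link check compares the host a recipient sees with the host the link actually resolves to, which is what hovering over a link reveals by hand. Keyword matching on its own produces false positives, so the output is meant as a prompt to report the message, not as a verdict.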
What to Do Next
Fortunately, harm rarely comes from merely opening a phishing email. In fact, opening the email can often help you determine whether it’s phishing or legitimate. The danger comes when you interact with the mail by clicking links, replying with personal information, or downloading and opening attachments. Once you’ve determined that an email is phishing, you shouldn’t engage the email or the sender in any way. You can also personally mark the mail as spam in your mail program.
Depending on your organization’s policies, you should report the email to your IT department or your outsourced technical support team as phishing. They will investigate the matter further and get to the bottom of the issue. In the best-case scenario, you prevent a phishing attack and inform your IT team of tactics cybercriminals are using to target your organization. In the worst-case scenario, the email may not turn out to be phishing, but you’re better off safe than sorry.
In short, if you’re in any way suspicious that an email may be phishing, go ahead and report it. Little harm comes from a mistaken report, while a lot of mistakes can happen because of unreported phishing.
If your organization doesn’t have any phishing policies in place, it should. If you receive a phishing email, this means cybercriminals are targeting your organization, and you need to have concrete strategies in place to guard against these threats. In the meantime, you can mark the email as spam to filter out future emails.
Ongoing Phishing Training Solutions
Just as cybercriminals are continually adapting their tactics to exploit networks, you need to be prioritizing ongoing training that empowers your team to respond to ever-changing threats.
Continue to read up on the latest ways to recognize and avoid phishing scams.
Fortunately, today’s marketplace offers a variety of ongoing phishing training solutions like KnowBe4 and Rapid7 to keep your team on their toes.
Virtual phishing training works by sporadically sending out automated, simulated phishing emails to your team. The email works like a real-world phishing attack by encouraging them to click a link, reply with information, or open an attachment.
If they fall for the attack, they’re required to complete virtual training within a specified time frame. If they spot the attack and report it as phishing, they’re congratulated and encouraged to keep up the excellent work.
Sitting your team down and informing them of the key warning signs that an email may be phishing is a critical first step. However, they need concrete experience to be able to respond appropriately to real-world phishing threats. Simulated phishing attacks bridge the gap between theory and practice by offering a safe environment for your team to test their skills while keeping them alert to real-world vulnerabilities.
In any case, with the days of Nigerian princes and Trojan Horse infiltration behind us, it’s time everyone took a more proactive approach to the potential danger and network debilitation of today’s sophisticated phishing emails.