Phishing scams are one of the most common ways hackers gain access to sensitive or confidential information. In fact, according to KnowBe4, 70% to 90% of all malicious breaches are due to social engineering and phishing attacks.
What is Phishing?
At the most basic level, a phishing scam involves sending fraudulent emails that appear to be from a reputable company, with the goal of deceiving recipients into either clicking on a malicious link or downloading an infected attachment, usually to steal financial or confidential information.
If you don’t know the signs of a phishing email, your company is at risk. According to Verizon, the average time it took for the first victim of a large-scale phishing campaign to click on a malicious email was 16 minutes; however, it took twice as long — 33 minutes — for a user to report the phishing campaign to IT.
Given that 49 percent of malware is installed via email, these 17 minutes could spell disaster for your company.
Identifying a Phishing Attack
We’ve broken down the eight key indicators of a Phishing Email so you can learn how to spot one a mile away.
- Urgent Subject Lines. Phishing campaigns typically aim to create a sense of urgency using intense language and scare tactics, starting with the email’s subject line. Common themes among phishing emails are that something sensitive, such as a credit card number or an account, has been compromised. This is done to get the recipient to respond quickly without recognizing the signs of a scam.
- Imitating Known Brand & Using A Fake Email. To work, phishing campaigns must trick the email recipient into believing that the message is from a reputable person or company. As such, the email will appear to come from a legitimate entity within a recognized company, such as customer support. Upon closer look, however, you may see that both the sender’s name and the sender’s email address are a spoof on a known brand, not a genuine vendor.
- Impersonal Messaging. Phishing emails are often impersonal, addressing the recipient as a “user” or “customer.” This is a red flag; while businesses may send out mass e-blasts announcing a sale or service, legitimate companies will address you by name when asking for an update to financial information or dealing with a similarly sensitive matter.
- Punctuation and Spelling Mistakes. Phishing emails are also often riddled with both grammar and punctuation mistakes.
- Link display text and address are different. A suspicious link is one of the main giveaways of a phishing email. These links are often shortened (through bit.ly or a similar service) or, as above, are formatted to look like a legitimate link that corresponds with the company and message of the fake email. However, rolling over the link shows a malicious address that does not take you to the stated web address.
- Fear Tactics. As with the subject line, the body copy of a phishing email typically employs urgent language designed to encourage the reader to act without thinking.
- Vague Signature. As with the email’s greeting, the sign-off is often impersonal — typically a generic customer service title, rather than a person’s name and corresponding contact information.
- Attached Zip Files. In addition to malicious links, phishing scams often include malicious downloadable files, usually compressed zip files, which can infect your computer. Often the body of the email is encouraging you to click on and open the file.
Avoiding the Phisher’s Net
It is often said that the weakest link in security is the user, but with enough awareness and understanding, this does not need to be the case. Technology does not yet have a 100% reliable solution to phishing, but utilizing email filtering, keeping your software and apps up to date, and regular training and testing of your team to spot phishing attempts can help your company stay protected. If we can recognize phishing attacks by understanding the anatomy of a phish, stay calm and vigilant, and not allow our emotional buttons to be pushed, users can become the strongest link in security.
If you would like to learn more about how we can help keep your company safe & secure, book a call with us via the button below.