Top Tips to Identify and Avoid Phishing Emails
Phishing is a form of social engineering in which users are tricked into providing sensitive information. While the original goal of phishing was to gain credentials and steal personal or corporate data, it is no longer the only reason cybercriminals “go phishing.”
They also use phishing to trick victims into launching malicious files on their computers, or into opening a link to an infected website that lets the attacker take over corporate systems. In some cases the payload is ransomware that is launched on the victim's system.
Company employees (including management) are particularly vulnerable since they offer easy entry into computer networks, systems and data stores. Despite decades of phishing attacks (the first was against AOL employees in the 1990s), phishing still works frequently due to human gullibility.
One study found that 97 percent of users cannot identify a sophisticated phishing email, and among those that do, only 3 percent report them to management. Fortunately, with proper education users will be prepared to identify, avoid and report phishing emails. Following are tips you should review (and share) today.
Identifying Phishing Emails
Phishing emails (and text messages, a newer attack vector) may look like they’re from a company you know or trust, such as a bank, credit card company, online store, app or website you use. They often tell a story (or issue a threat) to pressure you into taking the action they request. Common pretexts include:
- An account has experienced suspicious activity or log-in attempts.
- There’s a problem with an account or some payment information.
- A payment (or deposit, for a bank) was rejected or cannot be processed and the user must confirm personal information before they can provide the details.
- An online bill or an invoice for a service is due (or overdue) and should be paid, now.
- An account has been overpaid, or the user was accidentally overbilled, and he or she can click a link to request a refund.
- An application, cloud service or online tool has experienced a service outage and the user must log back in to restart it.
Furthermore, since phishing emails may be written by individuals not familiar with the recipient’s native language — or even computer generated — they may look “off,” e.g. use bad grammar, have spelling mistakes, or use unusual or generic salutations/greetings.
Confirming Email Oddities
Finally, because phishing emails try to pass as genuine, they often include links, attachments or special requests that look legitimate enough for the recipient to comply. Following are some telltale signs.
- Oddities in email addresses, links and domain names, e.g. www.landsend33.com or firstname.lastname@example.org.
- Attachments the recipient is urged to download right away.
- Text that asks the recipient to log in or provide credentials, payment information or other sensitive data to confirm their identity so they can receive details regarding the issue, offer, etc.
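The signs listed above can be checked mechanically, which is what mail gateways and security teams do at scale. The following Python script is an added example, not code from the original article: it parses a constructed sample message and flags a sender domain that does not match the brand named in the display name, a lookalike domain made by appending digits to a brand (the landsend33 pattern above), a link whose visible text names a different host than its real target, urgency wording, a generic greeting, and an attachment. The brand allowlist, the two sample messages and the indicator names are assumptions constructed for the demonstration; the registrable-domain helper is deliberately naive.

```python
"""Heuristic phishing-indicator checker (added example, not the article's code)."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist (assumption): lowercase brand name -> legitimate registrable domain.
KNOWN_BRANDS = {"acme bank": "acmebank.example"}

# Constructed sample messages; neither is a real email.
SAMPLE_EMAIL = b"""From: "Acme Bank Billing" <billing@acmebank33.com>
To: user@example.org
Subject: Payment could not be processed - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Your payment was rejected. Please confirm your details now at
<a href="http://acmebank33.com/login">https://www.acmebank.example/account</a></p>
</body></html>
--B1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

UEsDBAo=
--B1--
"""

BENIGN_EMAIL = b"""From: "Acme Bank" <alerts@acmebank.example>
To: user@example.org
Subject: Your statement is available
Content-Type: text/plain; charset="utf-8"

Hi Jane, your statement is available in the app you already use.
"""

URGENCY = re.compile(r"\b(now|immediately|urgent|action required|within 24 hours)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|member|account holder)\b", re.I)


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Naive: last two labels. Production code should consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Hostname of a URL or of bare 'www.example.com'-style text; None if it is not host-like."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    return host if host and "." in host else None


def check_email(raw, known_brands):
    """Return the sorted list of indicator codes found in raw RFC 5322 message bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = set()

    sender = msg["from"]
    addr = sender.addresses[0] if sender and sender.addresses else None
    display = addr.display_name.lower() if addr else ""
    sender_reg = registrable_domain(addr.domain.lower() if addr else "")

    for brand, legit in known_brands.items():
        # Display name claims a brand, but the sending domain is not that brand's domain.
        if brand in display and sender_reg != legit:
            findings.add("sender-domain-mismatch")
        # Lookalike: brand label with digits appended, e.g. acmebank33.com.
        if re.fullmatch(rf"{re.escape(brand.replace(' ', ''))}\d+", sender_reg.split(".")[0]):
            findings.add("lookalike-domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, visible in extract_links(text):
        href_host, text_host = host_of(href), host_of(visible)
        # Visible link text names one site while the real target is another.
        if href_host and text_host and registrable_domain(href_host) != registrable_domain(text_host):
            findings.add("link-text-mismatch")

    if URGENCY.search((msg["subject"] or "") + " " + text):
        findings.add("urgency-language")
    if GENERIC_GREETING.search(text):
        findings.add("generic-greeting")
    if any(part.get_filename() for part in msg.iter_attachments()):
        findings.add("attachment")
    return sorted(findings)


if __name__ == "__main__":
    print("phish:", check_email(SAMPLE_EMAIL, KNOWN_BRANDS))
    print("benign:", check_email(BENIGN_EMAIL, KNOWN_BRANDS))
```

None of these indicators is proof on its own; a legitimate reminder can say "now" and carry a PDF. The value is in the combination, which is why the function returns the full set of findings rather than a single verdict, so a triage rule or a user-facing warning can weigh them.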
Phishing is a serious problem, but it is just one element of cyber risk in a world of ever-evolving threats.