According to Avanan, 1 in every 99 emails is a phishing attempt. That may not sound like much, but in the context of a typical business day it means your team is almost certainly exposed to phishing every day. It takes only one mistake to put your business data and infrastructure at risk.
The FTC describes phishing as “a type of online scam that targets consumers by sending them an email that appears to be from a well-known source.” Unlike most other attacks, phishing doesn’t need a skilled attacker to find and exploit hard-to-detect vulnerabilities in your systems. Even so, it is commonly cited as a factor in around 90% of security incidents. What makes it so effective is that it targets the person rather than the software: the attacker relies on human error, not a technical flaw, to get access to confidential data.
But just because human error is often a business’s biggest security weakness doesn’t mean it can’t be reduced. Here’s what you need to know about identifying phishing emails and training your staff so you can protect your business’s sensitive data:
Why is it hard for people to spot a fake email?
What makes phishing emails so effective is the fact they’re designed to look the part and fool you into a false sense of trust. They seem to originate from a known and trustworthy source, such as your bank, Netflix, Amazon, your Internet provider, Paypal, etc. In the business world, they can also appear to come from a colleague within the organization.
Additionally, phishing relies on creating a sense of urgency that pushes the recipient to act quickly: sort out an unexpected problem with your bank account, cancel an order you never placed, and so on. Because the recipient is made to feel that immediate action is required, fewer people take the time to question the email and spot the red flags.
But what are those red flags?
Red flag #1: The sender needs your personal information.
You should never be required to share confidential data by email. More importantly, a company where you already hold an account, such as Amazon or your bank, has no reason to ask for it: they already have your details on file, and they never need your password, card number or a one-time code to “validate” your account. A message that asks for any of these is a phishing attempt, however genuine it looks.
Red flag #2: The sender has an unusual email address.
At first glance everything may look normal, but on closer inspection you may notice discrepancies, such as paypal.com appearing as pay.pal.com. The differences can be tiny, but they matter: the part of the address that counts is the domain immediately before the top-level domain (pal.com in that example, not paypal.com), and a friendly display name such as “PayPal Support” can be placed in front of any address at all. If the sender’s address is unusual, or the email contains links to strange URLs, don’t click anything; delete the email or report it.
Red flag #3: The sender doesn’t address you by name.
When you receive an email that appears to be from a colleague or company who should already know your name and basic information, you should expect a personalized greeting. The “Dear Sir or Madam” approach is a dead giveaway that there’s something fishy—or phishy—about the email.
Red flag #4: It includes a “please click on the link below” alert.
Reputable companies do send links in email. But if you want to minimize risk, type the company’s URL into your browser yourself rather than clicking the link in the message. Many phishing emails ask you to “verify” information by clicking a link that leads to a copy of the company’s login page, where your username and password are captured. Hovering over a link (or long-pressing it on a phone) reveals the real destination, which is frequently nothing like the text displayed.
Red flag #5: It includes a “please find below the invoice” alert.
Phishing emails also deliver malware, which the recipient unknowingly downloads by opening an attachment. Your mail filter will usually flag or strip obviously dangerous attachments such as executables, but documents with macros, archives and files with double extensions like invoice.pdf.exe often get through. Unless you recognize the sender’s address and were expecting an attachment, don’t open invoices or statements sent to you, and never enable macros because a document asks you to.
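Red flags #2, #4 and #5 can each be checked mechanically, which is useful both for understanding what to look at and for building a first-pass triage tool. The script below is an added example written for this article, not code from the original page: it parses a raw message with Python’s standard email library and reports a display name that claims a brand the sending domain doesn’t belong to, a Reply-To routed to a different domain, link text whose domain differs from the href it actually points at, lookalike hosts such as pay.pal.com, and attachments with executable extensions. The brand allowlist, the sample message and every address and domain in it are constructed for the example.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands that tend to be impersonated and the domain each legitimately mails from.
# This allowlist is an assumption for the example; a real deployment keeps its own.
KNOWN_BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com", "netflix": "netflix.com"}
# Attachment types that should never arrive disguised as an invoice or statement.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk"}

# Constructed sample carrying several red flags at once; every address and domain
# in it is made up for illustration.
SAMPLE_EMAIL = b"""From: "PayPal Support" <security@pay.pal.com>
Reply-To: verify@pay-pal-accounts.example
To: staff@example.com
Subject: Urgent: confirm your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://pay.pal.com/login">click here</a> or visit
<a href="https://paypal.com.verify-login.example/">https://www.paypal.com</a>.</p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ...
--b1--
"""

def registrable_domain(host: str) -> str:
    """pay.pal.com -> pal.com; naive on purpose, co.uk-style suffixes need a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def imitates(brand: str, host: str) -> bool:
    """True if the host spells the brand once dots/hyphens are removed but is not its real domain."""
    squashed = host.lower().replace(".", "").replace("-", "")
    return brand in squashed and registrable_domain(host) != KNOWN_BRANDS[brand]

class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_sender(msg) -> list:
    """Red flag #2: display name claims a brand the address isn't from, or Reply-To goes elsewhere."""
    findings = []
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in display_name.lower() and registrable_domain(sender_domain) != real_domain:
            findings.append(f"sender claims {brand} but mails from {sender_domain}")
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_domain and registrable_domain(reply_domain) != registrable_domain(sender_domain):
        findings.append(f"Reply-To {reply_domain} differs from From domain {sender_domain}")
    return findings

def check_links(msg) -> list:
    """Red flag #4: visible link text shows one domain while the href goes elsewhere."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_content())
        for text, href in collector.links:
            host = urlparse(href).hostname or ""
            # Only compare when the visible text itself looks like a URL or hostname.
            shown = re.match(r"(?:https?://)?((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})", text)
            if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
                findings.append(f"link text shows {shown.group(1)} but points to {host}")
            findings += [f"link host {host} imitates {b}" for b in KNOWN_BRANDS if imitates(b, host)]
    return findings

def check_attachments(msg) -> list:
    """Red flag #5: an 'invoice' that is really an executable (last extension wins)."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        suffixes = re.findall(r"\.[a-z0-9]+", name)
        if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} has executable extension {suffixes[-1]}")
    return findings

def triage(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return every red flag the checks found."""
    msg = message_from_bytes(raw, policy=policy.default)
    return check_sender(msg) + check_links(msg) + check_attachments(msg)
```

Running `triage(SAMPLE_EMAIL)` reports six findings: the PayPal display name in front of a pay.pal.com address, the Reply-To pointing at a third domain, pay.pal.com and paypal.com.verify-login.example as lookalike hosts, the link whose text reads www.paypal.com while its href goes to verify-login.example, and the invoice.pdf.exe attachment. A plain text message from a colleague produces an empty list. The domain comparison deliberately looks only at the last two labels, which is exactly the part of an address a reader should focus on, but it is not a substitute for a proper public-suffix list in production.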
Red flag #6: The grammar is noticeably incorrect.
More and more phishing emails are written to imitate corporate language. If the wording feels awkward, it may be the work of a non-native English speaker producing fake content. But the reverse is not true: flawless grammar is no evidence of legitimacy. Look instead for wording that differs from the emails you normally receive from that company, even when the grammar is correct.
Red flag #7: The “problem” shows up nowhere but in the email.
Nowadays, most users can check the same information from several places. If you receive a suspicious order confirmation from Amazon, it takes only a few seconds to open the Amazon app or website separately and look at your recent orders. The same goes for bank statements or any other transaction.
In other words, any real issue can be confirmed by going directly to the source (calling your bank on the number printed on your card, or logging into your account in a separate browser window) rather than clicking links or opening attachments.
Fundamental Rules to Help your Staff Stay Safe
The first step on receiving an unexpected email is to question it. Encouraging your team to verify every communication they receive, and giving them a simple way to report anything suspicious, prevents many issues.
Additionally, cybersecurity awareness training delivered by an IT service provider is a more comprehensive way to ensure your staff understand the risks of phishing emails and how to avoid them. Security awareness training can also go well beyond phishing, addressing safe ways to interact on social media, “clear your desk” policies, and other procedures that should be followed to keep business data secure.