Defending your organisation from phishing attacks is a constant struggle, because cyber criminals are always changing the tactics they use to dupe your employees. Whatever the motive behind a phishing attempt, the worst case can cause a vast amount of damage to the business: data breaches, leading to financial losses and reputational damage.
It’s therefore important for businesses to be able to recognise phishing attempts, which is exactly what we’ll be covering in this blog.
What is phishing?
Phishing is a type of cyber-attack that uses social engineering, where someone with criminal intent tries to persuade another person into carrying out a specific action. Oftentimes, this involves clicking a link or opening an attachment that triggers an attack, such as the forced installation of malware or redirecting the user to a site where malicious third-party cookies are downloaded. Phishing can also aim to get someone to reveal valuable company information.
Phishing attempts typically use email to contact individuals, but they can happen over social media, text messages, or phone calls. Regardless of the channel, perpetrators can use the same techniques to gain access to sensitive data environments.
How to spot a phishing attempt?
The simplest anti-phishing solutions for businesses start with employee training. This teaches users how to recognise a phishing attempt and what steps to take to nullify it. It’s often an effective tactic, as phishing attacks rely on convincing someone within a company to complete a specific action, for example clicking a link or sharing sensitive information.
The challenge comes from the ever-changing nature of phishing attacks. Nowadays, many cyber criminals employ automation to send thousands of phishing emails to different users simultaneously. With employees constantly receiving emails for regular business operations, it can be easy to miss the signs of a phishing attempt. Fortunately, we’ve put together a list of common indicators to help you spot a phishing attempt as soon as it lands in your inbox.
Errors in grammar or spelling
It can be normal for an email to have one or two spelling mistakes. Any more than this, combined with grammatical errors, and it’s likely a phishing email. Most email providers have spell-check features to help identify mistakes quickly. For grammar, users can install a browser-based grammar checker to pick out grammatical mistakes.
Asking for identification
This fits directly into the goal of phishing: to obtain valuable information. These attempts seek to capitalise on a user’s uncertainty and will explicitly ask them to share personal information. A classic example is an email claiming there has been a ‘policy update’. To create more pressure, phishing attempts like this will often address the recipient by first name. Spotting these email attacks requires a basic level of training and awareness.
Creates forced urgency
One form of psychological manipulation used in phishing attempts is to make the email seem time sensitive, to push the recipient into acting without stopping to question the nature of the message. Phrases such as ‘last chance’, or references to deadlines, are good indicators of forced urgency. Unless you’re reading a marketing email, these phrases should feel out of place.
Sender mimicry
Oftentimes, a targeted phishing attempt (known as ‘spear phishing’) will begin with research into the organisation, usually using publicly available information about the organisation and the people who work there. The phisher then impersonates someone they know the recipient considers credible. However, this can easily be spotted if the impersonated sender’s regular email account picture is missing, or their name isn’t spelt or capitalised correctly.
A sender’s address can be cross-referenced against where the email claims to come from. For instance, if it claims to come from a business, you can check that the branding is correct. Hovering over a link can also reveal domain name inconsistencies. Most of the time, the difference from the real domain is very minor, so that the sender seems as legitimate as possible at a glance.
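As an added example that is not part of the original post, the following Python triages a raw email for the sender-mimicry and link inconsistencies described in the two paragraphs above: a sender domain that is one or two characters off a trusted domain, a Reply-To that goes somewhere other than the sender, and link text that shows one domain while the href points to another. The trusted-domain list and the sample message are assumed, constructed values.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}  # assumed: your organisation's real domains

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance: number of single-character edits separating a from b
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str) -> bool:
    """Close to, but not equal to, a trusted domain (e.g. one swapped letter)."""
    domain = domain.lower()
    return any(d != domain and edit_distance(domain, d) <= 2 for d in TRUSTED_DOMAINS)

def triage(raw_message: str) -> list[str]:
    """Return human-readable findings for the sender and link checks."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    if is_lookalike(sender.domain):
        findings.append(f"sender domain {sender.domain} looks like a trusted domain")
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses[0].domain.lower() != sender.domain.lower():
        findings.append(f"Reply-To domain {reply_to.addresses[0].domain} differs from sender")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    # What the user sees (link text) versus where the link really goes (href)
    for href, text in re.findall(r'href="([^"]+)"[^>]*>([^<]+)<', body):
        real = urlparse(href).hostname or ""
        shown = urlparse(text.strip() if "://" in text else "http://" + text.strip()).hostname or ""
        if shown and real.lower() != shown.lower():
            findings.append(f"link text shows {shown} but points to {real}")
        elif is_lookalike(real):
            findings.append(f"link domain {real} looks like a trusted domain")
    return findings

SAMPLE = """From: "IT Helpdesk" <helpdesk@examp1e-corp.com>
Reply-To: recover@mailbox-example.net
Subject: Policy update - action required
Content-Type: text/html; charset=utf-8

<a href="https://examp1e-corp.com/login">https://example-corp.com/login</a>
"""  # constructed sample message: 'l' in example has been replaced by '1'
```

Running triage(SAMPLE) reports all three findings; a plain message from an unrelated domain with no links returns an empty list.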
Attachments
Yes, attachments are sent all the time as part of business communications. However, phishing emails will always have an attachment that carries the harmful trigger. Recipients should check the file format: executable and archive files such as .exe or .zip are more likely to contain malware. If the file extension is unknown, the email should be flagged straight away.
Un-initiated conversation
A phishing email can read as though there has already been a chain of emails discussing a certain topic. This commonly manifests as updates on deliveries that haven’t been ordered, or marketing material that hasn’t been subscribed to. Here, the attack relies on the busyness and/or forgetfulness of the individual.
Repelling a phishing attempt
To repel a phishing attempt, users must be able to recognise one. Making your users aware of the above aspects of phishing emails goes a long way towards this. However, staff training can go further: employers should put theory into practice with trial phishing exercises and simulations, so that users see first-hand how cyber criminals try to achieve their goals. We advise that employers create guidelines on how to recognise phishing emails, and make them available to staff, suppliers, and customers.
It’s also important to communicate to staff how difficult spotting phishing emails can be, to encourage employees to report phishing incidents. If a person is embarrassed about being fooled by a practice phishing email, they may avoid telling someone when it happens for real.
While this is a great start, it’s best to take a multi-layered approach to phishing defence. Using technical measures in tandem with cyber security training allows businesses to bolster their resilience without impacting productivity. Software like ironscales, for example, can reduce the number of phishing emails that reach employees’ inboxes.
Professional anti phishing services
A major development in phishing attempts in recent years is that they target a wider range of business types; even public service providers aren’t safe. If you are looking for anti-phishing solutions at all levels of your business, CyberWhite has you covered. Our team can give you the perfect blend of automated and human defences to resist any phishing attempt.
Contact us today.