As an employee, you are your company’s first line of defense in protecting against cybersecurity risks, most of which come from identifying phishing emails. 25% of employees have admitted to clicking on a phishing email – we’re human, so mistakes happen. Unfortunately, 91% of data breaches start with a phishing attack, so knowing what to look for can reduce your chance of becoming an addition to the stat.
Here are eight questions to ask to help you identify a potential phishing attempt:
1. Is the sender familiar?
When it comes to identifying phishing emails, rushing can be your downfall, so slow down. If the sender is unfamiliar, do a thorough analysis. Check the display name and email address. Using banks, credit cards, and big retailers, scammers will impersonate display names to appear legitimate. Be sure the domain matches the organization’s name – @microsoft can become @microsaft or @microsoft123. Check online for legitimate URLs.
2. Is the greeting generic?
If you are doing business with someone, they should be using your name – it’s simple to personalize an email these days. If the email starts with “dear sir or madam,” you can be sure it’s not your bank or credit card company. Hackers may also avoid using a salutation altogether and move you directly to take action through a link.
3. Are there spelling and grammar errors?
These errors can be due to poor language translations, but they aren’t always mistakes. Sometimes they are meant to bypass spam filters that block keywords and phrases to prevent phishing attempts. They also weed out targets with greater attention to detail that are less likely to fall for their bait. Bottom line: legit businesses know how to spell.
4. Is the message urgent or threatening?
Pushing you for a quick response is a common trick to get you to act without thinking. Messages like “recent account changes” or “your package couldn’t be delivered” are screaming for immediate attention. Don’t respond, or click attachments or links, until you are 100% confident that the email is from a trusted source. If you can’t determine that, try contacting the organization through ways you trust.
5. Are they asking for personal information?
Never send personal information through email – reputable companies won’t ask you to do that. Be suspicious if they request you to provide login credentials, account numbers, payment information, etc.
6. Are the email domains consistent?
Always check embedded links in an email by hovering the cursor over them, but don’t click on them! If the link address doesn’t match the embedded link, it is most likely malicious and redirecting you to a phishing website. Remember, never click on a domain without a URL that starts with https.
7. Are there suspicious attachments?
Malicious attachments are an easy way for attackers to deploy malware onto your device and gain access to sensitive data. Look for file types like .exe, .scr, and .zip. Most reputable institutions will direct you to their website to download documents or files – they don’t randomly send you emails with attachments.
8. Is it an urgent internal request?
Don’t automatically trust emails from internal sources if you have concerns about the email – like requests for urgent attention or asking for sensitive information. HR-related emails are top on that list and most often involve a financial verification or change. Message or call to confirm the sender is legitimate.
Think the email you’re looking at is a phishing attempt?
Don’t just delete it. Flag it as spam mail so your email client will know to move these types of emails to your spam folder in the future, ensuring you don’t accidentally open them going forward.
Phishing attacks are becoming increasingly sophisticated, and you simply won’t always be able to detect them. If you think a phishing attack has fooled you, immediately report it to your IT department. Don’t let embarrassment hold you back. Your IT team will be able to determine if the email you received is legit, run a virus scan, and address suspicious activity.
So, should you lose sleep over phishing attempts? No, there are a lot of phishing emails out there, but fortunately, antivirus, firewalls, and spam filters stop most of them from ever getting into your inbox – so you won’t have to see them often. You only need to be prepared to defeat the few that get through. Stay educated and be cautious and discerning about what you open or click on.