I was just revisiting a blog post I wrote that covered the 4 types of IT security. Somehow I overlooked one of the most common ways hackers attack companies: Phishing Emails. This common security threat deserves its own post just to make sure you have the information you need to protect your home and business networks.
Remember the days when you’d hear a “DING!” on your computer and the infamous “You’ve got mail!”… Those words filled you with excitement and the instant gratification of not waiting on the mailman. You would jump to find out who was reaching out to you and what information they wanted to share with you.
Fast forward a few years and email has become the most used communication tool in the world. Even with all the social media we have access to now, email remains our day-to-day staple. With that, it has also become the most targeted platform for hackers. Why? Because email is virtually ubiquitous and it’s easy to make an email look like it came from someone you know.
Remember how your parents taught you not to talk to strangers to keep you safe? These days, email security is similar. You’re better off only interacting with emails you expect, from people and companies you trust. Hackers have figured that out, so if they can send an email that “looks” like it came from someone you know, you’re more likely to fall for their scam.
Fear not – we’re going to give you some tips to spot those phishing emails and how to stop them if you accidentally open or click on something you shouldn’t have.
What is a phishing email? A phishing email is a scam email that looks legitimate and lures the recipient into taking the bait: providing sensitive information or unknowingly installing malware. Hackers use this information to gain control of a person’s bank account, email, computer, etc.
To stick with the analogy of “looking like someone you know”... Hackers will send you an email that appears to be from your boss, bank, a vendor, the government, etc. Some of the best examples I have seen mimic an employee’s boss’s email asking them to wire money to a bank account. You’d be surprised how often this works because the hackers are pretty damn good at spoofing the email.
Another type of phishing email contains links the hacker wants you to click; clicking them opens up your PC and gives the hacker remote access. From there, they have access to your social media accounts, email contacts, virtually everything on your computer.
Scary, right? Don’t be alarmed. Having a little knowledge of what to look for will help you protect yourself from phishing email attacks.
Here are the top 5 clues for how to spot a phishing email – and tips to prevent email phishing from impacting your life and your business.
Make sure to cross-check the email domain on any suspicious email. This is the name after the @ symbol in the email address. It should match the name and company of the attempted sender (be on the lookout for minor misspellings!). If you are unsure, try looking up the company’s email domain through a search engine.
For instance, our domain is tkg.com. So if one of my team members receives an email from todd[at]tkgg[dot]com, they know to check with me because of the suspicious second G.
Hackers and scammers tend to use online translation tools that don’t return perfect grammar or spelling, making misspellings and incorrect grammar common characteristics of phishing emails. Take a quick look through every email you receive for these kinds of identifiers. If the email reads poorly, think twice about interacting with it.
If you receive an unexpected email to your inbox, it is best practice to check all the hyperlinks before clicking on them. Occasionally, both the sender and the body of the email can appear legitimate, but the phish is hidden in the links.
If you hover over each link—without clicking on it—you can see whether the URL leads to the website you would expect based on the sender. For example, if you receive an email from Bank of America, the hyperlinks should bring you to bankofamerica.com. If not, you’re better off ignoring the email or checking with the sender to see if it’s legitimate.
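The two checks above (the domain after the @ symbol in clue 1, and the link destinations in clue 3) are exactly the kind of thing a mail gateway or help desk can automate. The following is an added example written for this post, not code from The Karcher Group; the trusted-domain list, the sample message and its `.invalid` link are constructed for illustration, and the last-two-labels domain comparison is a deliberate simplification (a real deployment would use the public suffix list). It flags a sender domain that is one or two characters away from a trusted domain (tkgg.com vs. tkg.com) and lists any hyperlink whose host is not under the domain the sender claims to be.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this organisation expects mail from (constructed for the example).
TRUSTED_DOMAINS = {"tkg.com", "bankofamerica.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character lookalikes such as tkgg.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_sender_domain(from_header: str):
    """Return (domain, verdict, closest_trusted).

    verdict is 'trusted', 'lookalike' (within 2 edits of a trusted domain)
    or 'unknown'; closest_trusted is None for 'unknown'.
    """
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return domain, "trusted", domain
    closest = min(TRUSTED_DOMAINS, key=lambda t: levenshtein(domain, t))
    if levenshtein(domain, closest) <= 2:
        return domain, "lookalike", closest
    return domain, "unknown", None


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def check_links(html_body: str, expected_domain: str):
    """Return http(s) hrefs whose host is not under expected_domain."""
    collector = _LinkCollector()
    collector.feed(html_body)
    mismatched = []
    for href in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel: etc. are out of scope here
        host = parsed.hostname or ""
        if registrable_domain(host) != registrable_domain(expected_domain):
            mismatched.append(href)
    return mismatched


def triage(raw_message: str) -> dict:
    """Apply the sender-domain and link checks to one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    sender_domain, verdict, closest = check_sender_domain(msg.get("From", ""))
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    # Compare links against the domain the sender appears to be, so a
    # lookalike sender is not used as the yardstick for its own links.
    expected = closest or sender_domain
    mismatched = check_links(body, expected)
    flags = []
    if verdict == "lookalike":
        flags.append(f"sender domain {sender_domain} looks like {closest}")
    elif verdict == "unknown":
        flags.append(f"sender domain {sender_domain} is not on the trusted list")
    for href in mismatched:
        flags.append(f"link points outside {expected}: {href}")
    return {"sender_domain": sender_domain, "verdict": verdict,
            "mismatched_links": mismatched, "flags": flags}


# Constructed sample: a lookalike sender with one good link and one bad one.
SAMPLE_MESSAGE = """\
From: "Todd" <todd@tkgg.com>
To: staff@tkg.com
Subject: Urgent wire transfer
Content-Type: text/html; charset=utf-8

<html><body><p>Please review the <a href="https://tkg.com.verify.invalid/verify">invoice</a>
and confirm via <a href="https://www.tkg.com/portal">the portal</a>.</p></body></html>
"""

if __name__ == "__main__":
    for flag in triage(SAMPLE_MESSAGE)["flags"]:
        print("FLAG:", flag)
```

Run as a script it prints one flag for the lookalike sender and one for the link whose host only begins with `tkg.com`; the second link, which really is under tkg.com, is not flagged. The edit-distance threshold of 2 is a starting point: tighten it if your trusted list contains short domains that are naturally close to each other.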
This might be the most important rule – do NOT open any attachments until you are 100% sure the sender is legitimate.
If the email is indeed a phishing attack, the attachment will contain malware that will infect your computer the second the document is opened. It doesn’t hurt to check with your IT team or contact the sender through an alternative channel so they can verify the attachment.
If you clicked one and think, even for a second, that it was a phishing email, reach out to your IT team right away. Don’t hesitate. Being a little embarrassed that you fell for it is much better than putting your company at risk.
Rewards and scare tactics are two common phishing approaches that create a sense of urgency to get you to click faster. They don’t want you to have time to go through these steps to protect yourself. A few examples include offering a monetary reward or demanding account reactivation as soon as possible. Or, by imitating your boss’s email address, a phisher can use their authority to scare you into opening a harmful attachment. Either way, take pause before clicking on these “urgent” emails.
Leveraging these five steps can help you personally protect yourself. In a business environment, I’d recommend you take it a step further and provide end users with training. This training is called phishing simulation. It’s a great way to guard against phishing attacks: it tests how effectively your employees can tell whether an email is phishing, which helps you direct training where it is needed.
It is important to continue to learn what to watch for as cyber criminals are constantly changing tactics. Make sure to have a good IT partner to lean on to help with cyber protection needs and strategy. Stay safe out there!
If you’re looking for an IT partner to increase your business’s cybersecurity, contact The Karcher Group today.