How to Spot a Phishing Email

Does something seem fishy about that last email? Weird writing? An unknown sender? If that sounds like the case, you may have received a phishing email…

Don’t get hooked by digital scammers! Today, we’re unravelling the essential steps to protect your organisation from attacks, giving you the top tips on how to spot a phishing email!

What is a phishing email?

There’s not much we can do to prevent a phishing email attack if we don’t know what that is in the first place! Spotting a phishing email is your first line of defence – so what exactly is it?

A phishing email is a fraudulent message sent by cybercriminals to deceive staff into revealing sensitive information such as passwords, credit card numbers or personal and business data.

Notoriously, phishing emails often appear to come from a legitimate source, like a bank or well-known brand, making them difficult to distinguish from genuine communications.

Phishing emails use a variety of tactics to reel in their victims, like creating a sense of urgency by referring to an account suspension or unauthorised transaction. On the other hand, phishing emails might also offer enticing rewards, like prizes or special offers, encouraging users to click on a link or download an attachment.

Phishing attacks might even take it one step further to fool your team, like redirecting them to a fake website designed to collect their personal information. And now – in today’s ever-changing digital landscape – QR code phishing attacks are also becoming an increasing threat that needs to be considered.

So, what can you do to prevent these attacks from occurring?

What are the 8 ways to spot a phishing email?

How can you spot a phishing email? Recognising phishing scams is vital to safeguarding personal and financial data. By understanding the characteristics of phishing emails and employing strategies to identify them, individuals can better protect themselves from these digital threats. Here are 8 ways to spot a phishing email:

Email is sent from a public domain

If you’re looking for authenticity, check the domain name (the section after the @ in an email address): it should match the organisation the sender claims to be from.

On the other hand, if you get an email from an address not associated with the sender, it’s likely a scam. This is a good start in spotting phishing emails.

A clear way to spot a potential phishing email is if the sender is using a public domain, ‘@gmail.com’, for example.

Always remember – the essential part of the address is after the @ symbol. This tells you the organisation from which the email has been sent, or if it comes from a personal account.

The domain name is incorrect

If public domains were the only issue, spotting a phishing email wouldn’t be such a hassle. However, there are other ways scammers can mess with domains that make phishing emails a pain to catch.

Anyone on the internet can buy a domain name, and there are plenty of ways to create addresses that are strikingly similar to the ones being mimicked, making it difficult to spot a phishing email.

For example, you may receive an email from “cbyersecuirtyonline”. To most people – especially those who are busy with their workflows – that may look legitimate, and the slightly incorrect spelling may go unnoticed.

Grammatical errors and poor English

In line with the changes to a domain name, sometimes the content of the email itself is a giveaway that the email is a phishing scam.

You can often tell an email isn’t authentic when it’s riddled with grammatical errors, weird punctuation and poor spelling.

Notably, most scammers use a spellchecker or language translator to give them the right words, but not necessarily the correct context to make the sentence read properly.

The difficulty is deciding whether the spelling mistake is a genuine slip-up or a poorly written phishing email. If there’s ever any doubt, you can always contact the sender using another line of communication – in person, by phone, or an alternative email address etc. – to check if they have indeed sent the message.

Suspicious attachments or links

When a phishing email is sent, it will always contain a payload – malicious code with a specific action to perform on a targeted system.

Payloads capture valuable and sensitive organisation data, such as credit card details, phone numbers, passwords and login credentials. Here are some of the payloads you might come across…

Infected attachments

An infected attachment is a document sent that contains malware. This attachment could be an invoice, a PDF or an image – the list can go on. But the second it’s clicked, it’s game over…

Never open an attachment unless you are 100% sure the message is from a legitimate source.

Suspicious links

If the link destination doesn’t match the context of the email, you’ve got yourself a suspicious link.

What’s frustrating is that both real and scam emails can hide a link in a Call To Action button, so it’s not immediately clear where the link goes or if it’s genuine.

However, there is a solution. On a computer, you can hover your mouse over the link to check whether the address that appears is legitimate. On mobile devices, hold down on the link, and a pop-up will appear showing the destination without opening it.
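
The hover check described above can also be done in code before a message reaches the reader. This added example (not part of the original article) parses an HTML email body and reports links whose visible text names one site while the link goes to another, as well as buttons whose destination is not on the sender's domain. The sample body, the hosts and the sender domain are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; every host and the sender domain are placeholders.
SAMPLE_HTML = (
    '<a href="https://portal.cybersecurityonline.example/help">Help centre</a>'
    '<a href="http://203.0.113.7/verify">www.cybersecurityonline.example</a>'
    '<a href="https://account-check.example.net/login"><b>Verify now</b></a>'
)

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def host_of(value: str) -> str:
    """Host part of a URL or bare domain, lower-cased; '' if there is none."""
    return (urlsplit(value if "://" in value else "//" + value).hostname or "").lower()

def same_site(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def review_links(html_body: str, sender_domain: str) -> list:
    """Return (text, destination host, finding) for links that need a second look."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        dest = host_of(href.strip())
        # Only treat the visible text as a claimed address if it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and not same_site(dest, shown):
            findings.append((text, dest, "text shows a different site"))
        elif not same_site(dest, sender_domain):
            findings.append((text, dest, "destination is not the sender's site"))
    return findings
```

Running `review_links(SAMPLE_HTML, "cybersecurityonline.example")` leaves the help-centre link alone and reports the other two.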

Email is written in a way that creates urgency

A good organisation knows that it’s better to be safe than sorry, especially when it comes to data protection.

However, phishing scammers are also aware of this and will do everything in their power to get you to drop your guard as quickly as possible. That’s why phishing emails are likely to have a strong sense of urgency in their tone.

One example you may be familiar with is a manager asking you to send over information within the hour and that it’s an absolute priority to get this done.

Nobody wants to aggravate the manager, and you may feel inclined to send over the details just to avoid a potentially awkward chat later on. But by then, the scammers have already won.

Scammers know that an email from the boss means a lot, so don’t give them the satisfaction of falling for it. If you’re unsure, check with a line manager or speak to the person face to face.

Requests for confidential information

On the whole, it’s unlikely that someone at work will ask for your details – passwords, bank details, etc. – out of the blue.

Most organisations will never ask for personal information via email. And so, if you ever receive an email asking for these details, you should report the email immediately to a member of staff.

What to do if you click on a phishing link?

Mistakes were made, and you’ve been hooked. But don’t worry, it’s not the end of the world, as long as you act fast! Here are the essential steps you need to take if you’ve been reeled in by a phishing email:

  • Don’t give out any information. Do not give any information out or interact with the website in any way. Leave the website immediately to avoid further issues.
  • Switch off from the internet. Disconnecting from your Wi-Fi will allow you to safely investigate the attack.
  • Check for malware. Use anti-malware software that can scan and detect if your device has been infected.
  • Back up your data. Back up your files through an external storage device. That way, you can stay offline but ensure your data is backed up.
  • Change your password. Update your passwords immediately. DO NOT perform these updates on the device affected by the phishing scam.
  • Report! Once you’ve double-checked that your device is safe, go back to the email and click the “Report spam” button. Additionally, you can get in touch with the National Cyber Security Centre.

Protect your organisation from phishing attacks

Cyber security attacks continue to be a malignant presence across UK organisations.

According to the Cyber Security Breaches Survey 2024, in the last year alone, 50% of businesses reported having experienced some form of cyber security breach or attack, with 84% of them stating the most common type of breach was through phishing.

As technology becomes even more integrated into our day-to-day lives, traditional cyber security training just won’t cut it… That’s where we come in!

With CSA, you can take full advantage of our Phish999 service, which combines advanced AI technology and unique user awareness experiences.

Not only does Phish999 protect your organisation from harmful phishing attacks, it also educates your employees and boosts their vigilance towards cybercrime!

Additionally, you can pair this with cyber security awareness training to further your employees’ understanding of cyber security best practices, helping to prevent staff from causing cyber security incidents.

So, if you’re looking to fortify your network from data-damaging scams, speak to one of our experts today.
