The prevalence and sophistication of phishing attacks are consistently on the rise, and scams frequently target both businesses and consumers in an effort to gain access to personal information and steal data and/or money. Attacks are often leveled at the most vulnerable among our population – elderly people. They also frequently succeed when they take advantage of individuals who are busy, distracted or lacking in cybersecurity education.
Omega Systems’ Security and Compliance Officer Rick Mutzel recently weighed in on this rising issue, talking to WFMZ-TV 69 News after a local Pennsylvania woman was scammed out of more than $100K.
Phishing emails are carefully researched and contrived to target specific recipients. Hackers will scour social media profiles and conduct online research to identify future victims’ personal details (family connections, old employers/colleagues, hobbies) – anything they can use to tempt you into falling for their scheme.
The only way to strengthen your defenses against such attacks is through cybersecurity awareness and education (which is why annual security awareness training should be a critical component of your risk management program!). With a keen eye and understanding of common warning signs, employees can act as a key first line of defense in your business’ cybersecurity strategy.
Here are some of the most common signs that an email or message may be a scam:
- Unfamiliar Greeting: The sender spells your name wrong, or uses a first and last name, or calls you by your full name when you usually go by a nickname. Something might seem “off” with the tone of the greeting.
- Grammar and Spelling Errors: Messages originating from a professional source should be free of spelling and grammar errors. Be sure to double-check the sender email address carefully – often just a single letter is misplaced or missing.
- Inconsistent Email Addresses, Links & Domain Names: If a link is embedded in the email, hover over the link to verify the destination URL. If the email is allegedly from Website A, but the domain of the link is not “websiteA.com” (or a subdomain of it), that’s a huge red flag. If the domain names don’t match, don’t click. Corporate employees may want to pass these suspicious emails on to their IT departments (or outsourced MSPs) to investigate further.
- A Sense of Urgency: Hackers may use threats or a sense of urgency to fluster users into opening and taking action on fraudulent messages.
- Suspicious Attachments: When an email with an attached file is received from an unfamiliar source, or if the recipient did not request or expect to receive a file from the sender of the email, the attachment should NOT be opened. A good rule of thumb is to send a separate message to the supposed sender and ask them to confirm whether, and what, they sent you.
- Generic Greetings: In some cases, instead of personalizing their attacks, hackers will use generic and impersonal greetings such as ‘Dear Customer’ or ‘Valued Employee’ to save time and maximize their number of potential victims. Regardless of the greeting, be sure to verify the sender email, domain & other information before taking any actions.
- Unusual Requests: No one should ever ask you for your personal information via email. Do not send any personal information, login info, passwords, social security numbers, or money before confirming that request with the sender. This is one of the most glaring red flags within a phishing email. Likewise, if a message asks you to install or patch something on your computer, forward that message to your IT team.
- You’re a Prize Winner: Hackers will often use bribery to tempt you to open a fraudulent email. If you get a message telling you that you will benefit from a discount or win a prize by clicking on a link or opening an attachment – do not open it; report it to your IT team.
- Vague Message: Be on the lookout for vague messages such as ‘here’s what you requested’ or an attachment titled ‘additional information’. Hackers often rely on vague messaging to persuade recipients into clicking on malicious attachments or links.
- Request for Credentials, Payment Information or Other Personal Details: One of the most sophisticated types of phishing schemes is when an attacker sends an official-looking email whose link directs recipients to a fake landing page. The fake landing page will have a login box or request that a payment be made to resolve an outstanding issue. Again, this should raise a red flag. Do not enter any sensitive or financial information without first verifying the request with the sender.
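As an added example (not part of this article or Omega Systems’ materials), here is a small Python check that a mail-filtering or triage script could run for two of the signs above: links whose host is not actually under the claimed sender’s domain (the automated version of hovering over the link), and sender domains that are one or two letters off a trusted one. The sample message, the domain names and the function names are all constructed; note that the domain check is deliberately a suffix match rather than “does the link include websiteA.com”, because a host such as websiteA.com.evil.net would pass a plain substring test.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the From: header claims websiteA.com,
# but the first link only *contains* that string; the second is a real subdomain.
SAMPLE_EMAIL = """\
From: Support <support@websiteA.com>
Content-Type: text/plain

Your account is on hold. Verify now: https://websiteA.com.login-check.net/verify
Help is at https://www.websitea.com/help if you have questions.
"""

def registrable_domain(host: str) -> str:
    """Last two labels of a host (simplified: ignores multi-part suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_belongs_to(host: str, expected: str) -> bool:
    """True only if host equals expected or is a subdomain of it. A plain
    substring test would wrongly accept a host such as websiteA.com.evil.net."""
    host, expected = host.lower(), expected.lower()
    return host == expected or host.endswith("." + expected)

def find_mismatched_links(raw_message: str) -> list[str]:
    """URLs in the body whose host is not under the From: address's domain."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rpartition("@")[2])
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return [u for u in urls if not host_belongs_to(urlparse(u).hostname or "", sender_domain)]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter-off sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender_domain: str, trusted: list[str], max_distance: int = 2):
    """Return the trusted domain that sender_domain nearly, but not exactly, matches."""
    for t in trusted:
        if 0 < edit_distance(sender_domain.lower(), t.lower()) <= max_distance:
            return t
    return None
```

In production, replace the two-label `registrable_domain` shortcut with a public-suffix-list lookup so that domains like example.co.uk are handled correctly.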
Phishing awareness training and testing reduces the likelihood that an employee in your organization will compromise the security of your data. We strongly advise that businesses incorporate managed phishing tests into their annual training regimens to help further educate employees on the dangers of phishing scams.