The bad guys are working overtime out in cyberspace right now, which greatly increases your chances of encountering a phishing email (or twenty) over the next several weeks. Knowing what to look for is the best way to avoid a bad click and the resulting consequences, so we dissected some examples that we received just last week, pointing out the red flags they contain.
Some phishing emails are so bad that they are instantly recognizable (i.e. the Nigerian prince scam), but others are very sophisticated and much more difficult to spot. Even though not all phishing emails are created alike, familiarizing yourself (and your team) with the common tactics does go a long way towards avoiding a disastrous click.
To help with spotting them, we took 4 recent examples of phishing emails that we received, and highlighted the red flags and/or tactics they contain. This helpful guide is something you can download, share and keep for future reference. Further down in this article, we cover the global red flags as well as tips for avoiding phishing scams.
It’s also a good time to note that as part of your network security strategy, your anti-spam and anti-virus should always be kept up-to-date. These filters will prevent known malicious email from ever reaching your network, and also cut down on the email traffic that bogs down your team. But if you aren’t running the latest version, then the software isn’t able to block those recently identified signatures.
(NOTE to Corsica customers - we have your anti-spam/anti-virus covered!)
Review of the Red Flags of a Phishing Attack
You’ll see in the PDF download the specific red flags we highlighted in each of the four examples. Generally speaking though, the most common red flags or tactics used in these scams include:
- The message creates a sense of urgency or extreme urgency – click this NOW or risk something
- Deceptive URLs - the linked text sends you to a different URL than the one it appears to
- Vague or generic message, often designed to pique your curiosity
- Awkward phrasing in the body copy
- Misspelling or grammatical errors
- Contains a “too good to be true” claim of a reward, prize or deal
- Message is not personalized to the recipient (NOTE: this is NOT true of all phishing emails…spear phishing emails are highly targeted, often towards high level business executives)
- You are being compelled to validate or confirm your account by entering your personal information
- Attempts to get an emotional reaction from the recipient – usually either fear or excitement
- Sender’s name and/or domain name are deceptive - possibly only just slightly off of what you would expect (ex: pay.pal instead of paypal).
- An unsolicited email with an attachment
- Anything about the email that seems “off” or just odd…it could be that the greeting isn’t in keeping with what you’re used to getting from the supposed sender; it could be that you think it’s strange that the supposed sender is inviting you to a party; or it could just be a gut feeling. Whatever it is, trust that feeling and verify before proceeding.
Tips to Avoid Falling Victim to a Phishing Email
The very best way to avoid a bad click in a phishing email is to stay vigilant.
Train yourself to carefully review emails, particularly when that email is asking you to follow a link. Just because it has a link in it doesn’t make it unsafe – but it does make it necessary that you stop and evaluate it just a little longer before you decide whether or not to click.
If you remember to think before you click, you and your network are much more likely to stay safe.
The other “big picture” tip for avoiding these traps is to make awareness and education a priority throughout your entire organization. Social engineering tactics work really well, particularly when the person being targeted is unaware or uneducated.
When all it takes is one bad click to take down your network, it’s critical that everyone who has access to a computer understands the risks, is aware of the consequences, and is educated about phishing scams.
Other specific ways that you can guard against an accidental click in a malicious email include:
Always carefully review the sender’s email address.
A sender’s name or domain name that is even one character off from the norm is most likely malicious. For example, a sender of microsoft.com@microsoft should raise an immediate red flag.
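As an added illustration (not code from the post or from Corsica), the following Python runs three of the red flags from the list above and the sender-address check just described against a raw email message: a From: domain outside an expected set, link text that names a host the real href does not go to, and an unsolicited attachment. The expected-domain set assumes the "dropbox" / "dropboxmail" domains mentioned later in the post correspond to dropbox.com and dropboxmail.com, and the sample message and its hostnames are constructed placeholders.

```python
import email, re
from email import policy
from urllib.parse import urlparse

# Assumed allowlist based on the post's note that Dropbox mails only from "dropbox" and "dropboxmail".
EXPECTED_SENDER_DOMAINS = {"dropbox.com", "dropboxmail.com"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # demo-grade, not a full HTML parser
HOST_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def sender_domain(msg):
    """Domain after the last '@' in From:, so 'microsoft.com@microsoft' yields 'microsoft'."""
    m = re.search(r"@([A-Za-z0-9.-]+)\s*>?\s*$", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def deceptive_links(html):
    """Links whose visible text names a host that the real href does not lead to."""
    bad = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()      # drop inline tags inside the label
        shown = HOST_IN_TEXT.search(text)
        real = (urlparse(href).hostname or "").lower()
        if shown:
            s = shown.group(1).lower()
            if real != s and not real.endswith("." + s):  # www.dropbox.com still matches dropbox.com
                bad.append((text, href))
    return bad

def red_flags(raw):
    """Check a raw RFC 822 message against three of the post's red flags; returns findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    dom = sender_domain(msg)
    if dom not in EXPECTED_SENDER_DOMAINS:
        flags.append(f"sender domain {dom!r} is not a known Dropbox sending domain")
    body = msg.get_body(preferencelist=("html",))
    for text, href in deceptive_links(body.get_content() if body else ""):
        flags.append(f"link text {text!r} actually points to {href!r}")
    if any(True for _ in msg.iter_attachments()):
        flags.append("message carries an attachment")
    return flags

# Constructed sample modelled on the post's Dropbox example; hostnames are placeholders.
SAMPLE = b"""From: Dropbox <no-reply@dropboxservice.example>
Subject: Action required: a document is waiting for you
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Open it <a href="http://login.lookalike.example/x">https://www.dropbox.com/doc</a> NOW.</p>
"""
```

Running `red_flags(SAMPLE)` reports both the unexpected sender domain and the mismatched link; a label such as "Click here" with no hostname in it is not flagged, since the check only fires when the visible text itself claims a destination.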
Do an online search.
The bulk of the phishing attacks you will receive aren’t new. So it’s likely that a quick internet search is going to confirm for you the validity of the email. For example, if you receive an e-card from “Secret Admirer”, you’re smart to be suspicious. If you aren’t quite ready to just delete it and move on, you can open up your browser and type “ecard from secret admirer” into the search bar. Doing so will confirm this to be a known scam.
So with one quick search you’ve confirmed that you aren’t missing out on a real card and you’ve saved yourself – and the company – from a potential IT disaster.
Go right to the source.
In our Dropbox phishing example, the email domain is “dropboxservice”. With another quick internet search, I confirmed directly from the Dropbox official site that “dropbox” and “dropboxmail” are the only domains used by them in their emails.
So if you just aren’t sure, best bet is to verify whatever is in question directly with the source.
This can also mean calling your financial institution if you get an email or text saying your account is frozen. Or at minimum, logging into your account on your own and checking there to see if there are any messages or requests related to your account credentials or status.
Stay in control of where you land on the internet.
You can avoid most of the dangers of phishing emails by following one simple rule – stay in control of where you land.
Back to the Dropbox example, best practice would be to avoid clicking on the link in the email, and instead navigate directly to your Dropbox account in a clean browser window. Login and check from there to see if you have a new document waiting for you.
Maybe you got an unsolicited email but you’re interested in the product, service or article. Navigate directly to that company’s site on your own and locate the information from there.
This only takes a few extra seconds to do, and can save you big in terms of the costly and unwanted downtime a cyber attack creates.
Have established SOPs around financial transactions.
We’ve noted that phishing emails can be difficult to detect, and spear phishing emails take this to a new level of sophistication. We’ve seen examples of spoofed emails that make it seem as if someone from inside a company is requesting that the CFO transfer money. We’ve seen it work too.
Best practice for any business is to have an established validation process around requests for any type of financial transaction. Require that any email request be verified directly with the supposed sender, either by phone or in person. Or have it cleared through a second member of the department.
Whatever the procedure, this extra step isn’t overly time-consuming and can save you from major losses if you are targeted by one of these highly sophisticated scams.
Share These Examples
We definitely recommend downloading and saving this review of real-life phishing email examples (use the button below to accept the PDF guide). Learning from these examples could make the difference between an email that gets spotted (and deleted) and one that causes a true IT disaster.
Stay Safe with a Sound Network Security Strategy
End-user education and training, anti-virus software and patch management are all components of a modern network security strategy. Having a layered approach is key to keeping your business safe, given the advanced persistent threats that exist today.
You can learn more about Corsica's IT solutions - which include comprehensive network security solutions - here.
We also have additional cybersecurity resources available in our Cyber Awareness Resource Center. There you can find additional guides, e-books, article links and even on-demand training webinars, all on the topic of cybersecurity. All of these information-based resources are available for free.