How to Spot Phishing Emails: A Guide for Tonbridge Professionals

10 June 2025 by John Speed

What is Email Phishing?

Email phishing is a type of cyberattack.

The attacker sends an email impersonating someone that you, the recipient, trust: this could be a colleague; a reputable organisation (like your bank or one of your suppliers); or a friend or family member.

The email will usually either ask for sensitive information (like employee login credentials) or download ransomware to your device. In either case, the goal is to give cyber attackers access to your business systems.

Why is Phishing still a problem?

Phishing attacks (by email and other media like text messages, adverts and phone calls) are becoming increasingly sophisticated and attackers are getting better at impersonating people we trust, including our colleagues.

Whether you are an employee or someone who employs others, this is an easy route in for attackers to steal business data and potentially lock you out of your own accounts, both personal and professional.

Some cyber attackers target employees of companies in smaller towns, like Tonbridge, for this very reason: there are many employees and it only takes one unwary person for an attacker to find a way in and compromise the whole business network.

If you get an email that seems genuine and demands urgent action, just one click from you can create a huge security risk for you and your company.

6 tips for spotting Phishing Emails

Some phishing emails are easier to spot than others and, as phishing scams become more sophisticated, the usual clues of poor spelling or poor grammar in the email aren’t as common as they were.

At work, we are often under time pressure and want to get through our email inbox as quickly as possible. That’s exactly the kind of pressure that makes it easier to fall for a phishing email.

All professionals should protect themselves by becoming familiar with the ways phishing attacks operate, so they can spot the signs for themselves.

1. Pause before clicking a link or downloading an attachment

It’s good practice to pause and double-check any email that includes an attachment or asks you to click on a link, even if it’s from someone you already trust. Ask yourself: am I expecting a link or attachment from this person, or was this email unsolicited?

If you have any doubts at all, follow the rest of the tips below to gather more evidence.

If the email was from someone you know but unsolicited and you believe it may be suspicious, contact them using another method to check if they really did send the email.

In a work context, a better way to share and collaborate on documents is to use a cloud platform like M365 or something similar.

2. Spelling and grammar mistakes

While cyber attackers are getting more savvy, any email that has spelling mistakes or is poorly written could still be a sign it’s part of a phishing scam.

Also ask yourself: is this the same tone of voice or way of writing that this person or organisation usually uses? If not, this could be a sign the email is a fake.

If you have any doubts, don’t do anything the email asks you to and report it to your IT department.

3. Email is not personalised

Emails that have not been personalised are now much rarer, especially from third parties that already hold account details for us (like Microsoft or Google). Therefore a generic email that has not been personalised could be a sign of a phishing attack.

However, as we mentioned above, phishing email attacks are becoming more sophisticated, and therefore more of them include personalised emails to catch us out, so don’t use personalisation as proof the email is genuine.

4. Incorrect or mismatched sender email address

If you’re being asked to do something risky (like download an attachment or verify account details), make sure to check the email address of the sender.

Attackers often use email domains or website domains that are misspelled or subtly different to the official domain. This is because they can’t use the same domain, but they can choose one that looks very similar, especially to a busy reader.

5. Incorrect or mismatched link text

Phishing attacks that try to get targets to click on a link will almost always hide that link in a button or behind some other text like “Click here”. A really simple tip is to hover over the button or the link text, which will then show the target link (that is, the address the link will take you to). If it doesn’t look like the address you are expecting, treat it as suspicious.
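The checks in tips 4 and 5 can also be automated. The following is an added example, not part of the original article: it flags a domain that nearly spells a trusted one, and a link whose visible text names a different site than its target. The `TRUSTED` list, the helper names and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"microsoft.com", "google.com"}  # assumption: domains you really deal with
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")
SAMPLE_HTML = (  # constructed sample body, not a real message
    '<a href="https://micros0ft.com/verify">Click here</a>'
    '<a href="http://login.example.net/reset">https://www.google.com/account</a>')

def registrable(host):  # simplification: last two labels, no Public Suffix List
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def distance(a, b):  # Levenshtein edit distance, computed row by row
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row = row, [i]
        for j, cb in enumerate(b, 1):
            row.append(min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + (ca != cb)))
    return row[-1]

def lookalike_of(host):  # tip 4: the trusted domain `host` nearly spells, else None
    return next((t for t in sorted(TRUSTED) if 0 < distance(registrable(host), t) <= 2), None)

class _Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):  # tip 5: compare what the link shows with where it goes
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text.lower())
        if shown and registrable(shown.group(0)) != registrable(target):
            findings.append(("text-mismatch", text, target))
        elif lookalike_of(target):
            findings.append(("lookalike", text, target))
    return findings
```

The same `lookalike_of` check applies to the domain part of a sender's address. A clean result is not proof that an email is genuine, because a lookalike of a domain missing from `TRUSTED` passes unnoticed.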

6. Demand for urgent action

Attackers will use language that creates a sense of urgency, for example “we’ve noticed suspicious activity” or “your account is at risk”, because this creates a sense of panic and pressures us to act quickly, before checking the details.

If the email suggests you need to act now or there will be negative consequences, definitely take more time to check it is legitimate. Likewise, if the email is asking you to bypass usual security measures to “protect your account”, treat it with suspicion.

What should you do with a suspicious email?

If you’ve been through the tips above and you have an email you’re not sure is genuine, here’s what you should do:

  1. Don’t click any links or reply to the email.
  2. If you know the sender, contact them using alternative means to check whether or not they sent it (use contact details you know are genuine – don’t reply to the email!)
  3. If the email was sent to your work email, report it to your IT department. If sent to a personal email, report it to your email service provider.
  4. Delete the email (it’s fine to do this once you’ve reported it)

Be cyberaware, stay protected

At Heliocentrix, as part of our extensive IT support in Tonbridge and throughout Kent, we offer cyber security awareness training for employees.

Contact us for all your IT support and security needs.
