One of the recommendations I made in last week’s TechTips regarding the WannaCry ransomware attack was to make sure your employees are always reminded of the danger of opening emails from unknown entities.
In this week’s TechTips I am going to provide a bit more detail on how to spot a phishing email.
My hope is this information will help you, your fellow employees, and perhaps your clients be better prepared to prevent a virus or ransomware attack on your organization.
What is Phishing?
According to Wikipedia, “Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.” Cyber criminals use emails designed to look like they came from a legitimate bank, government agency, or organization. Typically, these emails ask you to click on a link that goes to a page where a form asks for personal information or account information.
Tips to Protect Yourself and Your Organization
Following are some tips to help you recognize phishing emails, so you do not get caught in a cyber criminal’s trap. Understand that these tips are not foolproof, but certainly will help you better understand the difference between legitimate emails and phishing emails.
1. A real company does not request sensitive information in an email.
Companies know that phishing emails are a real problem. Look at the legitimate emails you receive from your bank. They always tell you to log into your online bank account to provide them sensitive information. A real company will never ask you to click on a link that takes you to a website to enter sensitive information. If they do, stop doing business with them.
2. A real company knows who you are.
Phishing emails often have generic greetings. You do have to be careful here, however, because smarter cyber criminals may have done research on the organization and use a legitimate name and title in a phishing email.
3. A real company sends emails from their own domain.
If you have any doubt about a received email, always check the domain the email was actually sent from. You can see the real sending address by hovering your mouse over the “from” name. This is not a foolproof method, as companies sometimes use other domains to send emails to customers.
4. A real company knows how to spell and use correct grammar.
This can be subtle. Most companies take great pains to make sure the spelling and grammar within their emails to customers are accurate and proper. If the text in an email seems off, it could be a tip-off to a phishing email. Also, the description of currency can be a tip-off. $100 USD is not a normal way to describe a price. Unless you do a significant amount of international business, using USD to describe U.S. dollars is not common.
5. A real company does not send image-only emails.
Some phishing emails look like they contain text but only include an image. The danger is that the picture could be one big hyperlink. You may be thinking you’re clicking on a link in the email when in fact you’re clicking on the image.
6. A real company does not randomly email attachments.
Receiving an email from a company with an unexpected attachment is another tip-off that the email might not be legitimate. While this is not always the case (you could receive an invoice as an email attachment), be very skeptical of any email that contains an attachment you are not expecting.
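Tips 3, 5 and 6 above can be turned into a mechanical check on a raw message. The script below is an added example (not part of the original TechTips) that parses a constructed sample email with Python's standard `email` library and reports findings for an unfamiliar or mismatched sender domain, an image-only body wrapped in one hyperlink, and an unexpected attachment; the domains and the `trusted_domains` set are made up for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message for this example; reserved .example/.invalid TLDs cannot resolve.
RAW_MESSAGE = """\
From: "Example Bank Support" <support@examp1e-bank-alerts.example>
Reply-To: collect@mailbox.invalid
To: you@yourcompany.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://examp1e-bank-alerts.example/login"><img src="cid:notice"></a></body></html>
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

def header_domain(header_value):
    """Lowercase domain of the address in a From or Reply-To header ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def check_message(raw, trusted_domains):
    """Return findings keyed to tips 3, 5 and 6 for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = header_domain(msg["From"])
    reply_dom = header_domain(msg["Reply-To"])
    if from_dom not in trusted_domains:                      # tip 3: company's own domain?
        findings.append(f"tip3: From domain '{from_dom}' is not one the company uses")
    if reply_dom and reply_dom != from_dom:                  # tip 3: replies routed elsewhere
        findings.append(f"tip3: Reply-To domain '{reply_dom}' differs from From domain")
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":   # tip 6: unexpected attachment
            findings.append(f"tip6: unexpected attachment '{part.get_filename()}'")
        elif part.get_content_type() == "text/html":          # tip 5: image-only body
            html = part.get_content().lower()
            visible_text = re.sub(r"<[^>]+>", "", html).strip()
            if "<img" in html and "<a " in html and len(visible_text) < 20:
                findings.append("tip5: body is an image wrapped in a hyperlink, with no real text")
    return findings
```

Calling `check_message(RAW_MESSAGE, {"example-bank.example"})` returns four findings for the sample; a message that passes all three checks returns an empty list.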
Take these steps if you identify a phishing email
Following are some steps you should take if you receive a phishing email:
- Make sure you do not click on any links within the email or open any attachments. Also, be careful before you click on any pictures that might be contained in the email.
- Don’t reply to the sender.
- Report the phishing scam to your spam filter company (AppRiver in my case) and the FTC at firstname.lastname@example.org.
- Delete the email. Make sure you physically remove it from your computer. If you are using Outlook, make sure to use the Shift|Delete keys, not just Delete. Deleting an email in Outlook moves it to the deleted items folder. Using Shift|Delete physically removes the email from your computer.
- If you do business with the company mentioned in the email, you can check with the firm (an actual phone call?) to let them know their name is associated with a phishing email.
- If you are not sure a received email is legitimate (especially if it has an attachment that you are not expecting), send a separate email — don’t use reply! — asking the individual if they sent you the attachment. My personal rule? If I receive an email with an attachment I am not expecting, I delete it.
None of the tips mentioned above are foolproof. They will, however, provide you with a quick checklist you can use when evaluating a suspicious email. The greatest asset of an organization is their employees. The most significant security risk for an organization is their employees. We all need to be reminded constantly that not every email you receive is legitimate, and an illegitimate one could cause you and the organization great harm.
What other tips would you suggest to protect your organization against phishing emails?