Ever been phished? It is nothing to be proud of, but it is now completely common for every one of us to receive phishing emails almost daily, if not several a day.
“You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time.” –Abraham Lincoln
Phishing emails: what are they?
What is phishing? Phishing is a type of social engineering attack in which attackers attempt to steal user data: login credentials, credit card details and/or any other sensitive data. Phishing occurs when an attacker pretends to be someone they are not, usually using a well-known name or brand to attract you. Their objective is ultimately to have you open an email, instant message or text message, and then trick you into clicking a malicious link, which can lead to the installation of malware, the freezing of a system as part of a ransomware attack, or the revealing of sensitive information.
An attack like this, commonly carried out through phishing emails, can have devastating consequences. For individuals it can mean unauthorised purchases, stolen funds or even identity theft. For corporate or governmental networks, phishing is often used to gain a foothold as part of a larger attack. In an advanced persistent threat (APT) event, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment or gain privileged access to secured data. Such attacks can cause an organisation severe financial losses in addition to declining market share, reputation and consumer trust.
How to recognise a phishing email?
Legit companies don’t request sensitive information over emails
When you receive an unsolicited email from an institution asking for your details by requesting that you click a link or open an attachment, it is highly likely to be a scam! Companies will not send you an email asking for your passwords, credit card information or tax details, nor send you an unknown link or attachment to log in to or download.
Legit companies call you by name
Most of the time, if not always, phishing emails do not address you by your name but use generic salutations such as “Dear customer”, “Dear account holder” or “Dear valued member”. If it is a legitimate company, and one that you have been dealing with, all of their correspondence would address you by name, and most probably direct you to contact them by phone.
Having said that, there are also hackers who avoid using a salutation altogether. This is commonly seen with advertisements. See the example of a phishing email below. Can you spot that it is potentially malicious?
Other than going through the email content thoroughly, always check the email domain that was used to send it to you.
Legit companies use domain emails
As the example above shows, besides properly going through the content of an email, it is important to check the domain it was sent from. You can check the sender’s address by hovering your mouse over the “from” field to see the full email address. Make sure that no alterations (such as additional numbers or letters) have been made to a known company or brand name. A clear example can be seen by comparing the two email addresses below:
Do note that this isn’t a foolproof method. You may also come across companies that use unique or varied domains to send emails, and there will be occasions where smaller companies use third-party email providers. So it is important to get to know the companies you have engagements with, and to read through your emails in detail before taking any action.
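The sender-domain check described above can be automated as a first-pass filter. The following is an added example, not code from the original post: it parses the From header, extracts the domain, and flags the two classic alterations (a one- or two-character change to a known domain, or a known brand name embedded in an unrelated domain or display name). The list of known domains and the sample headers are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: domains of the companies we actually deal with.
KNOWN_DOMAINS = {"paypal.com", "amazon.com", "example-bank.com"}

# Constructed sample headers (not real messages) to run the check against.
SAMPLE_HEADERS = [
    "From: PayPal <service@paypal.com>\n\nbody",
    "From: PayPal Support <service@paypa1.com>\n\nbody",
    "From: Amazon <noreply@amazon-account.com>\n\nbody",
    "From: PayPal Billing <billing@gmail.com>\n\nbody",
    "From: Alice <alice@gmail.com>\n\nbody",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_parts(raw_message: str) -> tuple[str, str]:
    """Return (display name, domain) taken from the From header."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    return name, addr.rpartition("@")[2].lower()


def assess_sender(raw_message: str) -> str:
    """Classify the sender domain relative to the domains we know."""
    name, domain = sender_parts(raw_message)
    if domain in KNOWN_DOMAINS:
        return "known"
    for known in sorted(KNOWN_DOMAINS):
        # One or two altered characters (paypa1.com, amazom.com) is the classic trick.
        if levenshtein(domain, known) <= 2:
            return f"lookalike of {known}"
    for known in sorted(KNOWN_DOMAINS):
        brand = known.split(".")[0]
        # Brand name embedded in an unrelated domain (amazon-account.com) or only in
        # the display name while the real address is a free-mail account.
        if brand in domain or brand in name.lower():
            return f"claims to be {known} but sent from {domain}"
    return "unknown"


if __name__ == "__main__":
    for raw in SAMPLE_HEADERS:
        print(sender_parts(raw)[1].ljust(24), assess_sender(raw))
```

Only the first sample is reported as known; the others are flagged as a lookalike, a brand name inside a different domain, a brand name used only in the display name, and an unknown sender respectively. A verdict of "unknown" is not proof of legitimacy, which is exactly the caveat the paragraph above makes.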
Legit companies know the right spellings
One of the easiest ways to recognise a scam email is the bad grammar. An email from a professional organisation should be well written, without obvious spelling or grammar issues. You may wonder what the purpose of bad grammar in a phishing email is. There is actually a purpose behind it. Hackers generally aren’t stupid or naive; they take advantage of the less educated, believing them to be less observant and thus easier targets.
Legit companies will not force you to their website
A lot of the time, the entire body of a phishing email is coded as a hyperlink. Hence, clicking anywhere in the email, whether accidentally or deliberately, will open a fake webpage or even download spam onto your computer.
Legit company links match legitimate URLs
A good rule to follow: before clicking a link sent to you in an email, make sure that the text of the link is identical to the URL displayed when the cursor hovers over it. From this, you can tell whether you will be taken to a legitimate website or one that could be malicious. If a hyperlink’s URL doesn’t match the context of the email, or looks suspicious, don’t trust it.
For additional security, check that links begin with https:// when you hover your mouse over them, before clicking.
Phishing emails are common now. Having a good security system for your website is important, but it does not mean that every possible attack can be filtered out. It takes one careless click, or one misread, to be fooled by a phishing attack that could harm the data you’ve been protecting. Depending on its scope, a phishing attempt could escalate into a security incident that you will find difficult to recover from.
Ensure that everyone in your company knows and understands the patterns of phishing emails, to avoid being attacked.