Phishing is big business.
Phishing is one of the most common forms of cyber-crime, yet despite how much we know about these ‘scam emails’, people still frequently fall victim.
Attackers’ tactics are becoming ever more refined, so spotting a phishing email is hard, and spotting a spear-phishing email, researched and written for one named recipient, is harder still.
A multi-layered technical defence is recommended to block these threats before they reach individuals, yet it is inevitable that some get through. It is therefore essential that staff remain vigilant and understand the precautions they need to take to protect their organisation from attack.
Phish your users. See the results. Create a culture of awareness.
Creating a culture of awareness is paramount. ITHealth highly recommends running phishing simulations to help protect your organisation: employees are sent realistic but harmless fake phishing emails, and their responses are measured to assess how susceptible they are. When phish testing is run alongside phishing training, the results are reported to double employee awareness compared with running training alone.
For NHS and local government organisations, ITHealth is currently offering a free managed trial of Sophos Phish Threat – which includes a series of automated attack simulations and security awareness training – to help evaluate how vulnerable your end users are to phishing and identify any training gaps.
Ten tell-tale signs of phishing.
Although phishing emails come in all shapes and sizes, fortunately there are some “tells” you can look for to help suss out potential scams. Such tells are as follows:
- It just doesn’t look right. Is there something a little off with the email? Too good to be true? Trust your instincts if they tell you to be suspicious.
- Generic salutations. Instead of addressing you by name, phishing emails often use generic openings like “Dear Customer.” Impersonal salutations save the cybercriminals time so they can maximise their number of potential victims.
- Links to official-looking sites asking you to enter sensitive data. These spoofed sites are often very convincing, so before revealing personal information or confidential data, examine the site to make sure it’s real. Judge it by the address shown in the browser’s address bar, not by how familiar the page looks; logos and layout are trivially copied.
- Unexpected emails that use specific information about you. Information like job title, previous employment, or personal interests can be gleaned from social networking sites like LinkedIn and then used to make a phishing email more convincing.
- Unnerving phrases. Thieves often use phrases meant to scare you (such as saying your account has been breached) to trick you into acting without thinking, and in doing so revealing information you ordinarily would not.
- Poor grammar or spelling. This is often a dead giveaway, and unusual syntax is also a sign that something is wrong. The reverse does not hold, however: a well-written email is not therefore genuine, and targeted spear-phishing messages are frequently flawless.
- Sense of urgency. For example: “If you don’t respond within 48 hours, your account will be closed.” By convincing you the clock is ticking, thieves hope you’ll make a mistake.
- “You’ve won the grand prize!” These phishing emails are common, but easy to spot. A similar, trickier variation is asking you to complete a survey (thus giving up your personal information) in return for a prize.
- “Verify your account.” These messages spoof real emails asking you to verify your account with a site or organisation. Always question why you’re being asked to verify – there’s a good chance it’s a scam. If you think the request might be genuine, go to the site by typing its address or using a bookmark rather than clicking the link in the email.
- Cybersquatting. Often, cybercriminals will register and “squat” on domain names that look like an official website (a practice also known as typosquatting) in the hope that users go to the wrong site, such as www.google.com vs. www.g00gle.com. Always take a moment to check the URL before entering your personal information, and remember that the text of a link need not match where it leads: hover over it (or long-press on a phone) to see the real destination.
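The last two tells above, links whose visible text differs from their real destination and lookalike domains such as g00gle.com, are mechanical enough to check in code. The following Python script is an added example written for this page; it is not code from ITHealth or Sophos. It extracts every link from an HTML email body, flags links whose anchor text shows one domain while the href points at another, and compares each destination's registrable domain with a small allow-list of trusted domains using a confusable-character map (0→o, 1→l, rn→m and so on), an edit-distance threshold, and a check for a trusted brand name embedded in an unrelated domain. The allow-list, the two-entry stand-in for the Public Suffix List, the confusable table and the sample email are all constructed for illustration.

```python
"""Flag phishing tells in an email body: lookalike hostnames and links whose
visible text points somewhere other than their real destination.
Added example, not from the original page; all data below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"google.com", "microsoft.com", "example-bank.co.uk"}  # hypothetical allow-list
PUBLIC_SUFFIXES = {"co.uk", "org.uk"}  # tiny stand-in for the real Public Suffix List
# Characters commonly swapped for look-alikes in typosquatted names (illustrative subset)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g"})


def registrable_domain(host):
    """Strip subdomains: www.example-bank.co.uk -> example-bank.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in PUBLIC_SUFFIXES:
        parts = suffix.split(".")
        if labels[-len(parts):] == parts and len(labels) > len(parts):
            return ".".join(labels[-(len(parts) + 1):])
    return ".".join(labels[-2:])


def normalise(domain):
    """Collapse common visual substitutions so g00gle.com and rnicrosoft.com compare equal to the brand."""
    return domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w").replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance, catching one- or two-character typos such as goggle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return 'trusted', 'lookalike of <d>', 'carries brand <d>' or 'unknown'."""
    host = host.lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in sorted(TRUSTED_DOMAINS):
        if normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) <= 2:
            return f"lookalike of {trusted}"
        if trusted in host:  # e.g. google.com.login-verify.net: brand used as a subdomain
            return f"carries brand {trusted}"
    return "unknown"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname from a URL or bare domain written in anchor text, else None."""
    m = re.search(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", text.lower())
    return m.group(1) if m else None


def audit_links(html):
    """Return [(destination host, verdict)] for each link in the email body."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = (urlparse(href).hostname or "").lower()
        if not real:
            findings.append((href, "no http host"))
            continue
        verdict = classify_host(real)
        shown = host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(real):
            verdict += f"; text shows {shown} but link goes to {real}"
        findings.append((real, verdict))
    return findings


# Constructed sample combining several tells: generic salutation, 48-hour deadline,
# a "verify your account" link to a typosquat, and a link whose text lies about its target.
SAMPLE_EMAIL = """<p>Dear Customer,</p>
<p>Your account will be closed in 48 hours. <a href="https://www.g00gle.com/verify">Verify your account</a></p>
<p>Or sign in at <a href="http://example-bank.co.uk.secure-login-check.net/">https://www.example-bank.co.uk</a></p>
<p>Questions? <a href="https://support.google.com/">Google support</a></p>"""

if __name__ == "__main__":
    for host, verdict in audit_links(SAMPLE_EMAIL):
        print(f"{host:45} {verdict}")
```

Run against the sample, the first link is reported as a lookalike of google.com, the second as carrying the example-bank.co.uk brand inside an unrelated domain with anchor text that contradicts the href, and the third as trusted. The allow-list approach is deliberate: an organisation knows which handful of domains its staff should be sent to, so anything that merely resembles one of them is worth a second look, whereas a deny-list of known bad domains is always a step behind the attacker.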