In last week’s blog post, we talked about the rise of the phishing email, now one of the most common methods of digital attack. We showed you how dangerous these emails can be, and what to do if you think you’ve fallen for one.
As a reminder, phishing emails are fraudulent messages that usually appear to be from some well-known, legitimate company or authority (like the IRS). But they actually come from scammers trying to steal account information and other personal data.
If a user clicks a link in a phishing email and tries to log into the (fake) page, the scammers immediately get access to whatever the user typed (usually a username and password).
While it’s good to know about phishing emails, the real trick is to be able to recognize phishing emails in the first place. If employees know the email’s a phony, they should know to delete it, not click through.
So, with that in mind, here are our top tips for avoiding getting phished.
Scammers don’t have the time (nor the editorial or marketing departments) to invest heavily in copy. And many attacks originate from countries where English isn’t the native language. The result? Many phishing emails just aren’t well-written.
Look closely, and you’ll see red flags like typos and poor or unidiomatic writing. Even if the spelling is OK, you might notice phrases that just seem sort of off—not like the polished communication you should expect from AT&T or Microsoft.
Scammers know that these messages have red flags and warning signs, so they do everything they can to get you to stop thinking. This is why those scam robocalls tell you the IRS has a warrant out for your arrest (don’t worry, they don’t): if you’re too scared to think, you won’t.
So if a message seems overly urgent — again, especially if this seems out of character for the company or it’s combined with typos and other weirdness — proceed with caution.
Most companies don’t attempt to solve truly urgent matters over email in the first place.
Say you get a somewhat urgent-sounding message, but you suspect it might actually be real. If it’s your bank, for example, you don’t want to just assume it’s fake and then later discover all your money is gone, right?
First off, don’t click the link. Whatever you do, don’t click the link. (Don’t call the number, either, if there’s one in the email.)
Instead, connect with the company or entity the way you would have if you hadn’t gotten the email. Try a multi-layered security approach and call the number you already have saved, or manually visit their website (irs.gov, outlook.com, etc.).
Here’s why this works: if the company really, truly has some kind of issue they need to discuss with you, they’ll know. It’ll be flagged in the system when you call in, or you’ll see a message in your account when you log in.
If you navigate manually to their site or call in, you’ll know one way or the other whether the email was legit.
Hopefully you never get this far, but if you do click a link in an email and end up on a page asking you to log in, stop and think twice. Look around. Does the page look normal? Any weird fonts or broken images?
Fake landing pages might be reasonably convincing, but they usually can’t match the real thing pixel for pixel.
Last, and most importantly, you should be conducting some kind of digital threat awareness training with your team regularly. Your IT services partner can guide you to an appropriate resource.
If you don’t have a managed IT partner yet, we’d love to chat, and we can get you set up with this kind of training, too.