Phishing has been used as a way for criminal hackers to gain sensitive information since the mid-1990s. It uses deceptive emails and websites to trick victims into clicking malicious links, downloading attachments or sending sensitive information.
Phishing emails can impersonate well-known brands or even people you know, such as colleagues. The goal is to trick the recipient into believing that the message is important and convince them to click a malicious link/attachment or provide sensitive data such as banking details and passwords.
Phishing attacks are becoming more sophisticated, making them harder to detect. In 2017, 48.2% of phishing emails were opened by recipients, an increase of 12% on 2016.
With the average attack costing a mid-sized company $1.6 million (£1.1 million), phishing can deliver a large return on investment, motivating criminals to develop more sophisticated and creative lures.
No matter how many security defences an organisation has in place, no email filtering technology is 100% successful. This leaves it up to the user to identify a phishing email.
Although phishing emails are becoming more complex and difficult to detect, they are never perfect. There are a few things you can look out for that will help you differentiate between a phishing email and a legitimate one.
The email is sent from a public email address
Look at the sender’s email address, as this can help identify if the person is truly who they claim to be. Often, the criminal will use a public email address such as gmail.com. If your bank or colleague is going to email you, it will come from a company email account with the company name in the email address.
If you receive an unexpected email or an email from someone you don’t know asking you to open an attachment, do not open it. These attachments can contain malware that can harm your computer and capture your personal data.
The creation of a sense of urgency
Phishing emails often ask recipients to verify personal information, such as bank details or a password. They can create a sense of urgency by warning that your account has experienced suspicious activity or pretending to be someone you know who is in urgent need of financial help.
These are massive warning signs. If you are ever unsure, contact the company or person using the contact details you already have for them or that are on their legitimate website. Never use any contact details or click any links provided in the email.
Links to unrecognised sites or URLs that misspell a familiar domain name
Phishing emails may ask you to click a link within the email. By hovering your mouse over the link or address, you can see the linked site’s true URL. These URLs can be slightly misspelled or completely different to what you are expecting, so always double check before you click.
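The two checks above (a sender on a public mail domain, and a link whose real target differs from or merely resembles a familiar domain) can be automated. The following is an added example, not code from the original article; the FREEMAIL and TRUSTED lists, the sample message and the two-label domain heuristic are assumptions for illustration.

```python
# Added example (not from the page): heuristic checks for a public sender domain
# and for links whose target differs from or resembles a familiar domain.
import email
import re
from email import policy
from urllib.parse import urlparse

FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed list
TRUSTED = {"examplebank.com"}  # assumed: domains this organisation expects mail from

def domain_of(host_or_addr):
    """Crude registrable domain: last two labels of a host or e-mail address."""
    host = host_or_addr.rsplit("@", 1)[-1].lower().split(":")[0]
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_signs(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    signs = []
    sender = domain_of(msg["from"].addresses[0].addr_spec)
    if sender in FREEMAIL:
        signs.append(f"sender uses public mail domain {sender}")
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    # Simplified anchor extraction; a real filter would use an HTML parser.
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.S):
        target = domain_of(urlparse(href).netloc)
        text = text.strip()
        if text.startswith("http") and domain_of(urlparse(text).netloc) != target:
            signs.append(f"link text shows {text} but points to {target}")
        for good in TRUSTED:
            if target != good and edit_distance(target, good) <= 2:
                signs.append(f"{target} looks like {good}")
    return signs

# Constructed sample: freemail sender, lookalike domain behind a real-looking link.
SAMPLE = b"""From: Example Bank <alerts@gmail.com>
Subject: Urgent: verify your account
Content-Type: text/html

<p>Suspicious activity detected. <a href="http://examp1ebank.com/login">https://examplebank.com/login</a></p>
"""
```

Running `phishing_signs(SAMPLE)` returns three warnings: the gmail.com sender, the mismatch between the displayed URL and the link target, and the one-character lookalike of the trusted domain.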
Poor spelling and grammar
You can often detect a phishing email by the way it is written. The writing style might be different to that usually used by the sender and it might contain spelling mistakes and poor grammar.
One of the reasons behind the large increase in phishing attacks is the lack of basic knowledge about them. People are fundamental to cyber security, so it is vital that they can detect security threats and know how to respond.
Increase employee awareness
Improve employee awareness with our Phishing Staff Awareness Course, which shows staff how to identify and respond to phishing scams. The course breaks down how phishing emails work, how to spot them, what action to take when you receive one and what could happen should you fall victim.
To establish how vulnerable your employees are to phishing emails, you can run a Simulated Phishing Attack. The results will enable you to take immediate remedial action where possible to improve your organisation’s cyber security posture.