Updated: Feb 29, 2024
Email phishing is all too common. This post will help you recognize email phishing and take steps to protect yourself.

What is phishing?
At its most basic level, phishing is fraud. Email phishing is an illegal attempt to get you to send compromising data (think usernames and passwords, SSNs, etc.), click on links, or download malware onto your computer. Ultimately, the goal is for scammers to log into your accounts, gain access to your personal or company information, and steal from you. They may steal your money or your identity, and it happens more than you think.
This infographic from the Federal Trade Commission shows the damage done by scammers in 2023.

Bummer, right? But you can protect yourself and your company from scams like this!
How to Spot an Email Phishing Scam
Sense of Urgency
Emails that demand urgent action are attempting to get you to ignore your critical thinking skills and start acting foolish.
What to do: Stop and think!
Think: Would this person/company typically rush me like this? If they aren't your boss and hounding you about a deadline, the answer is probably no. Treat this like a scam.
Spelling, Grammar, and Formatting issues
Look for errors in these areas:
Spelling: Perhaps the spelling closely matches a brand name but is a bit off, or random words are misspelled, and it doesn't look like a typical typo.
e.g. Arnazon instead of Amazon
Sentence context: Does it sound like a native English speaker wrote it, or could it be from a translation site? Are words used in the proper contexts?
Lack of editing: If an email comes from a company, it should have been copy-edited. If it feels amiss, chances are it could be!
Formatting: If the overall look of the email looks unprofessional, is off-center, or logos seem to be fuzzy or placed incorrectly, these are all signs that this is a phishing scam.
Generic or Unfamiliar Greeting
Look for changes in tone if the email is from someone you correspond with regularly.
For example, I know that my boss always emails me with 'Hi Brittany' or 'Hey there.' If there is a very different greeting or you sense a shift in tone, look into the rest of the email.
Alternately, generic greetings coming from a company should also raise some red flags for you.
e.g. Hi Dear, Dear Customer, Hello User
Inconsistencies in Email, Domain Name, and/or Link
Always, always, always look at the email address of the sender. Emails from someone at a company will have the company in their domain name.
e.g. @microsoft.com, @amazon.com
Your superior or colleagues will not be emailing your work email from their personal email (or what was created to look like their personal email).
If the email does look correct but something still seems off, call or text that person to ensure they are the sender. It is possible that person's email was compromised, so wait to email them until you have confirmation from the sender.
If you are emailed a link, you can hover over the link to see where it will take you BEFORE CLICKING. Make sure the link or button is taking you to where it says it will.
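The two checks above (a sender domain that is a near-miss of a brand, like the Arnazon example, and a link whose visible text does not match where it really goes) can also be automated. The following is an added example, not part of the original post; the function names, the small lookalike map, and the sample message are constructed for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a tiny illustrative lookalike map; real mail filters use larger ones.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")

def skeleton(domain):
    """Collapse lookalike sequences so 'arnazon.com' compares equal to 'amazon.com'."""
    for fake, real in CONFUSABLES:
        domain = domain.lower().replace(fake, real)
    return domain

def check_sender(from_header, trusted):
    """Return 'ok', 'lookalike:<domain>' or 'unknown' for the From: address domain."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "ok"
    hits = [t for t in trusted if skeleton(domain) == skeleton(t)]
    return "lookalike:" + hits[0] if hits else "unknown"

class LinkAudit(HTMLParser):
    """Collect (visible text, real target host) for every <a href> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # start collecting the visible text of this link
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)  # reset at each <a>, so only link text is kept
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            host = (urlparse(self._href).hostname or "").lower()
            self.links.append(("".join(self._text).strip(), re.sub(r"^www\.", "", host)))
            self._href = None

def mismatched_links(html_body):
    """Return links whose visible text names a domain other than the real host."""
    audit, bad = LinkAudit(), []
    audit.feed(html_body)
    for text, host in audit.links:
        shown = DOMAIN_RE.search(text.lower())
        if shown and host != shown.group(1) and not host.endswith("." + shown.group(1)):
            bad.append((text, host))
    return bad

# Constructed sample message, for illustration only.
SAMPLE_FROM = "Amazon Support <billing@arnazon.com>"
SAMPLE_HTML = '<p>Dear Customer, <a href="http://login.example.net/a">www.amazon.com</a></p>'
```

A link labelled only "Click here" shows no domain to compare against, so it is not flagged by this check; hovering over it is still the way to see its real destination.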
Suspicious Attachments
It is good practice to only download attachments from senders you know and trust. If you download an attachment or click on a link from an attacker, you could be subjecting your computer to malware that can steal your personal or company information.
Requests for Login Information, Payment Updates, or Other Sensitive Data
Even though our banking, Netflix, loans, and other institutions consistently remind us that they will never ask for personal information, we continue to see people falling prey to these types of phishing attacks. Attackers can mimic websites, email templates, and logos in order to convince you that your account has been compromised. Then, you click on that suspicious link and... it has.
What to do: If you have gotten an email that concerns you about account information, log into their portals the way you typically would, not through the email.
You can always call the company, institution, or person and make sure they are asking for information from you.
It Seems Too Good to be True
Did you just win a cruise that you didn't enter a contest for? Is that Nigerian prince actually trying to give you their fortune? Did you just win the lotto but you never bought a ticket?
Even though we would all like to make a quick buck, as the old saying goes, 'If it seems too good to be true, it probably is.'
It's a scam. Don't click. Don't download. Don't give your information away.
So, how do you protect yourself and your company from phishing scams?
Train and retrain your employees
Your company is only as strong as your most vulnerable employee, so use the software, use multi-factor authentication, and make sure you continue to talk about phishing scams and how to recognize them. In fact, maybe send them this blog post!
Enable Multi-Factor Authentication
Most major email hosting providers should offer multi-factor authentication. This is the easiest and most practical way to keep unauthorized persons out of your mailbox.
Let the software help! These are a couple of HDH Consulting's favorite partners:
Proofpoint is a cloud mail filter that intercepts messages between mail servers and the client-side mailbox (like a person filtering your mail in the post office)
IRONSCALES is an email security platform that scans data to look for threats
At HDH Consulting, we are always here to discuss your email security and see how we can help. Let us be your partner in IT management!

