How to Spot a Phishing Attempt

Phishing is one of the most common, yet dangerous methods of cybercrime. It utilizes deceptive messages to trick victims into clicking untrustworthy links, downloading malicious attachments, or divulging sensitive information.

Despite cybersecurity experts’ warnings over the years, it seems that internet users still consistently fall prey to these simple but effective attacks. According to Verizon’s 2019 Data Breach Investigations Report, a third of all cyber-attacks involved phishing.

It is therefore absolutely critical that you’re able to protect yourself and your business from the inevitability that is a phishing campaign targeting you. Below we cover some tell-tale signs of such an attack.

1.) The message is designed to make you panic

It’s common for phishing emails to try to scare the recipient into a desired action. The email may claim that your account has been compromised and the only way to verify it is to enter your login details. Alternatively, the email might state that your account will be closed if you do not act immediately. Ensure that you take the time to really think about whether an email is asking something reasonable of you. If you’re unsure, contact the company through other methods.

2.) Domain names are misspelled

The reality of the internet today is that anyone can buy a domain name from a registrar. And although every domain name must be unique, there are plenty of ways to create addresses that are hard to distinguish from the one that’s being spoofed.

A subtle change of letter in the word, paired with a well-crafted html e-mail, can easily fool a hurried reader. Hackers regularly use discrete punctuation to differentiate their malicious domain source (ex. No-reply@wellsfargo.com vs. No-reply@wells-fargo.com).

3.) It includes suspicious attachments

Phishing emails come in many forms, but the one thing they all have in common is that they contain a payload. This will either be a link to a bogus website, as discussed above, or it will be an infected attachment that you’re asked to download.

An infected attachment is a seemingly benign document that contains malware. In a typical example, the phisher claims to be sending an invoice to a business or organization. It doesn’t matter whether the recipient expects to receive an invoice from this person or not, because in most cases they won’t be sure what the message pertains to until they open the attachment.

When they open the attachment, they’ll see that the invoice isn’t intended for them, but it will be too late. The document unleashes malware on the victim’s computer, which could perform any number of nefarious activities.

We advise that you never open an attachment unless you are fully confident that the message is from a legitimate party. If you receive any type of notification about the file’s legitimacy or the application asks you to adjust your settings, then don’t proceed. Contact the sender through an alternative means of communication and ask them to verify that it’s legitimate. It might take you a few more minutes to do so, but the ultimate cost will be much less.

4.) The message contains a mismatched URL

One of the first things you should check in a suspicious email message is the integrity of any embedded URLs. Oftentimes the URL in a phishing message will appear to be perfectly valid. However, if you hover your mouse over the top of the URL, you should see the actual hyperlinked address (at least in Outlook and most web-based e-mail services). If the hyperlinked address is different from the address that is displayed, the message is probably fraudulent or malicious.

5.) The message appears to be from a government agency

Cybercriminals don't always pose as a bank or business – sometimes they'll send messages claiming to be from a law enforcement agency like the FBI, or even impersonating the Internal Revenue Service.

Rest assured that government agencies don't normally use email as an initial point of contact. That isn't to say that law enforcement and other government agencies don't use email. However, law enforcement agencies follow certain protocols, and their primary means of communication is very rarely by e-mail, and never for the purpose of extortion.

6.) Phishing isn’t limited to your e-mail inbox

Just because you’ve successfully identified phishing attempts in your work inbox doesn’t mean you’re in the clear. A malicious link is just as dangerous on your social media accounts – especially if you’re prone to using these platforms on your work devices.

Hackers regularly compromise social media accounts in order to increase their attack surface. Once they have access to the account, they can send a malicious link to everyone who is connected to the compromised profile. That means that even if you receive a message from a trusted source, you need to use a discerning eye to determine whether or not to click. Be sure to ask yourself questions like, does this person normally contact me on this social media platform? Do I have another means of contacting them to confirm they did indeed send the message? Have they recently posted to announce that they are not the person responsible for phishing messages? 


Practice Makes Perfect

It has become painfully obvious that phishing attempts won’t stop anytime soon. They are quite simply too lucrative for hackers to pass up, given the ease with which they take advantage of their victims. Living in this new cyber reality, the most effective measure you can take to protect your business and your bottom line is to train your employees and yourself in cybersecurity awareness.

When users are trained to recognize the signs of phishing attempts, they become an organization’s best line of defense. Consider a security training solution that can simulate phishing attacks and allows you to follow them up with video-based training campaigns to educate employees who may need it. If you’re not sure where to begin, ask your Managed Service Provider (MSP) what type of solution would be best for your business.



Learn about ID Agent’s Phishing Simulations and Security Awareness Training, so you can help your employees to become your company’s strongest line of defense against attack!

ID Agent provides a robust suite of services to address the risks faced by MSPs and that of their SMB clients. BullPhish ID™ delivers security awareness training and phishing simulations created specifically to help employees recognize and avoid phishing traps. Dark Web ID™ monitors the dark web for employee and supply chain credential exposure, which most often results from using those credentials on third-party websites.  SpotLight ID™ provides comprehensive personal identity protection and restoration services for employees and customers, mitigating risk and providing peace of mind.

comments
0