The vast majority of cyber-attacks start with a phishing email or another form of social engineering.
You might think you know the initial “tell-tale” signs of phishing emails and what to look for if a suspicious email lands in your inbox:
Incomplete or incorrect logos
Links with long URL addresses
Requests for personal and/or sensitive information.
But that’s only part of a much bigger and rapidly changing picture. Attackers prey on our basic instincts: greed, when monetary incentives are offered, or our desire to help others, for example “Would you like to contribute to the latest natural disaster recovery programme? Please complete the attached donation form” or “I’ve been having issues fixing the network and I need to reset all accounts. Please provide your username and password”. So if an email doesn’t show any of these signs then it can’t be a phishing email, right? Wrong!
Attackers have wised up to these “tell-tale” signs and phishing emails are becoming increasingly hard to spot. The spelling is perfect, the logos look great, the URLs (if you see them at all) look fine, and if you click on the link (and you shouldn’t) the chances are it will work. Firewalls, software and ‘anti-phishing services’ used to stop these emails reaching our inboxes sadly won’t catch every single one; some will slip through, and if we can’t spot them we are putting our employers, their clients and our own information at risk.
The results of a successful attack can be wide-ranging and sometimes catastrophic, ranging from loss of client information, identity theft and fraud to the targeting and loss of your organization's commercially sensitive information or IP. Organizations are seeking ways to test employees’ awareness of phishing emails. This is sometimes achieved by sending a ‘spoof’ phishing email to their users and seeing who is taken in by it and clicks the links. This approach clearly has merit; for example, it’s easy to measure progress when the exercise is later repeated.
But one of the major drawbacks is that users become accustomed to looking for emails similar to the one in the test. This can result in them missing other types of phishing emails, leaving the company open to attack. It’s better to build awareness about the various types of phishing emails and educate your employees to remain vigilant.
How to spot a phishing email
Here are a few ways you can spot phishing emails:
Your long-lost great-great-aunt, whom you never knew about, probably didn’t leave you 10 million guilders in inheritance. If it seems too good to be true then it probably is.
If a bank is asking you to verify or share account details then be aware:
No bank will ever ask you to verify or pass on any account information online via email or over the phone.
And of course, if you don’t bank with that particular bank then it’s more than likely a phishing email!
If an organization that you have an account with asks you to verify information, call them on a legitimate number to check whether they sent the email. Don’t use the number contained in the email.
If you receive something unexpected that includes a link or an attachment, don’t click the link or open the attachment.
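A small triage script that checks an email for the signs listed above: long URLs, links that point somewhere other than the sender’s domain or than the visible link text suggests, and requests for credentials. This is an added example, not code from the original post; the message it scans is a constructed sample modelled on the “reset all accounts” pretext, and every domain name in it is a placeholder.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample modelled on the "reset all accounts" pretext above; not a real message.
SAMPLE = """From: IT Helpdesk <helpdesk@example-corp.com>
Subject: Urgent: all accounts must be reset today
Content-Type: text/html

<p>I've been having issues fixing the network and I need to reset all accounts.
Please provide your username and password at
<a href="http://example-corp.com.login-verify.example.net/reset?id=9f3a8c2d1e">example-corp.com/reset</a></p>
"""
CREDENTIAL_PHRASES = ("username and password", "verify your account", "account details")
# Good enough for simple HTML like the sample; use html.parser on real mail, where markup varies.
ANCHOR = re.compile(r'<a\b[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host):
    """Last two labels of a hostname: a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_indicators(raw):
    """Return human-readable warnings for the signs listed in the article."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_content()
    sender_host = msg["from"].addresses[0].domain if msg["from"] else ""
    findings = []
    for href, text in ANCHOR.findall(body):
        host = urlparse(href).hostname or ""
        if len(href) > 60:  # "links with long URL addresses"
            findings.append(f"long URL: {href}")
        if registrable(host) != registrable(sender_host):
            findings.append(f"link host {host} does not match sender domain {sender_host}")
        shown = re.sub(r"<[^>]*>", "", text).strip()  # what the reader sees as the link
        shown_host = shown.split("//")[-1].split("/")[0]
        if shown_host and registrable(shown_host) != registrable(host):
            findings.append(f"link text '{shown}' points at a different host: {host}")
    for phrase in CREDENTIAL_PHRASES:  # "asking for sensitive information"
        if phrase in body.lower():
            findings.append(f"asks for credentials: '{phrase}'")
    return findings


if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE):
        print("!", warning)
```

On the sample message all four checks fire; a plain internal note with no links and no credential request produces no warnings.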
What to do if you receive a phishing email
Employees need to notify their technical team when they receive a phishing email so that the team can take action. Because employees are usually the ones targeted, it is essential that they are kept up to date through regular awareness sessions. If you are interested in awareness sessions, you can always contact us.
Sharing is caring
If you believe this content would help your friends, relatives or colleagues, share it with them to increase awareness.