Phishing is more than just the obvious scams you find in your spam folder. Reliable security solutions are a big help. They can certainly cut down on the classic “spam and scam” threats. And even if something does get through, surely everyone knows that poorly written emails asking for your bank account info or passwords are scams. Right?
If phishing were that simple, it would be extinct. But that’s not the case. Phishing seems to be getting more effective. Some of 2016’s most noteworthy attacks were the result of relatively basic phishing scams. According to a report released by Verizon last year, 30 percent of targets opened phishing emails in 2015 (up from 23 percent in 2014). 12 percent clicked on malicious attachments (up from 11 percent in 2014). And according to the Anti-Phishing Working Group, phishing attacks reached an all-time high during the 2nd quarter of 2016.
That’s bad news for anyone betting on the odds to keep them secure.
Phishing works because it changes to stay relevant. Criminals create new scams. Spear-phishing – highly personalized phishing emails – are becoming more sophisticated. And phishers only need to succeed once to achieve their goal. So even if your endpoint protection and “conventional wisdom” catches 99 percent of what gets thrown at you, the one percent is more than enough to ruin your day, week, quarter, or year.
So security products are a big part of the puzzle. But awareness is needed to complete the picture – especially amongst people most likely to be targeted. This can include c-level employees who have access to all the important information at a company. But it should also include people who regularly receive emails from people outside the company. People in human resources, for example, can regularly receive emails with attachments from people they don’t know. Not being able to open those attachments makes it tough to do their job, so they’ll feel more pressure to click.
So here’s a few “tells” that can help you spot a phishing email.
- What’s going on with the domain?
Phishing emails typically either have a malicious attachment or direct users toward a malicious website. If you’re sent a link, hover your cursor over it for a moment so the URL shows up. Or view the email in plaintext (either way will show you the URL). If the domain looks suspicious, do some additional checking before you click. For example, a WHOIS Lookup can help you spot fake domains. Consider that, as well as any strange characters or other anomalies with the URL, a red flag.
- Is the sender a real person?
Another thing to consider is whether or not the person’s identity is real. A quick Google search should help you find any social media profiles they might have. Depending on what information you have about the person (for example, their profession, their location, etc.), you may or may not be able to verify that the person is real.
- If the sender is a real person, are they who they say they are?
If you’re able to find some social media profiles, you need to consider whether the email is actually from the person. One way to do this is to respond to them using a different method of communication. You can DM through a social media channel. Call them if they have a phone number. If you can’t do this, you should proceed with caution.
Also, always double check the “from” field. Spear-phishers often trick email clients by setting the “reply-to” field in an email. So it says the email is from one person even though it comes from another. So if you get an email from someone that doesn’t match their regular address (even if you know the person or have them in your address book), treat it with suspicion.
Now, these aren’t foolproof. Sometimes you’ll get a message from someone claiming you have a mutual acquaintance, asking you to confirm some information or something of that nature. It might sound paranoid to some, but it’s better to err on the side of caution and try applying some of this advice to anything that just “feels wrong.” When it comes to security, an ounce of prevention is worth a pound of cure.