Phishing attacks remain one of the biggest threats to business cybersecurity for one simple reason: they work. They operate by impersonating a well-known source and then getting you to enter personal details and sensitive data or click a link which installs malware or downloads a virus. Over the years, cyber criminals have become more and more professional so phishing emails can look legitimate and be hard to recognise. A 2019 study by Small Business Trends found that 1 in every 99 emails is a phishing attack. When you consider the number of emails sent and received on a daily basis, this is quite alarming. Therefore, training employees to recognise a phishing attack is vital. However, it can be difficult to know how to recognise a phishing scam. Below is a real-life example of a phishing email, followed by a list of things you should look out for.
Sender’s Email Address
Oftentimes, a phishing scam can be flawless – apart from the sender’s email address, which can be an immediate giveaway. This can be seen in the sample phishing email above, which I received from someone claiming to be the courier DPD. For example:
- Public email domain – If the sender is using a public email domain, it is likely to be a scam. Official company emails will never come from a @gmail.com address.
- Incorrect domain name – If the email sender’s domain address is spelt incorrectly, or if the company name does not appear in the domain, it is likely to be a scam. For example, an email from firstname.lastname@example.org is a phishing email purporting to be from PayPal. A real PayPal email would be email@example.com, as the company name is in the domain.
- Misspelt domain name – An email address can often look legitimate at first glance, with the correct domain and all. However, upon closer inspection, there might be a small spelling error, proving that it is a scam. For example, firstname.lastname@example.org, as opposed to email@example.com. Scammers know that an omission this small will not be noticed by many unsuspecting people.
Poorly Written Email
Although cyber-criminals are becoming more sophisticated, their writing is often poor. If an email looks unprofessional, chances are, it’s a scam. Phishing emails often contain spelling mistakes and grammatical errors which a professional email would not. They may also contain awkwardly worded sentences which don’t make sense. They may also be poorly formatted. Legitimate companies take the time to proofread and edit the emails they send out. If it is glaringly obvious that the email was not carefully crafted for communication between a company and their customers, it is a phishing email.
Suspicious Links or Attachments
Often, phishing emails will contain links or attachments which will direct you to a page where you enter your personal information. Firstly, it is important to remember that a legitimate company will never ask you for personal information or payment via an email. Secondly, you can usually tell whether the link is suspicious by hovering over it with your cursor. If the URL does not match the company’s website, it is a scam. For example, if you get an email purporting to be from Apple and the link URL does not direct you to apple.com, it is phishing. This can be seen in the sample phishing email above, where the URL did not redirect to the DPD website.
A link might also look suspicious. Emails from professional companies will usually not contain unformatted links. If a link looks like it has not been formatted properly to match the rest of the email, it is suspicious and you should not click it.
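The sender-address checks above (public mail domain, brand name missing from the domain, misspelt lookalike domain) and the link-hover check can be applied automatically when triaging a reported email. This is an added example, not code from the original post: the DPD-style message, the reserved `.example` domains and the `check_message` helper are all constructed here, and the brand's legitimate domain is passed in as an assumption.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not from the post): a "DPD" notice sent from a one-letter-off
# lookalike domain whose link also leaves the brand's site. The .example TLD is reserved.
SAMPLE = """From: DPD Parcels <notice@dqd.example>
Subject: We could not deliver your parcel
Content-Type: text/html

<p>Reschedule: <a href="http://dqd.example/track">dpd.example/track</a></p>
"""
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def edit_distance(a, b):
    """Levenshtein distance, to catch misspelt lookalikes of a real domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw, brand, legit_domains):
    """Apply the post's sender and link heuristics; return the warnings raised."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = msg["From"].addresses[0].domain.lower()
    warnings = []
    if domain in PUBLIC_DOMAINS:
        warnings.append(f"sender uses public mail domain {domain}")
    if brand.lower() not in domain:
        warnings.append(f"brand name '{brand}' missing from sender domain {domain}")
    for legit in legit_domains:
        if domain != legit and edit_distance(domain, legit) <= 2:
            warnings.append(f"sender domain {domain} is a near miss for {legit}")
    # What hovering over each link would reveal: the real href target, not the text.
    body = msg.get_body(preferencelist=("html", "plain"))
    hrefs = re.findall(r'href=["\']([^"\']+)', body.get_content() if body else "")
    for href in hrefs:
        host = (urlparse(href).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in legit_domains):
            warnings.append(f"link leaves the brand's site: {href}")
    return warnings
```

Calling `check_message(SAMPLE, "DPD", {"dpd.example"})` raises three warnings for the constructed sample; a message from the assumed legitimate domain with links staying on it raises none.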
Threatening or Urgent Tone
An email containing threatening or aggressive language, or that has a sense of urgency, should be treated as suspicious. Cyber-criminals will often send phishing emails that have an urgency about them, or that need to be dealt with right now. For example, emails where you have to ‘claim your prize’ within a time limit are phishing scams: creating a sense of urgency means the victim doesn’t have time to think about the legitimacy of the email. Cyber-criminals can also use scare tactics to try to get people to give away their personal information or money. For example, they may send an email claiming to be from your credit card company, telling you that your card has been compromised and you need to act now. Think about how most companies communicate with their customers: a threatening or aggressive email will be phishing.
Receiving phishing emails can often be stressful, especially when they are threatening. However, it is important to think about context when recognising phishing. For example, in the sample phishing email above that I received from someone claiming to be DPD, I knew immediately that it was phishing for 2 reasons:
- I had no outstanding online orders.
- In the past, DPD have always contacted me by text, never by email.
So, if you receive an email from someone claiming to be Netflix or PayPal when you have never had an account with either of those companies, you can be sure that it is phishing. If you are not sure, it might be a good idea to have a quick Google of ‘company X phishing scams’. This will tell you if there is a known phishing scam affecting a business. After I received the sample email below, I visited DPD’s website and lo and behold, they are aware of phishing scams such as the one I received, as you can see below.
Compare With Previous Emails
If you receive a suspicious email claiming to be from a company you have received emails from in the past, you can compare emails. For example, if you have an Amazon account and you receive a suspicious-looking email from them, compare it to emails that you have previously received from Amazon. Phishing emails will have noticeable differences, such as font style or colour and formatting. If the style of the email is different to what the company usually sends, it is a scam. If you are still unsure whether the email is phishing, call the company. Businesses are aware of phishing and they will be happy to ensure that your account with them is secure.
Personal Information Requests
Legitimate companies will never send you an email asking you for sensitive personal information, such as bank details. Any emails you receive asking for personal information, or asking for money, should be treated with suspicion as they are likely to be phishing.
If you suspect an email is phishing, do not click on any links. Report the email as phishing and delete it.
If you think you have been phished, you should immediately change your passwords, back up your data and run a virus scan on your computer.
Cardonet can provide you with a comprehensive range of cyber security services to help you stay secure and, at the same time, help you demonstrate compliance with industry and regulatory standards. To find out more about our Cyber Security Services, please click here.
If you are concerned about how phishing has affected or could affect your business in the upcoming year, call us on +44 203 034 2244 or +1 323 984 8908. Alternatively, you can contact us online. We will be happy to help you overcome your hotel IT challenges so that you can improve your guest experience and set your hotel apart. Cardonet have been working with businesses for the past twenty years to help them overcome their technological challenges. We have engineering bases in the United Kingdom, Europe and Southern California and our group of highly experienced engineers are available 24/7 to assist and ensure that your IT infrastructure is secure and running seamlessly.