Email Phishing: Think Before You Click
Phishing attacks are more common than you might think. Whether the goal is tricking someone into sending a payment, stealing credentials, or delivering malware, phishing is now a routine cost of doing business, so it is worth taking measures against some of the cleverest tricks in the book. Let’s examine some of them.
Defining Phishing
Phishing attacks arrive as emails crafted to look legitimate. Cybercriminals use them to trick users into handing over credentials, sharing sensitive information, or downloading malware. They are particularly dangerous because they can look very real: a phishing attempt for your PayPal credentials can be a near-copy of an everyday PayPal message. To make matters worse, phishing emails manufacture a sense of urgency, spurring targets to act immediately to pay an overdue bill or reset a supposedly stolen password.
How to Spot a Phishing Attack
Even the best of us can be tricked by phishing scams from time to time, and it’s all because they can take so many different forms. Thankfully, there are plenty of ways you can prepare your team to identify phishing scams. Here are some tips to consider:
- Maintain strong, unique passwords: If one of your accounts is ever compromised, the least you can do is make sure its password isn’t reused anywhere else, so the attacker can’t walk into your other accounts with it. Current guidance is a minimum of 8 characters, and longer is better.
- Check the sender’s address, not just the display name: Make sure that an email appearing to come from a particular domain is, in fact, coming from that domain. For example, whatshisname from PayPal should write from whatshisname@paypal.com, not from a subtly different domain such as something@eba.com. Keep in mind that the display name (“PayPal Service”) is free text the sender chooses, and even the From address itself can be forged; the SPF, DKIM and DMARC checks your mail server performs (recorded in the Authentication-Results header) are the real test of whether a message came from where it claims. Either way, be exceptionally careful with any message asking you to click links or submit sensitive information.
- Don’t automatically download attachments: Most malware finds its way onto a network through email attachments. If you haven’t specifically requested an attachment, you should be more than a little skeptical when one turns up in your inbox. If you have any reason to doubt an attachment, take a moment to reach out to the sender through a different channel, such as a phone call, and confirm that they really sent it.
- Look before you click: If the email contains a link, hover your mouse over it before clicking. The address that appears is the real destination, which may have nothing to do with the text you see. Here are some examples of legitimate and suspicious URLs:
- Paypal.com - This is safe. That’s PayPal’s domain name.
- Paypal.com/activatecard - This is safe. It’s just a subpage on PayPal’s site.
- Business.paypal.com - This is safe. A website can put letters and numbers before a dot in their domain name to lead to a specific area of their site. This is called a subdomain.
- Business.paypal.com/retail - This is safe. This is a subpage on PayPal’s subdomain.
- Paypal.com.activecard.net - Uh oh, this is sketchy. Notice the dot after the .com in PayPal’s domain? That means this domain is actually activecard.net, and it has the subdomain paypal.com. They are trying to trick you.
- Paypal.com.activecardsecure.net/secure - This is still sketchy. The domain name is activecardsecure.net, and like the above example, they are trying to trick you because they made a subdomain called paypal.com. They are just driving you to a subpage that they called secure. This is pretty suspicious.
- Paypal.com/activatecard.tinyurl.com/retail - Read this one carefully. Everything after the first slash is a path, not part of the domain, so a “.com” appearing later in the address changes nothing: this link really does go to paypal.com. The trick to watch for with URL shorteners such as TinyURL is the reverse. A link whose domain is tinyurl.com tells you nothing about where it will finally land, so expand it with the shortener’s preview feature first, or treat it as untrusted. Tread carefully!
- Beware of urgent or threatening language: Phishing emails often use urgency or fear to pressure you, such as “Your account will be suspended in 24 hours” or “Immediate action required to avoid loss.” Legitimate companies usually don’t ask for sensitive information this way, especially not urgently.
- Generic greetings and poor grammar: Phishing messages often use generic greetings like “Dear Customer” instead of your name, which trusted companies will usually have on file. Look out for unusual phrasing, typos, or poor grammar, which are common in phishing attempts.
Of course, all organizations handle domains differently, but these rules above should give you an idea of what to look for in illegitimate addresses.
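The sender-domain check and the hover-over-the-link rules above can be mechanised. The following Python script is an added example, not code from the original article: it parses a constructed phishing email, extracts the domain of the real From address (ignoring the display name), and, for every link in the body, works out the host a browser would actually connect to and compares it against a trusted-domain list. The list (TRUSTED_DOMAINS), the sample message and the tinyurl.com path in it are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption for this example: the domains this organisation actually trusts.
TRUSTED_DOMAINS = {"paypal.com"}


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only if host IS a trusted domain or a subdomain of one.

    The leading dot in the endswith() test is what makes this safe:
    "business.paypal.com" matches, but "paypal.com.activecard.net"
    and "notpaypal.com" do not.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def link_host(link):
    """Return the host a browser would connect to for this link.

    Everything after the first "/" is a path, so "paypal.com/x.tinyurl.com"
    still goes to paypal.com. urlsplit().hostname also discards userinfo and
    ports, which defeats the "paypal.com@evil.net" trick. A bare
    "paypal.com/..." gets http:// prepended, as a browser would do.
    """
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").rstrip(".")


def sender_domain(from_header):
    """Domain of the actual address in a From header, ignoring the display name."""
    _display_name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


# Matches <a ... href="...">visible text</a> in an HTML body.
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def triage(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of findings: ("sender", domain) or (kind, host, visible_text)."""
    msg = message_from_string(raw_message)
    findings = []

    dom = sender_domain(msg.get("From", ""))
    if not is_trusted_host(dom, trusted):
        findings.append(("sender", dom))

    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in ANCHOR_RE.findall(body):
        host = link_host(href)
        text = re.sub(r"<[^>]+>", "", text).strip()  # strip any nested tags
        if not is_trusted_host(host, trusted):
            # Worst case: the visible text names a trusted site but the link goes elsewhere.
            kind = "lookalike-link" if any(d in text.lower() for d in trusted) else "external-link"
            findings.append((kind, host, text))
    return findings


# Constructed sample message for the example; the tinyurl.com path is made up.
SAMPLE_MESSAGE = """\
From: "PayPal Service" <service@paypal.com.activecardsecure.net>
To: you@example.com
Subject: Immediate action required
Content-Type: text/html

<p>Your account will be suspended in 24 hours.</p>
<a href="https://paypal.com.activecardsecure.net/secure">https://www.paypal.com/activatecard</a>
<a href="https://www.paypal.com/help">Help centre</a>
<a href="https://tinyurl.com/example">Update your card</a>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE):
        print(finding)
```

On the sample message this reports the look-alike sender domain, the first link (whose visible text says paypal.com while the host is paypal.com.activecardsecure.net) and the shortener link (host tinyurl.com, destination unknown); the genuine www.paypal.com link produces no finding. Two caveats: a From header that is forged outright rather than look-alike passes this test, which is why the mail server's SPF/DKIM/DMARC results are the authoritative check, and a hostname using non-ASCII look-alike characters is not something a string comparison can catch.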
Training your employees to identify these phishing emails will go a long way toward keeping your business secure. Staying vigilant and being cautious with unsolicited messages or unexpected emails will help your employees avoid falling for phishing scams. Digital Sky Solutions can help you implement solutions designed to limit the threat of phishing attempts and help your employees stay aware of the dangers. To learn more reach out to us.