Cybercriminals use many different strategies to infiltrate business networks and steal data or money. Even though phishing emails are one of the oldest tricks in the digital book, they are still one of the most common tactics because they work.
Phishing emails are fake emails sent to you by scammers. They are designed to trick you into clicking on malicious links, opening malicious attachments, or divulging sensitive information. The attacker then uses what you provide to steal from you, extort you, or get a foothold on your network for something worse, like ransomware.
As a business, educating your staff on how to spot phishing emails must be near the top of your to-do list, starting when people are hired and repeated regularly after that. Your employees should be able to spot phishing emails to prevent security breaches and financial losses.
Want to learn more about phishing emails? Read this other post of ours for more information.
Here are a few practical tips to help recognize phishing scams so you can avoid becoming a victim:
The devil is in the details. If the sender’s email address is suspicious or unfamiliar, take caution.
The first step in the phisher’s playbook is to make the emails look as legitimate as possible. They’ll use email addresses that closely resemble legitimate organizations or individuals.
Like in this obvious example:
In the screenshot example above, the sender’s name has been manipulated to make the recipient think it comes from a trusted source, but it does not match the sender’s email address. The attacker uses a reassuring display name to distract you from the address itself. On closer inspection, the sender’s email address is unfamiliar and not to be trusted.
This other example isn’t as obvious:
The sender’s name is Corporate Office. That is an immediate red flag because I know there isn’t an AZCOMP “corporate office.” However, a newer employee might easily fall for this. The email address also contains our actual domain, @azcomp.com. That is a trick called “spoofing”: the attacker has put our own domain in the From address. Once again, the email address email@example.com is easy for me to spot as fake because I know that mailbox doesn’t exist, but other employees may have no idea whether it is a legitimate address.
Lesson number 1 – if you have any doubts or questions, just delete the message or ask someone.
What are the principles of identifying a suspicious email address?
- Pay close attention to misspellings or variations in the domain name. For example, an email claiming to be from “yourbank.com” could be a phishing attempt if the actual domain is “yourbaank.com.” More specifically, as an example, they could use an email address like firstname.lastname@example.org when the real email address is email@example.com.
- Be careful when the correct domain name appears in the email address but extra words are attached to it. For example, instead of “firstname.lastname@example.org,” the email may come from “email@example.com.” In the example below, the sender’s email address is firstname.lastname@example.org. Microsoft.com is a real domain name, but it has been sneakily altered to alerts-microsoft.com. The difference between a hyphen and a dot matters here: alerts-microsoft.com is a completely separate domain that anyone can register, whereas alerts.microsoft.com would be a subdomain of microsoft.com and under Microsoft’s control. I don’t know whether @alerts.microsoft.com is a mailbox Microsoft really uses, and that would be much trickier to determine.
- As we talked about earlier, be careful of spoofing. Spoofing is when the attacker sends mail from a server they control but writes your company’s actual domain into the From address, usually with a mailbox that doesn’t exist. Our business domain is azcomp.com. In the past, we have received emails from fake mailboxes like email@example.com, firstname.lastname@example.org, or email@example.com. Those email addresses don’t exist here. Don’t trust emails coming from addresses like that. On the technical side, publishing SPF, DKIM, and DMARC records for your domain lets receiving mail servers detect and reject or quarantine messages that forge it.
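To make the three address checks above concrete (display name that doesn’t match the address, a lookalike domain, and a trusted brand bolted onto someone else’s domain), here is an added example that is not part of the original post or AZCOMP’s own tooling. It scores a raw From: header. The trusted-domain list, the directory of real mailboxes, and the sample headers are all assumptions constructed for the example.

```python
from email.utils import parseaddr

# Assumptions (not from the original post): domains we treat as legitimate,
# and the mailboxes that really exist at our own domain.
TRUSTED_DOMAINS = {"azcomp.com", "yourbank.com", "microsoft.com"}
KNOWN_MAILBOXES = {"support@azcomp.com", "billing@azcomp.com"}
OWN_DOMAIN = "azcomp.com"


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand(domain):
    """The name people recognise: 'microsoft' for microsoft.com."""
    return domain.split(".")[0]


def under(domain, trusted):
    """True if domain is trusted itself or a real subdomain of it (alerts.microsoft.com)."""
    return domain == trusted or domain.endswith("." + trusted)


def check_sender(from_header):
    """Return a set of red-flag codes for one RFC 5322 From: header value."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"UNPARSEABLE"}
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1]
    flags = set()
    for trusted in TRUSTED_DOMAINS:
        b = brand(trusted)
        # Display name invokes a trusted brand, but the address lives somewhere else.
        if b in display.lower() and not under(domain, trusted):
            flags.add("NAME_MISMATCH")
        if domain in TRUSTED_DOMAINS:
            continue
        # yourbaank.com: one or two characters away from the real thing.
        # (Tune the threshold down for very short brand names.)
        if edit_distance(domain, trusted) <= 2:
            flags.add("LOOKALIKE")
        # alerts-microsoft.com or microsoft.com.evil.net: the brand is present,
        # but the domain that was actually registered is not the brand's own.
        if b in domain.replace("-", ".").split(".") and not under(domain, trusted):
            flags.add("BRAND_IN_OTHER_DOMAIN")
    # Our own domain in the From address but a mailbox that does not exist:
    # the spoofing case. SPF/DKIM/DMARC results are what confirm the forgery.
    if domain == OWN_DOMAIN and addr not in KNOWN_MAILBOXES:
        flags.add("UNKNOWN_MAILBOX")
    return flags


if __name__ == "__main__":
    # Constructed sample headers, modelled on the cases described in the post.
    samples = [
        '"Microsoft Account Team" <security@alerts-microsoft.com>',
        "support@yourbaank.com",
        '"Corporate Office" <corporate@azcomp.com>',
        '"Microsoft" <noreply@alerts.microsoft.com>',
        "billing@azcomp.com",
    ]
    for s in samples:
        print(f"{s:58} -> {sorted(check_sender(s)) or 'no flags'}")
```

Note that the real subdomain alerts.microsoft.com comes back clean while the hyphenated alerts-microsoft.com is flagged twice: that is exactly the hyphen-versus-dot distinction from the list above, encoded in `under()`.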
Phishing emails often employ urgency or threats to manipulate recipients into taking immediate action. Be cautious of messages that insist on urgent action or threaten negative consequences if you don’t comply.
Legitimate organizations typically communicate important matters professionally and avoid alarming tactics.
For example, if you have an account with Netflix and there is something wrong with it, they likely won’t send you an email demanding that you click a link in that email to update your credit card information right now. Instead, they will send you an email saying they’ve noticed your credit card will expire in the next 30 days and asking you to log in to your account by going to the Netflix website yourself to sort it out within that time.
A common tactic used by phishers is to request personal or financial information. Legitimate organizations rarely ask for sensitive data via email, such as credit card details.
Exercise caution and only provide such information after verifying the authenticity of the request through alternative channels, such as a phone call to the organization’s official contact number.
If you’re ever suspicious, call the phone number on the back of your credit card, or find the phone number on the company’s authentic website, or log in to your account by typing the authentic website address yourself rather than following anything in the email.
Many phishing emails are written by non-native English speakers or generated automatically, resulting in poor grammar, spelling errors, and awkward sentence structures.
Take note of these linguistic red flags, as they can indicate a phishing attempt. Legitimate organizations typically maintain a higher standard of writing in their official correspondence. Keep in mind, though, that polished writing proves nothing on its own; judge the sender address and the links, not just the prose.
Hovering over hyperlinks in an email can reveal the genuine destination URL, even if the email text suggests otherwise.
Phishing emails often employ deceptive tactics by masking malicious links with innocuous text. Before clicking on any link, hover your cursor over it to make sure the URL matches the stated destination or leads to a legitimate website. If you’re reading email on your phone, press and hold the link with your finger to display the URL without opening it. One caveat: some mail services rewrite links through their own scanning domain, so the preview may show that service’s address rather than the final destination; when in doubt, don’t click.
Here’s an example:
The intention was to trick the target victim into clicking the “download audio message” link.
But if you hover over it, the URL is a dead giveaway. A slightly more sophisticated attacker could have dressed the link up to look like www.azcomp.eratak.in/.
That spot with the 00info in the URL is called a subdomain. Anybody who owns a domain can create any subdomain they want under it, so read a link from right to left: the part that matters is the registered domain just before the ending (eratak.in in the example above), and everything to the left of it is whatever the owner chose to type.
Using a recognizable name in a subdomain, coupled with a domain the attacker controls, is a way to trick you into thinking the link is legitimate.
Do not click links if any part of an email seems suspicious. Another way to say this is if you’re not 100% convinced any email is legitimate, do not click links.
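The hover check and the right-to-left reading of a URL can be automated. The following is an added example, not code from the original post or from AZCOMP: it pulls every link out of an HTML email body, works out which domain was actually registered, and flags links whose visible text points one way while the href points another, or where a trusted name appears only as a subdomain of somebody else’s domain. The miniature public-suffix list, the trusted-domain set, and the sample message are assumptions constructed for the example; production code should load the full public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (not from the original post): a tiny stand-in for the public
# suffix list, and the domains we consider legitimate.
PUBLIC_SUFFIXES = {"com", "net", "org", "in", "co.in", "co.uk"}
TRUSTED_DOMAINS = {"azcomp.com", "microsoft.com"}


def registrable_domain(host):
    """The part someone had to register: eratak.in for www.azcomp.eratak.in.
    Read right to left: the registered name is the label just before the
    public suffix; everything to its left is a subdomain the owner made up."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # longest suffix wins (co.uk before uk)
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def check_link(href, text):
    """Return (registrable domain of the real target, set of red-flag codes)."""
    host = urlparse(href).hostname or ""
    target = registrable_domain(host)
    flags = set()
    # The visible text shows one site while the href goes to another.
    m = DOMAIN_IN_TEXT.search(text)
    if m and registrable_domain(m.group(1)) != target:
        flags.add("TEXT_MISMATCH")
    # A trusted name appears in the host, but only as a subdomain of someone else's domain.
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in host.split(".") and target != trusted:
            flags.add("BRAND_IN_SUBDOMAIN")
    return target, flags


def audit_html(html):
    """Run check_link over every anchor in html; returns a list of result dicts."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    results = []
    for href, text in parser.links:
        target, flags = check_link(href, text)
        results.append({"text": text, "href": href, "target": target, "flags": flags})
    return results


# Constructed sample body, modelled on the voicemail lure described in the post.
SAMPLE_HTML = """
<p>You have a new voicemail.</p>
<a href="https://www.azcomp.eratak.in/play">download audio message</a>
<a href="http://login.microsoft.com.account-verify.net/x">https://login.microsoft.com</a>
<a href="https://www.microsoft.com/security">Microsoft security page</a>
"""

if __name__ == "__main__":
    for r in audit_html(SAMPLE_HTML):
        print(f"{r['text']!r:32} -> {r['target']:20} {sorted(r['flags']) or 'ok'}")
```

The second sample link is the nastiest case: the visible text is a perfectly real Microsoft address, and the host even begins with login.microsoft.com, but the domain that was registered is account-verify.net. Only the registrable domain tells you where you are really going.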
For this article, the last thing we’ll discuss is attachments.
Attachments in phishing emails can contain malware that compromises your system. Years ago, there were only a few specific file types you needed to be cautious of, mostly .exe files.
Now, almost any attachment type has the potential to be dangerous. Office documents and PDFs can carry macros, scripts, or exploits, and a file that appears to be a harmless .txt, .MOV, or .mp4 may really be an executable with a misleading name (for instance, invoice.pdf.exe shows up as “invoice.pdf” when Windows hides known file extensions). Whatever the type, the file could deliver malware, spyware, or ransomware. Be very certain you trust the file before opening it.
Exercise caution when receiving unexpected or suspicious attachments, even if they appear to be from a trusted source. If in doubt, contact the sender through a separate email or phone call to confirm the authenticity of the attachment.
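The advice above says not to trust the extension. Here is an added example of what “not trusting the extension” looks like in code; it is not part of the original post or of AZCOMP’s tooling. It checks an attachment’s name and first bytes against each other, catches the double-extension trick, and looks inside Office files for a VBA macro project. The extension lists, magic-byte table, and sample files are assumptions constructed for the example.

```python
import io
import zipfile

# Assumptions (not from the original post): extensions Windows runs directly,
# Office types that may legitimately hold macros, and the magic bytes checked.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs",
                  ".hta", ".ps1", ".lnk", ".msi", ".jar"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".mov", ".mp4"}
MAGIC = [
    (b"MZ", "exe"),                 # Windows PE executable
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),         # also .docx/.xlsx/.pptx/.jar
    (b"\xd0\xcf\x11\xe0", "ole"),   # legacy .doc/.xls
]
EXPECTED_KIND = {".exe": "exe", ".pdf": "pdf", ".docx": "zip", ".xlsx": "zip",
                 ".docm": "zip", ".doc": "ole", ".xls": "ole"}


def sniff(data):
    """Identify a file by its leading bytes, ignoring the name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename, data):
    """Return a set of red-flag codes for one attachment (name plus bytes)."""
    name = filename.lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    flags = set()
    if ext in EXECUTABLE_EXT:
        flags.add("EXECUTABLE")
    if ext in MACRO_EXT:
        flags.add("MACRO_ENABLED")
    # statement.pdf.exe displays as "statement.pdf" when known extensions are hidden.
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXT:
        flags.add("DOUBLE_EXTENSION")
    kind = sniff(data)
    if ext in EXPECTED_KIND and kind != EXPECTED_KIND[ext]:
        flags.add("TYPE_MISMATCH")
    if kind == "exe" and ext not in EXECUTABLE_EXT:
        flags.add("TYPE_MISMATCH")          # an executable renamed to .txt, .mp4, ...
    # OOXML Office files are zips; VBA lives in vbaProject.bin, which a plain
    # .docx has no business containing.
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    flags.add("CONTAINS_VBA")
        except zipfile.BadZipFile:
            flags.add("CORRUPT_ARCHIVE")
    return flags


def fake_docx(with_macros):
    """Constructed sample: a minimal OOXML-shaped zip, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 vba")
    return buf.getvalue()


# Constructed sample attachments, not real files from the post.
SAMPLES = {
    "statement.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "notes.txt": b"MZ\x90\x00" + b"\x00" * 60,
    "invoice.docx": fake_docx(with_macros=True),
    "agenda.docx": fake_docx(with_macros=False),
    "report.pdf": b"%PDF-1.7\n%...",
    "readme.txt": b"just text",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:20} {sniff(data):8} {sorted(check_attachment(name, data)) or 'no flags'}")
```

A mail gateway does the same kind of inspection at scale; for an individual, the lesson in the code is that the name tells you what the sender wants you to believe, while the bytes tell you what the file actually is.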
About AZCOMP Technologies
At AZCOMP Technologies, we understand the importance of safeguarding your business against cyber threats. We are a trusted IT service provider based in Phoenix, Arizona, specializing in the healthcare and dental industries. We offer comprehensive IT services and security solutions.
Our team can help train your employees to identify phishing emails, implement robust security measures, and provide ongoing support to protect your business.
Reach out to learn how we can assist you in creating a secure and resilient IT infrastructure that safeguards your sensitive data and dramatically decreases your risk of a cybersecurity disaster.