The Employee’s Guide to Spotting Phishing
With phishing attacks on the rise worldwide, odds are you’ve experienced a recent attempt or two at someone trying to dupe you into clicking a link or revealing sensitive information. As cybercriminals get increasingly sophisticated with their methods and guises, it’s trickier than ever to spot a phishing attack—leaving businesses at an increased level of risk.
In this guide, we’ll dive into:
What is phishing?
How prevalent are phishing attacks?
Common types of phishing attacks
How employees can spot phishing attempts
What is phishing?
Phishing is a cybercrime that involves attackers attempting to trick someone into revealing sensitive information, granting access to a secure network, or downloading malicious software. Most often, successful phishing attempts go undetected until it’s too late—meaning the victim thinks they are clicking a safe link or granting information to a legitimate source. Once the bait’s been taken, hackers can breach the organization’s network and exploit sensitive data for ransom.
How prevalent are phishing attacks?
If it seems like phishing attempts are on the rise–you’re not wrong. Here are some statistics that show the prevalence of phishing over the past few years.
The average number of weekly attacks faced by organizations in the second quarter of 2022 was up 32% compared to last year [Check Point Software]
37% of successful cyber attacks are suspected to be started by employees falling for phishing lures [Palo Alto Networks]
In June 2021 alone, AI-based email security provider Vade observed 4.2 billion phishing attempts [Vade]
Common types of phishing attacks
Cybercriminals are always on the prowl for new and creative ways to target their victims. A vast majority of phishing attempts are via email, because it’s more difficult for law enforcement to track them to their original source.
Here are the most common types of phishing attacks employees encounter:
Spear phishing — Hackers target a specific person in an organization who has access to sensitive data or financial information (like accountants or HR). Here, they’ll often send emails impersonating a leader in the organization and ask the targeted individual to send them sensitive information.
The CEO ploy — Similar to spear phishing, hackers will again impersonate a company executive or CEO and ask a particular employee to perform a task (such as buying gift cards, transferring money, or inputting sensitive information).
Malicious links — Emails that contain a link to what appears to be a legitimate website or login portal, but is actually a cloned site made by the hacker to encourage employees to enter their login information.
Malware and viruses — Tricking employees into downloading malicious software that contains malware or viruses that can infect the organization’s network.
Wi-Fi spoofs — Beware of public Wi-Fi. Hackers can create a spoof Wi-Fi network that enables them to steal information and spy on the activity of those connected to it—and often, they look like a legitimate, company-owned Wi-Fi network.
How employees can spot phishing attempts
An organization’s first line of defense is its staff—so it’s critical that employees are trained on the common signs of a phishing attack. Here are a few to watch out for:
1) Sender information
Hackers impersonating executives or organizations create email aliases that can look legitimate—copying names, email signatures, formatting and other details to appear to be the real deal. If you’re suspicious, look for misspellings in the sender’s email address or domain name. Pay special attention to look-alike characters used to dupe you (like an uppercase I substituted for a lowercase l in an email address).
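To show what this check looks like when done mechanically, here is an added Python example that is not part of the original guide. It classifies a raw From: header against a constructed list of trusted domains, folding common look-alike substitutions (uppercase I, digit 1 or a pipe for lowercase l, rn for m, and a few Cyrillic letters that render like Latin ones) so that a spoofed domain collapses onto the name it imitates; it also flags a trusted brand in the display name paired with an unrelated domain. The trusted-domain list, the confusable tables and the sample headers are all assumptions made for illustration.

```python
"""Flag look-alike sender domains in From: headers (constructed example)."""
import unicodedata
from email.utils import parseaddr

# Domains this organization expects mail from (assumption for illustration)
TRUSTED_DOMAINS = {"example-corp.com", "netflix.com"}

# Single characters that render almost identically to a Latin letter
CONFUSABLES = {
    "I": "l",        # capital i passed off as lowercase L
    "1": "l",
    "|": "l",
    "0": "o",
    "\u043e": "o",   # Cyrillic small o
    "\u0430": "a",   # Cyrillic small a
    "\u0435": "e",   # Cyrillic small ie
    "\u0441": "c",   # Cyrillic small es
    "\u0440": "p",   # Cyrillic small er
}
# Pairs of letters that read as one letter at a glance
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}


def normalize_domain(domain: str) -> str:
    """Collapse look-alike characters so a spoof maps onto the name it imitates."""
    # NFKC turns fullwidth and other compatibility forms into plain ASCII
    folded = unicodedata.normalize("NFKC", domain)
    # Substitute before casefolding: 'I' vs 'l' is only confusable in mixed case
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    folded = folded.casefold()
    for pair, single in MULTI_CONFUSABLES.items():
        folded = folded.replace(pair, single)
    return folded


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a raw From: header value."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "unknown"
    domain = address.rsplit("@", 1)[1]
    if domain.casefold() in TRUSTED_DOMAINS:
        return "trusted"
    if normalize_domain(domain) in TRUSTED_DOMAINS:
        return "lookalike"          # spelled to imitate a trusted domain
    # A trusted brand in the display name with an unrelated domain is also a spoof
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display_name.casefold():
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not real messages
    samples = [
        "Jane Doe <jane@example-corp.com>",
        "CEO <ceo@exampIe-corp.com>",             # capital I instead of l
        "Accounts <ap@exarnple-corp.com>",         # rn instead of m
        "HR <hr@example-c\u043erp.com>",           # Cyrillic o
        "Netflix Billing <billing@nettflix-support.example>",
        "Support <help@nettflix-support.example>",
    ]
    for header in samples:
        print(f"{classify_sender(header):9s} {header}")
```

The substitution tables are deliberately small; a mail gateway would use a fuller confusables list, but the structure is the same: normalize the candidate domain and see whether it lands on a name you already trust.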
2) Spelling and grammar errors
If an email is poorly written and contains spelling and grammar errors, it could be a scam. A theory is that cybercriminals intentionally input errors into emails so that they can identify their most gullible targets—meaning if someone ignores obvious clues like a poorly written email, they’re more likely to fall for the hacker’s entire ploy.
Notice the minor errors in the email below, like lack of spacing after a period, or failure to capitalize the company’s name.
3) Request for sensitive or personal information
If an email unexpectedly asks you to provide personal information like login credentials, credit card information, birthdates or other sensitive data, be on high alert: it could be a scam. Most legitimate corporations will never ask you to send sensitive information in an unsecured email because of the known risks. When in doubt, throw it out.
4) Sudden and urgent requests
One technique cybercriminals use to get people to bypass logical thought is creating a sense of extreme urgency. This might look like:
Emails that notify you of late payments or billing issues with urgent action required
Threats of legal repercussions if immediate action isn’t taken on an account
Notes from executives requesting immediate access to sensitive information
If it was really that urgent, they’d call–so if you’re uncertain whether it’s legitimate or not, contact the sender over the phone to confirm.
5) Too good to be true offers
Did you suddenly win a free trip to Hawaii? Receive a link to claim your free $100 gift card to Amazon? Get 75% off that TV you’ve had your eye on? Buyer beware! These are all too-good-to-be-true tactics to convince you to click on malicious links or provide personal information to claim your prize. If it seems like a dream, it probably is.
6) Suspicious links
The best way to spot a suspicious link is to check its destination address by hovering over it before you click. For example, if you receive an email from Netflix, the domain in the destination address should be netflix.com. If you hover over a button or a link, or right-click, select “copy link address” and paste it into a Word document, you’ll reveal the true destination URL and can determine whether it’s legitimate.
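As an added example that is not part of the original guide, the Python below performs the hover check programmatically: it takes the visible link text and the real link address, extracts the hostname a browser would actually connect to, and lists the reasons a link looks suspicious. It goes a little beyond the paragraph by also catching a brand name buried inside a longer unrelated domain, a “user@” prefix that hides the real host, bare IP addresses, and link text that disagrees with the destination. The expected domain and the sample links are constructed for illustration.

```python
"""Check where an email link really goes (constructed example)."""
import ipaddress
import re
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Hostname a browser would connect to, lowercased, without a trailing dot."""
    return (urlsplit(url.strip()).hostname or "").rstrip(".")


def is_under(host: str, expected_domain: str) -> bool:
    """True when host is the expected domain or one of its subdomains."""
    expected = expected_domain.casefold()
    return host == expected or host.endswith("." + expected)


def is_ip_literal(host: str) -> bool:
    """True for addresses like 203.0.113.5 that no legitimate brand link uses."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(anchor_text: str, href: str, expected_domain: str) -> dict:
    """Compare the visible link text and real href against the expected domain."""
    reasons = []
    parts = urlsplit(href.strip())
    host = host_of(href)
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme '{parts.scheme}'")
    if not host:
        reasons.append("no hostname in link")
    elif is_ip_literal(host):
        reasons.append("link points at a bare IP address")
    elif not is_under(host, expected_domain):
        reasons.append(f"destination '{host}' is not under {expected_domain}")
        if expected_domain.casefold() in host:
            reasons.append("brand name is buried inside an unrelated domain")
    if parts.username is not None:
        reasons.append("'user@' before the host hides the real destination")
    # If the link text itself looks like an address, it must match the real one
    shown = anchor_text.strip()
    if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", shown, re.IGNORECASE):
        shown_host = host_of(shown if "://" in shown else "https://" + shown)
        if shown_host and shown_host != host:
            reasons.append(f"text shows '{shown_host}' but link goes to '{host}'")
    return {"host": host, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links, not taken from a real message
    samples = [
        ("Update your payment method", "https://www.netflix.com/account"),
        ("Sign in", "https://netflix.com.account-verify.example/login"),
        ("Sign in", "https://netflix.com@evil.example/"),
        ("Sign in", "http://203.0.113.5/netflix/login"),
        ("https://www.netflix.com/account", "https://login-netflix.example/x"),
    ]
    for text, href in samples:
        result = check_link(text, href, "netflix.com")
        print(("SUSPICIOUS" if result["suspicious"] else "ok        "), href)
        for reason in result["reasons"]:
            print("   -", reason)
```

The check only sees the final hostname in the link; a URL shortener or redirect service hides the real destination until the link is followed, so a link of that kind in an unexpected email is better reported to IT than tested by clicking.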
7) Email attachments
Beware of opening email attachments if you’re not absolutely certain they came from a legitimate source. Cybercriminals can disguise a malicious attachment as a regular PDF or image file simply by changing the file name. Always hover over the attachment to reveal the full file name and the extension at the end, and watch for the most dangerous types of email attachments:
EXE files
Compressed files
Installers
Office documents
For more information on why these file types are dangerous, check out this Forbes article.
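Here is an added Python example, not from the original guide, that applies the attachment rules above to a file name: it finds the extension the operating system will actually use, flags a decoy extension such as .pdf placed in front of the real one, whitespace padding or a Unicode direction-override character that pushes the true extension out of view, and reports which of the four dangerous categories the file falls into. The extension lists, the decoy list and the sample names are constructed assumptions rather than an exhaustive policy.

```python
"""Assess an email attachment by its file name (constructed example)."""

# Extension families the guide calls out; these sets are assumptions, not exhaustive
DANGEROUS = {
    "executable": {"exe", "scr", "com", "pif", "bat", "cmd", "ps1",
                   "vbs", "js", "jse", "wsf", "hta", "lnk"},
    "compressed": {"zip", "rar", "7z", "gz", "iso", "img", "cab"},
    "installer": {"msi", "msix", "msp", "pkg", "dmg", "appx"},
    "office document": {"doc", "docx", "docm", "dot", "dotm", "xls", "xlsx",
                        "xlsm", "xlsb", "ppt", "pptx", "pptm", "rtf", "one"},
}
# Harmless-looking extensions used as a decoy in front of the real one
DECOY = {"pdf", "jpg", "jpeg", "png", "gif", "txt"}
# Unicode direction controls that make "fdp.exe" display as "exe.pdf"
BIDI_CONTROLS = "\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"


def assess_attachment(filename: str) -> dict:
    """Return the effective extension, its danger category and why it was flagged."""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in filename):
        reasons.append("direction-override character disguises the real extension")
        filename = "".join(ch for ch in filename if ch not in BIDI_CONTROLS)
    parts = filename.split(".")
    # The operating system opens the file by its LAST extension, whatever is shown
    ext = parts[-1].strip().casefold() if len(parts) > 1 else ""
    if any(p != p.strip() for p in parts):
        reasons.append("whitespace padding pushes the real extension out of view")
    if len(parts) > 2 and parts[-2].strip().casefold() in DECOY:
        reasons.append(f"decoy '.{parts[-2].strip()}' sits in front of '.{ext}'")
    category = next((c for c, exts in DANGEROUS.items() if ext in exts), None)
    if category:
        reasons.append(f"'.{ext}' is a {category} type the guide warns about")
    return {"extension": ext, "category": category, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample attachment names
    samples = [
        "photo.jpg",
        "Q3_report.xlsm",
        "setup.msi",
        "invoice.pdf.exe",
        "invoice.pdf                                  .exe",
        "report\u202efdp.exe",     # displays as "reportexe.pdf"
    ]
    for name in samples:
        result = assess_attachment(name)
        print(repr(name), "->", result["category"] or "no flagged type")
        for reason in result["reasons"]:
            print("   -", reason)
```

A file name is only a first screen: a .zip can hold any of the other types, and a macro-free office document is lower risk than a macro-enabled one, so an unexpected attachment in any of these categories still warrants confirming with the sender through a channel other than the email itself.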
8) Strange security alerts
If you receive a security alert from a company you’re an actual customer of, it’s easy to believe it’s legitimate and jump into action to secure your account—but that’s the exact psychology that many cybercriminals rely on. In these types of emails, always check the destination links and the sender addresses for legitimacy. If you’re unsure whether it’s legitimate or not, phone the organization’s customer support line or ask your IT department to confirm.
Train your employees on phishing
Your organization's cyber security defenses are only as strong as your weakest link—which is why ongoing staff training and penetration testing should be a critical part of your plan. Not sure where to start? Developing internal communications around cyber safety will help create awareness, and sharing articles like this one with your staff is a great first step.
For help developing and deploying a cyber security strategy that will minimize risk and protect your organization, reach out to our experts at IX Solutions today.