Training your team to spot a phishing email is key to avoiding scams. With 32% of all cyber-attacks involving phishing, it's clear that even when people think they know what to look for, scams can be hard to spot.
Look at the email address
If an email domain ends with @outlook.com, @yahoo.com or @gmail.com it's not from a legitimate organisation. Even Google won't email you from an address that ends in gmail.com. Always look at the email address and not just the sender's name. Cyber criminals have lots of tricks to make themselves look legitimate, and they hope people won't look too closely.
However, it can be tough to tell a really good fake email from a legitimate one. If it has a logo, uses the company name, copies the layout and even links to the real website, you could be tricked into thinking it's from the real company. But if you look at the email address it won't say @PayPal, for example; it will say something like firstname.lastname@example.org. So always expand the details and look at the email address, especially when the email asks for financial information or login details.
Look at the language
If an email has bad spelling and grammar it's quite possibly a phishing attack, especially if it claims to be from a real company. Big businesses have teams of people who send out emails to customers, and those emails have to have excellent spelling and grammar. It's similar to the Nigerian prince scam that people often mock: you still receive those emails because, unfortunately, people still fall for them.
Look at the links
You can hover over a link or a button to see where the actual URL takes you without clicking on it. If you're ever unsure of an email link, always do this, and if it doesn't send you to a simple address such as 'linkedin.com' but instead has loads of numbers in it, don't click on it!
Look to see if the email demands action
This applies to business emails as well as personal ones. If an email pings into your inbox that looks legitimate but demands urgent action, always check that it has come from a real person. The current trend sees cyber criminals posing as someone from HMRC or TV Licence operators, saying you're either due a refund or owe money and need to do something now. HMRC will never email you information like this, and neither will TV Licence operators.
Most workers will drop whatever they're doing if an urgent email, such as a request for a payment transfer, appears to come from their boss. Make sure your team know that this is not how the company operates and that no one will ever ask them to send money via email. If you get an email like this, always start a new email (don't reply to the sender) and ask whether the request is genuine.
Look at the greeting
Increasingly you will notice that scammers send emails that include your name in the first line of the message. However, not all of them do: sometimes a scam email will just say "hi" without your name, and other times your email address will be used after "hi".
This impersonal approach to contacting you is another sign that it’s likely to be a scammer behind the email.
Look at the branding
Scam emails often pretend to be from big brands, companies, supermarkets, retailers and deal sites, or from trusted government departments. Checking the branding, and the quality of the branded logos and similar elements in the email, can be a strong indication of whether the email is a scam. Is the branding in the email the same as on the company or government website? Does it match the last genuine email you received from them? If the answer is no, be suspicious.
Look at what they are asking for
If an email asks you to update or re-enter your personal or bank details out of the blue, it is likely to be a scam. Personal information includes things like your National Insurance number, credit card number, PIN, credit card security code, your mother's maiden name or any other security answers you may have set. Most companies will never ask for personal information to be supplied via email.
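As an added example (not part of the original post), here is a small Python script that applies the checks above to one email: webmail sender domain, display name versus actual address, visible link text versus real link target and hosts full of numbers, impersonal greeting, urgency wording, and requests for card or login details. The sample message, the addresses in it and the 192.0.2.10 link target are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

FREEMAIL = {"outlook.com", "yahoo.com", "gmail.com"}  # the article's webmail red flags
URGENCY = ("urgent", "immediately", "act now", "within 24 hours", "owe money")
SENSITIVE = r"\b(card number|pin|password|login details|security code)\b"
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(text):
    # Hostname of a URL, or of a bare domain such as the visible link text.
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def phishing_indicators(raw):
    """Return the checklist indicators tripped by one single-part HTML email."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    html = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", html).lower()  # visible text only
    hits = []
    if domain in FREEMAIL:
        hits.append("sender uses a webmail domain: " + domain)
    # Crude: a brand in the display name should also appear in the address (this
    # also flags people whose name is not in their company domain, so it is a
    # prompt to look closer, not a verdict).
    brand = name.split()[0].lower() if name else ""
    if brand and brand not in domain:
        hits.append(f"display name '{name}' does not match {domain}")
    for href, label in LINK_RE.findall(html):
        target = _host(href)
        if re.search(r"\d", target):  # "loads of numbers", e.g. a raw IP address
            hits.append("link target contains numbers: " + target)
        shown = _host(re.sub(r"<[^>]+>", "", label).strip())
        if "." in shown and shown != target:  # text names one site, link goes elsewhere
            hits.append(f"link shows {shown} but goes to {target}")
    greet = re.match(r"\s*(hi|hello|dear)\b\s*([^\s,]*)", text)
    if greet and (not greet.group(2) or "@" in greet.group(2)):
        hits.append("impersonal greeting: " + greet.group(0).strip())
    if any(word in text for word in URGENCY):
        hits.append("demands urgent action")
    if re.search(SENSITIVE, text):
        hits.append("asks for login or bank details")
    return hits

# Constructed sample (not a real message) in the shape the article describes.
SAMPLE = ("From: PayPal Support <paypal.alerts@gmail.com>\n"
          "Content-Type: text/html\n\n<p>Hi jane@example.org,</p>\n"
          "<p>Confirm your card number immediately or we close the account.</p>\n"
          '<p><a href="http://192.0.2.10/verify">paypal.com</a></p>\n')
```

Running `phishing_indicators(SAMPLE)` trips all seven checks; a genuine invoice from the company's own domain, with a link whose text and target agree and a greeting that uses your name, returns an empty list.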
SO WHAT CAN YOU DO?
Spam filters aren't enough to stop all scam emails getting through, so you need to educate your team, provide training and deploy additional security features.
With Sophos Phish Threat you can test your team without causing any damage to your systems. You can register 100 users for the evaluation, and it will send them realistic and challenging emails to see if they fall for a phishing scam. It also gives you automated reporting on the results, along with training options.
2. Advanced Email Protection
Advanced Email Protection works by opening folders and links in the cloud to see if they're safe. If they are, it releases them to your inbox; if it picks anything up, it blocks them. This isn't always 100% accurate, so you should still check emails yourself if you're not sure.
3. Have a plan in place
If a member of staff does fall victim to a phishing email, make sure they know it must be reported immediately. Create an incident response plan and make sure it covers your regulatory responsibilities in case sensitive information has been sent out.
Call CSG to find out more on 0330 400 5465