
The editors of humor magazine Mad, a periodical well known for its self-deprecation, jokingly recounted that it was about two days after the second issue’s publication that they began receiving letters musing that Mad “wasn’t as good as it used to be.” The story was an exaggeration (or was it?) built on the reality of the magazine’s decidedly inconsistent quality and evolving audience through the years. Similarly, the first instance of phishing probably didn’t arrive immediately after the broad adoption of email by the public, but it was only a matter of time before scammers would take advantage of both the technology and human nature.
Katalyst recently explored why it’s critical for organizations to keep employees informed and steps they can take to minimize threats. But with hackers’ increasingly sophisticated efforts to dig into data, we present a primer on how to spot a phishing email when it makes its way into your inbox.
Caution Over Carelessness
If you only take away one piece of advice from this article, make sure it’s this: if you even remotely question a message’s integrity, do your due diligence. If it seems like a trick, don’t click!
“If it doesn’t look right, it probably isn’t,” says David Payette, founder and CEO of UpPhone. Inconsistent font size, poor grammar, and logos that appear off are often hints that something is amiss. “The truth is that most phishers simply don’t have the skills or take the time to make a really good forgery,” Payette continues. “The ‘trust your gut’ strategy isn’t foolproof…but it could make all the difference when it comes to keeping your confidential information safe.”
Trust your gut and trust the experts at Katalyst, who have worked with companies in training employees and helping them not only recognize phishing but learn how to respond (or more appropriately, not respond).
What Should You Look For?
Sender details
The first warning sign may be visible before you even open an email. If a message purportedly from a company arrives not via their own domain but a more general one such as Yahoo or Gmail, it’s almost certainly illegitimate. Less obvious are instances where scammers use similar-looking characters—a 1 in place of a lowercase l, a 0 for an O—but those with sharp eyes and strong training will know to look for this.
Similarly, another clear-cut clue can be found in the “To:” field. If that field is empty or contains an address other than your own, it’s likely that you’re one of many targets of a “spray and pray” con. There’s also the curious phenomenon of “spoofing,” a shockingly simple technique in which a scammer makes the message appear to come from an email address other than the one that actually sent it, so that it looks trustworthy. Not all email providers allow this option, and it is possible, if not always intuitive, for recipients to determine the actual sender.
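The sender checks described in the two paragraphs above (generic webmail domain, look-alike characters in the domain, an empty or impersonal “To:” field, and a “From:” address that does not match where the mail actually came from) can be automated. The following is an added example, not Katalyst’s code: it parses a raw message with Python’s standard email library and returns a list of warnings. The sample messages, the list of webmail providers, the brand-to-domain map and the confusable-character table are all constructed for illustration.

```python
"""Sender-detail checks on a raw email message (added example, not Katalyst's code)."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed: public webmail domains a company would not send official mail from.
GENERIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed: the brands we expect mail from and the domain they really use.
BRANDS = {"Example Bank": "examplebank.com"}

# Constructed: look-alike substitutions (the text's "1 for l, 0 for O", plus two more).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("|", "l"))


def normalize(domain: str) -> str:
    """Replace look-alike characters so 'examp1ebank.com' compares equal to 'examplebank.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header value, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def check_sender(raw_message: str, my_address: str, brands: dict) -> list:
    """Return warning strings for suspicious sender details; an empty list means none found."""
    msg = message_from_string(raw_message)
    warnings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Mail from a "company" that arrives via a generic webmail provider.
    if from_domain in GENERIC_WEBMAIL:
        warnings.append(f"sender uses generic webmail domain {from_domain}")

    # 2. Look-alike domain: a brand name is claimed, but the domain only matches after
    #    confusable characters are normalised (or does not match at all).
    for brand, real_domain in brands.items():
        claimed = (brand.lower() in display_name.lower()
                   or brand.lower().replace(" ", "") in normalize(from_domain))
        if not claimed or from_domain == real_domain or from_domain.endswith("." + real_domain):
            continue
        if normalize(from_domain) == normalize(real_domain):
            warnings.append(f"look-alike domain {from_domain} imitates {real_domain}")
        else:
            warnings.append(f"claims {brand} but was sent from {from_domain}")

    # 3. "Spray and pray": the To: field is empty or does not contain your own address.
    to_addrs = [addr.lower() for _, addr in getaddresses([msg.get("To", "")])]
    if my_address.lower() not in to_addrs:
        warnings.append("To: field is empty or does not contain your address")

    # 4. Spoofing: the visible From: domain disagrees with the envelope sender (Return-Path).
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    if return_path_domain and return_path_domain != from_domain:
        warnings.append(f"From: domain {from_domain} differs from Return-Path domain {return_path_domain}")
    return warnings


# Constructed sample: look-alike domain, no To: header, mismatched Return-Path.
PHISH = """From: "Example Bank Support" <alerts@examp1ebank.com>
Return-Path: <bounce@mailer-hub.example.net>
Subject: Urgent: verify your account

Your account will be suspended unless you act now.
"""

# Constructed sample: a message that passes all four checks.
LEGIT = """From: "Example Bank" <alerts@examplebank.com>
Return-Path: <bounce@examplebank.com>
To: Jane Doe <jane@example.org>
Subject: Your statement is ready

Your monthly statement is available in online banking.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, check_sender(raw, "jane@example.org", BRANDS))
```

The Return-Path comparison is the part a recipient cannot see without opening the full headers, which is why the article says determining the real sender is possible but not intuitive; a mail gateway can make the same comparison on every message automatically.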
Typos and style
Typos can slip past even the bset of us (see?), but any self-respecting organization will ensure that its communication is professional and grammatically correct. Don’t reward a hustler who was too lazy to proofread an email that uses the wrong “there/their/they’re.” Companies also typically personalize correspondence. An email that begins with something like “Dear Amazon User” should immediately raise a red flag.
However, don’t assume that proper spelling automatically means that things are on the level. There are plenty of examples of phishing that would pass an English test. “Not all spam looks crude and unprofessional,” says Thomas Evans, Engineer Emeritus/Security Trainer at Ashton Solutions. “Spammers are getting better with their language skills, so poorly constructed emails are not nearly as common as they once were.”
Warnings/urgency
Scammers have become savvier over the years, but that’s not by choice. The general public knows enough to not pass along their bank account information to any Nigerian princes. Because of this, one common tactic they now use is expressing a sense of urgency that will instinctively send even the most clear-thinking recipient into a panic. By alarming users and suggesting that their information is at risk and the situation requires an immediate resolution, someone who otherwise would ascertain it’s a hoax might be too frenzied to look for signs of phishing.
Keep in mind: it is very rare that a company will request payment information or personal details unprompted. If you didn’t specifically pursue a password reset or make a recent purchase, why would they have reached out? Unless you are 100% positive the message is legitimate, open a new browser window and manually load the website to see if you come across a similar prompt. Better yet, look up the company’s phone number and speak to someone to verify the message’s integrity and bring attention to the possible scam.
Links and attachments
Any unexpected link or attachment must be viewed with skepticism. It is straightforward to modify a hyperlink to appear as though it leads to another site. Hover over the link to see a preview of where it will actually take you. If your email provider doesn’t allow this option, forward it to your IT team for review. As mentioned in our previous phishing article, it’s better to delay responding to a valid message than to put your company at risk.
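Hovering reveals the gap between a link’s visible text and its real destination; the same comparison can be made in code before a message reaches the inbox. The block below is an added example (not Katalyst’s code) that uses Python’s standard HTML parser to collect every link in an HTML body and flags those whose visible text names one host while the href actually leads to another. The sample HTML is constructed; the helper names are my own.

```python
"""Detect hyperlinks whose visible text and real destination disagree (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain: str) -> str:
    """Host a URL (or bare domain) really points to, lower-cased, without a leading 'www.'.

    urlparse().hostname also handles the 'https://trusted.example@real-host/' form,
    where the part before '@' is credentials, not the destination.
    """
    candidate = url_or_domain.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname or ""
    return host.lower().removeprefix("www.")


# Visible text that itself looks like a URL or domain, e.g. 'examplebank.com/login'.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def find_mismatched_links(html: str) -> list:
    """Return (visible text, real href) pairs where the text names a different host than the href.

    Links whose text is not URL-like ('click here') cannot be judged this way and
    still need the hover check the article recommends.
    """
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        if LOOKS_LIKE_URL.match(text) and host_of(text) != host_of(href):
            suspicious.append((text, href))
    return suspicious


# Constructed sample body: two disguised links, one plain-text link, one honest link.
SAMPLE = """<p>Please visit
<a href="http://examplebank.com.login-verify.example.net/x">https://www.examplebank.com/login</a>
to confirm, or read our <a href="https://www.examplebank.com/help">help pages</a>.
Statements: <a href="https://examplebank.com/statements">examplebank.com/statements</a>.
Secure portal: <a href="https://examplebank.com@phish.example.net/">https://examplebank.com</a></p>"""

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE):
        print(f"text says {text!r} but link goes to {href!r}")
```

Only links whose text claims a destination are flagged; a link reading “help pages” is neither safe nor unsafe on this evidence alone, which is exactly why the article tells you to hover or forward the message to IT.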
Attachments are usually more dangerous than links, and it is common email etiquette not to send them without prior warning or request. “No attachment is safe,” says Evans. “There is no type of attachment that cannot be modified to be malicious. Before you open any attachment, be as sure as you can be it is legitimate.”
Do your part to combat spam and phishing by reporting it to the FTC. Stay safe and stay smart!
Special thanks to Phil Bosco, founder of SecurityIllusion.com