BNMC Blog
Tip of the Week: Identifying a Phishing Message Before You’re Hooked
Phishing attacks are a fashionable strategy for many cybercriminals and have been for some time. From the infamous Nigerian Prince email scam to the generic urgent message from the bank, most people have seen at least one example of phishing hit their inbox.
While these potential threats are frustrating to look out for, that is exactly what needs to be done to prevent their success. Here are five tips to help you spot a phishing attack before it is too late.
Extreme Urgency
When somebody is trying to phish you, they often rely on you panicking and not fully thinking through the message. That’s why, whenever you receive an email labelled “urgent” and written in an intimidating tone, you need to take a few breaths and consider it a little more.
There is no questioning that email is an extremely valuable communication tool, but at the same time, would it really be how you sent someone an urgent, time-sensitive message over something like a phone call?
Even if it does come in via a phone call, any message you receive should be carefully considered before you act.
Attachments
Email gives business users so much utility, but that also lumps in those who make cybercrime their business as well. Email makes it much easier for a cybercriminal to send along a malware payload, hidden inside an attachment.
Therefore, you should never click into an email attachment that you didn’t anticipate receiving, and even think twice about the ones you did expect. Many organizations—like financial institutions and the like—are favorite ruses of cybercriminals, despite the fact that these organizations will either use a dedicated solution to reach out to you or call you directly before sending along an attachment. Unless you know with confidence what an attachment contains, it is best not to click on it at all.
Spelling and Grammar Errors
Let me ask you a question: if you were to receive any kind of written correspondence from a business, whether it was an email, a letter, what have you, would you take that business seriously if it was riddled with mistakes and misspellings? Unlikely.
Businesses are generally very aware of this, and usually put forth the effort to ensure that the materials and messages they send out are carefully edited before they distribute them for this very reason. Would you trust this blog if every other sentence featured a misspelled word or misused punctuation mark?
In a phishing message, however, the individual writing it is actively banking that their reader won’t be paying too close attention, making such errors less important. While this isn’t a hard and fast rule, it is a good way to keep your business safe.
Requests for Personal Information
In a similar vein, does it make sense that a business that presumably already has your sensitive information would reach out and ask for it again via email?
No, it doesn’t, and that’s why legitimate businesses tend not to do this.
While this is also a generalization and there will be exceptions, a scammer will generally be the only party to request sensitive and personal information over email. A legitimate business will have a different tool they use to collect this data if they need it, as they need to abide by the compliance and security requirements that are likely imposed on them by some regulatory body.
Suspicious Links
Finally, we need to discuss links, particularly those that come included in a surprise email. Links are remarkably easy to manipulate, so while you may think you’re visiting another business’ website or someone’s LinkedIn page you could very well be navigating to a website intended to deliver malware, steal access credentials, or even just get you to click into some lewd content that’s inappropriate for the workplace.
Here’s a list of red flags to keep an eye out for:
- 1) Everyone handles their domains a little differently, but use this as a general rule of thumb:
- a) paypal.com - Safe
- b) paypal.com/activatecard - Safe
- c) business.paypal.com - Safe
- d) business.paypal.com/retail - Safe
- e) paypal.com.activatecard.net - Suspicious! (notice the dot immediately after PayPal’s domain name)
- f) paypal.com.activatecard.net/secure - Suspicious!
- g) paypal.com/activatecard/tinyurl.com/retail - Suspicious! Don’t trust dots after the domain!
- 2) Check the email in the header. An email from Amazon wouldn’t come in as . Do a quick Google search for the email address to see if it is legitimate.
- 3) Always be careful opening attachments. If there is an attachment or link on the email, be extra cautious.
- 4) Be skeptical of password alerts. If the email mentions passwords, such as “your password has been stolen,” be suspicious.
We hope this brief rundown helps you keep your business that much safer. For more cybersecurity and productivity best practices, reach out to BNMC at (978) 482-2020.
Comments