For employees, knowing how to spot phishing attacks can help to protect against being duped by hackers. It can also help to defend their company from substantial loss of revenue, legal fees, regulatory fines and loss of business.
Understanding how to spot phishing attempts starts with understanding what phishing is. A phishing attack is a scam that uses email to trick recipients into clicking on a link, opening an attachment or otherwise taking action that produces harmful results. These emails appear to come from a source the user normally trusts – a bank or credit card company, or a shipping company for example. The email may ask users to do something simple like change the password on their account, or provide personal credentials in order to get access to information.
What is spear phishing? Spear-phishing is similar to a phishing email attack but targets a specific individual with information learned about them from their web presence. A spear-phishing email may appear to come from a friend or a trusted business colleague. In the case of CEO fraud phishing, the email sender may seem to be a chief executive or chief financial officer, asking the user to transfer money or to share privileged information.
Successful phishing and spear-phishing attacks can cost a company millions of dollars, destroy business reputations, undermine customer trust and result in legal action and regulatory fines. Clearly, knowing how to spot phishing attacks can help to prevent these devastating consequences.
Here are a few phishing tips that can help users understand how to spot phishing techniques.
1. Look for inconsistencies in links, addresses and domains. Phishing emails often have email addresses that are different than the name on the email account. They may also use domain names that appear to be slightly off in some way. Users can hover on a link to check the address before clicking – oftentimes, links will lead to sites that have nothing to do with the purported sender's domain.
2. Watch out for bad spelling and grammar and unfamiliar language. Phishing attacks often originate in other countries – watching out for unfamiliar language or inaccurate spelling can help to identify phishing emails.
3. Be suspicious of demands for urgent action. Phishing attacks often demand an urgent response and may even threaten recipients with negative consequences unless they respond immediately.
4. Be wary of attachments. Be completely sure of a sender's identity before opening any attachment, even one that appears to come from a trusted source.
Even with intensive training on how to spot phishing attacks, in the fast pace of the business day, many employees will inadvertently click on a link, open an attachment or share sensitive information in an email reply. That's why, in addition to providing training on how to spot phishing attacks, it's important to have automated anti phishing solutions that protect employees from these dangerous threats.
Mimecast provides anti phishing software as part of a comprehensive, SaaS-based service for email security, archiving, continuity and compliance. Mimecast's technology automatically blocks malicious URLs and suspicious attachments, and identifies anomalies in email content, headers and domains that may signal a phishing or spear-phishing attempt.
Mimecast solutions are easy-to-use and can be quickly implemented – as a cloud-based solution, there is no hardware or software to purchase and no capital investment to make.
Learn more about how to spot phishing attacks and about Mimecast's anti-phishing technology.
How does phishing email work?
A phishing email is a fraudulent message designed to lure a recipient into visiting a website where their sensitive information can be collected by attackers and where malware may be downloaded to their computer. Phishing email mimics the design of a reputable company, making it appear as if the message was sent by a person or organization that the recipient knows and trusts. Typically, a phishing email will encourage the recipient to act quickly to take advantage of an offer or to avoid penalties and negative consequences, and require them to enter passwords, bank account numbers, credit card information, Social Security identification or other personal data into forms on a fraudulent website. Once that data is collected, attackers may use it to access the recipient’s accounts and steal identities, data and money.
How to spot a phishing email?
There are several ways to spot a phishing scam.
How to spot a spear-phishing email?
While phishing campaigns send emails to many people and hope a few will bite, spear-phishing campaigns are highly targeted to fewer individuals. Attackers may research targets and use information from online profiles and social media to fill an email with enough detail that the recipient believes it’s from a trusted source. Spear-phishing email recipients are usually higher value targets who have the potential of providing data or taking actions that can deliver a significant amount of money, access or data to the attackers. An email may be part of a spear-phishing attack if:
How to spot a phishing website?
A website used in a phishing attack will likely have many of the hallmarks of a phishing email, including:
How to block phishing email?
The best approach to preventing phishing attacks is to adopt multiple layers of security that include: