5 Ways to Help Your Employees Identify Email Red Flags    

    Email scams are getting more sophisticated and harder to spot. Security teams can thwart scammers by teaching employees these common tip-offs.  

    by Ryan Lynch


    • Most cyberattacks can be traced back to malicious emails. 
    • Attackers’ latest techniques have made it harder to spot fake emails. 
    • Developing clear steps to identify and report email scams is critical for businesses to prevent fraud.


    Phishing has been around almost as long as email itself. The first phishing attack is commonly traced to the mid-90s, when attackers impersonated AOL employees to trick users into giving up their passwords. Soon after came emails from wealthy princes requesting bank account information. Fast-forward, and phishing has evolved into a far more sophisticated and widespread problem, ranking as the number one complaint in the FBI’s 2022 Internet Crime Report.[1] And the threat is likely to grow, as attackers’ use of innovations such as artificial intelligence-powered chatbots (AI chatbots) has made phishing attacks quicker and easier to produce — and more difficult to recognize.

    Employees are constantly barraged by phishing emails that carry malicious links or attachments designed to drop malware, steal network credentials, or otherwise damage their company’s business. They are also besieged by the more sophisticated phishing attacks known as business email compromise (BEC), which spoof executives and brands to request money, sensitive business information, and other valuables.

    In fact, 97% of companies surveyed for Mimecast’s State of Email Security 2023 (SOES 2023) say they experience email-based cyberattacks, and three out of four have seen such threats increase over the past year. To block these threats, security teams need to keep their staffs informed and vigilant on current trends and best practices. Otherwise, companies risk data breaches, downtime, and the losses that accompany them.

    Nearly all (99%) of SOES 2023 respondents say they provide some form of cyber awareness training to staff. But if that training is out of date or insufficient, businesses may have unforeseen vulnerabilities just waiting to be exploited by the newest email scheme. Security teams need to use every tool at their disposal, from interactive video to phishing simulation to basic “how-to” guides. Below is a guide for security teams to share with staff on red flags in emails. 


    Identify The Red Flags of Phishing 

    Cybersecurity awareness training programs need to teach busy, preoccupied staff to reflexively identify red flags in emails. BEC attacks can be customized to fit intended targets, so it’s critical for businesses to tailor their training to the specific threats they face. Still, some universal rules can help protect business email users and their companies’ data. Here are five lessons for employees.

    1. Carefully Read the Content

    Attackers’ use of innovations including AI and machine learning (AI/ML) is expected to make phishing attacks harder to identify from an email’s content alone, but some red flags may still be present. Look for typos and misspellings, especially of official titles or departments, since those mistakes can signify an unfamiliarity with the targeted organization. Additionally, beware of any inconsistencies in tone throughout the email. Disjointed sections may point to a fake that was created by tailoring only the top of a template from a phishing-as-a-service toolkit from the dark web. Email that only uses generic messaging or that contains repetitive phrasing may also have come from a template or AI chatbot, especially if it seems to avoid any company-specific detail.

    As a general rule, take note of anything out of the ordinary. For example, if a contact from a bank usually notifies users of a new secure message without including private information, an email that includes account numbers or balances may be fraudulent. Even something as simple as an invitation to a virtual meeting can be malicious, so check the specifics before clicking links. Is the weekly meeting scheduled for the usual time? Does the invitation use the usual collaboration platform? Any deviations from email norms may be worth following up on with the sender — in person or on the phone, not by replying to the suspicious email. 

    2. Dive into the Details

    Cyber criminals can overlook small but important details of a standard email, like subject phrasing, logo attachments, or signatures. If an internal company email usually ends with a signature that includes specifics such as a phone number or title, look for any discrepancies before clicking links or opening attachments. Recipients should check if the email was also sent to unfamiliar or unrelated individuals or out-of-network accounts. If the email includes a phone number or address that doesn’t match the sender’s usual contact information, that could be a sign of an imposter. However, even if the contact information matches, that doesn’t automatically mean that the email is legitimate. Modern attackers can spoof almost any account — including texts and voice calls — so multiple methods, especially direct contact, can be useful for confirming the original sender.

    3. Look for Suspicious Links and Attachments

    Any link or attachment should be checked before opening, since even a single click can compromise a computer or network. URLs may direct a user somewhere else or have a slightly different spelling, even if the page is an almost perfect copy of a standard login page. Hovering over links or copying and pasting URLs may avoid some dangers, but it is generally safer to go to the website — if you know it is a trusted site — in a browser and log in separately from the email, rather than click on a suspicious link. Similarly, do not download any attachments without vetting them first. For instance, an attachment titled as a PDF may actually be a program file that will install malware upon opening. If an attachment has anything out of the ordinary, such as ending with an unexpected extension like .exe or .zip, opening the attachment may download threats like malware or macros, which can take over a user’s computer and use it to spread malicious cyberattacks. Sometimes avoiding a ransomware attack can be as simple as calling the email sender and confirming that they sent the attachment before opening it.

    Some cybersecurity systems filter out or block most suspicious emails and can decrease the risk of malicious links through techniques such as URL scanning. With 80% of SOES 2023 respondents reporting attacks that spread from one user to other employees, each blocked email can save a company a major headache. And as AI and machine learning models improve, these systems will likely become even more effective.
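
    The link and attachment checks from this section, written as a small triage script a security team could run over reported messages. This is an added example, not Mimecast code; the trusted-domain list, the 0.85 similarity threshold, and all function names are assumptions chosen for illustration.

```python
import os
from difflib import SequenceMatcher
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"example-bank.com"}  # assumed allow-list of domains staff really use
RISKY_EXTS = {".exe", ".zip"}   # the extensions the article names

class Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # start collecting the visible text of this link
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return urlparse(url if "://" in url else "//" + url).hostname or ""

def red_flags(msg):
    flags, parser = [], Links()
    body = msg.get_body(preferencelist=("html",))
    parser.feed(body.get_content() if body is not None else "")
    for href, text in parser.found:
        target = host_of(href)
        if text.lower().startswith(("http", "www.")) and host_of(text) != target:
            flags.append(f"link text shows {host_of(text)} but opens {target}")
        base = ".".join(target.split(".")[-2:])  # naive registrable domain
        for good in TRUSTED:  # assumed threshold: 0.85 similarity, not equal
            if base != good and SequenceMatcher(None, base, good).ratio() >= 0.85:
                flags.append(f"{base} is a near-miss spelling of {good}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if os.path.splitext(name)[1] in RISKY_EXTS:  # final extension decides
            flags.append(f"attachment {name} has a risky extension")
    return flags

def build_message(href, text, filename):  # constructed sample input
    m = EmailMessage()
    m.set_content("See the HTML part.")
    m.add_alternative(f'<a href="{href}">{text}</a>', subtype="html")
    m.add_attachment(b"\x00", maintype="application", subtype="octet-stream", filename=filename)
    return m
```

    Calling `red_flags(build_message("http://examp1e-bank.com/login", "https://www.example-bank.com/login", "invoice.pdf.exe"))` reports the mismatched link, the lookalike domain, and the attachment whose real extension is .exe. The two-label domain split is deliberately naive and misreads suffixes such as .co.uk.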

    4. Think About the Timing

    Emails received after standard business hours, like an email from a supervisor sent at 3 a.m., may signify an increased likelihood of fraud. For companies with a hybrid/remote workforce or with international offices, it may be more commonplace to receive overnight emails, but it is worth checking the sender’s time zone or looking for other red flags before satisfying any requests. Similarly, check that the email’s timing is appropriate, relative to its content. If payroll emails are always sent on Friday afternoon, for example, a Wednesday morning request for payroll information might be a red flag. Or, for an external example, receiving a vendor receipt months after an order was delivered could point to a breach in the seller’s cybersecurity system that is attempting to spread to customers.

    Another common timing trope used in fraudulent emails is forced urgency, like requesting an immediate reply before the user has a chance to think about what they’re doing. Phishing emails often include subjects like “urgent action needed” or threaten “account termination” if the recipient doesn’t immediately provide personal information such as an account number or credentials. Such urgency should almost always be considered a red flag, and users should be cautious before clicking links or providing any authentication information. 

    5. Trust Your Instincts

    One of the most important skills an email user can learn is a simple one — if something seems off, they should trust their instincts. If an email looks strange, err on the side of caution and check for other red flags, contact the IT team, externally confirm with the sender before continuing — or all of the above. Many companies have procedures in place to report suspicious emails. Those procedures are often tailored to the specific threats a business faces and can be more effective in the fight against cybercrime than general rules. Additionally, IT teams can use flagged emails to learn more about potential attacks and create more effective procedures and cybersecurity awareness training programs going forward.

    Phishing Email Red Flags - The Bottom Line

    Email is one of the biggest cybersecurity vulnerabilities for businesses, and phishing remains the most common cybercrime reported to the FBI. But security teams can proactively train staff to identify red flags and minimize the risk of business email compromise. By carefully reading emails, remaining cautious of links or attachments, and checking details like timing and standard procedures, employees can avoid falling for common phishing email scams and stay vigilant in keeping their company’s data safe and secure. Learn more about Mimecast’s cybersecurity awareness training.


    [1] “Internet Crime Report 2022,” FBI

