Phishing emails have cost businesses $3.1 billion since January 2015. What’s the main reason for this compromise? Untrained users. For example, many of us forget to pay attention to the “from” field in emails, one of the biggest tell-tale signs of a phishing attack.
Verizon’s 2016 Data Breach Investigations Report found that phishing emails have a 30 percent open rate and that 12 percent of recipients go on to click the malicious attachment or link. Unfortunately, no matter how sophisticated our email filtering is, some phishing emails will make it to the inbox. Therefore, a critical part of any email security strategy must be user education. The ten tips below walk through the signs that an email is a phish; several of them refer to one example: a message whose display name reads “Bank of America” but whose sender address is at comcast.net.
Tip 1: Investigate the Display Name
Faking the display name of an email is a classic phishing ploy. Such an email makes it into your inbox because email authentication (SPF, DKIM and DMARC) checks the domain of the header From address, not the display name. In the example, the message really was sent from a comcast.net mailbox, so comcast.net’s authentication passes; the fact that “Bank of America” doesn’t own comcast.net is never checked. Once it has been delivered, the email will appear legitimate because the display name is all that most desktop inboxes and mobile mail clients show. Rather than relying on the display name, expand the sender and check the header From address as well. If the address does not belong to the organisation the display name claims, flag it.
Tip 2: The Header From Email Address
Not only can the display name be fake, but the header From address (and its domain) can be as well. Keep in mind that just because the sender’s email address looks legitimate (e.g. firstname.lastname@example.org), it may not be: attackers register domains that differ from the real one by a single character, swap a digit for a letter, or put the brand name in a subdomain of a domain they control. A familiar name in your inbox isn’t always who you think it is!
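The check described in Tips 1 and 2, as an added example that is not code from the original article: it separates the display name from the real header From address, decides which brand (if any) the message is presenting itself as, and reports a display name that does not match the sending domain as well as a lookalike domain. The brand-to-domain table, the digit-for-letter substitutions and the sample headers are constructed for illustration.

```python
"""Classify a From header the way Tips 1 and 2 describe (added example)."""
from email.utils import parseaddr

# Assumption: the domains each brand legitimately sends from (constructed table).
BRAND_DOMAINS = {
    "bank of america": {"bankofamerica.com"},
    "paypal": {"paypal.com"},
}

# Digit-for-letter substitutions commonly seen in lookalike domains (paypa1.com).
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def split_from(header_value):
    """Return (display_name, address, domain) for a raw From header value."""
    name, addr = parseaddr(header_value)
    domain = addr.rpartition("@")[2].lower()
    return name.strip(), addr.lower(), domain


def squash(domain):
    """Collapse a domain to letters only so lookalikes compare by shape:
    'bankofamerica-secure.com' -> 'bankofamericasecurecom', 'paypa1.com' -> 'paypalcom'."""
    return domain.translate(_LEET).replace("-", "").replace(".", "")


def claimed_brand(name, domain):
    """Which brand, if any, the message is presenting itself as."""
    for brand in BRAND_DOMAINS:
        if brand in name.lower() or brand.replace(" ", "") in squash(domain):
            return brand
    return None


def is_brand_domain(domain, brand):
    """True when domain is one of the brand's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])


def classify_from(header_value):
    """Return 'ok', 'display-name spoof' or 'lookalike domain' for a From header."""
    name, _, domain = split_from(header_value)
    brand = claimed_brand(name, domain)
    if brand is None or is_brand_domain(domain, brand):
        return "ok"
    if brand.replace(" ", "") in squash(domain):
        return "lookalike domain"
    return "display-name spoof"


# Constructed sample headers. The comcast.net case is the article's example:
# a real comcast.net mailbox passes authentication, so filters let it through,
# and the inbox shows only the display name "Bank of America".
SAMPLES = [
    "Bank of America <alerts@bankofamerica.com>",
    "Bank of America <john.smith@comcast.net>",
    '"Bank of America Alerts" <secure@bankofamerica-secure.com>',
    "Customer Service <noreply@paypa1.com>",
    "Jane Doe <jane.doe@example.org>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_from(sample):20} {sample}")
```

The brand table is the weak point of any such check: it only knows the brands you list, and a message that claims no listed brand is reported as “ok”, which means “nothing obviously wrong”, not “safe”.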
Tip 3: Review The Salutation
Who is the email addressed to? Is it to a vague “Valued Customer”? Legitimate businesses will usually use a personal salutation with your first and last name, so beware if it doesn’t. The reverse is not a guarantee: names and email addresses leak in data breaches, so a targeted phish can greet you by name.
Tip 4: Urgent or Threatening Language is Another Tactic
Promoting a sense of urgency or fear is very common in phishing emails. Examples include subject lines that ask you to take action on an “urgent payment request” or claim your “account has been suspended.” The pressure is the point: it is meant to make you click before you check.
Tip 5: Don’t Give up Personal or Company Confidential Information
Legitimate businesses will never ask for your credentials through an email. Attackers lean on this scam heavily in messages that impersonate banks and the IRS. Furthermore, most businesses will have policies that prohibit staff from sending credentials or confidential information in response to an external request. So don’t “reset,” “sign in,” or enter a username or password on a page you reached from an email; if you need to check your account, open the site from a bookmark or by typing the address yourself.
Tip 6: Look But Don’t Click
Hackers love to embed malicious links in what looks to be legitimate copy. To expose this fraud, hover your mouse over the link (long-press it on a phone) and read the destination address that is displayed. If the link text shows one address but the destination is another, or the destination is a raw IP address or a domain you don’t recognise, don’t click on it. If you’re skeptical about the link, send the email directly to your security team.
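The hover check from Tip 6 done programmatically, as an added example that is not code from the original article: it walks the anchors in an HTML email body and flags links whose visible text names a different host than the real destination, links to a raw IP address, and URLs that hide the real host behind a user@ prefix. The sample HTML is constructed.

```python
"""Flag suspicious links in an HTML email body (added example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, lower-cased; '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def text_host(text):
    """If the visible link text looks like a URL or a domain, return that host."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return m.group(1) if m else ""


def is_ip(host):
    """True when the host is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(a, b):
    """True when one host equals the other or is a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def suspicious_links(html):
    """Return [(href, reason)] for links a user should not click."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        shown = text_host(text)
        if parts.username:
            # http://www.bank.example@203.0.113.5/ really goes to 203.0.113.5
            findings.append((href, f"userinfo hides real host {host}"))
        elif is_ip(host):
            findings.append((href, "link points at a raw IP address"))
        elif shown and not same_site(shown, host):
            findings.append((href, f"text shows {shown} but link goes to {host}"))
    return findings


# Constructed sample body; the hosts are documentation/reserved names.
SAMPLE_HTML = """
<p>Your account has been suspended. Please
<a href="http://bankofamerica.com.login-verify.example/reset">https://www.bankofamerica.com/reset</a>
within 24 hours.</p>
<p><a href="http://192.0.2.10/update">Update your details</a></p>
<p><a href="http://www.bankofamerica.com@203.0.113.5/">www.bankofamerica.com</a></p>
<p>Questions? Visit <a href="https://www.bankofamerica.com/help">www.bankofamerica.com/help</a></p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_HTML):
        print(f"{reason}: {href}")
```

A mismatch is a strong signal; a match is not proof of safety, since a phish can link to a shortener or a tracking redirector that only later lands on the attacker’s page.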
Tip 7: No Clicking on Attachments Either!
Just like malicious links, hackers attach files carrying malware to their phishing emails, often disguised as invoices, receipts or shipping notices. Malware can steal your passwords, encrypt or damage files on your computer, or spy on you without you ever knowing. Curiosity killed the cat, so don’t open any email attachment you weren’t expecting, and be especially wary of executable files, files with a double extension such as “invoice.pdf.exe,” and documents that ask you to enable macros.
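A triage check for the attachments Tip 7 warns about, as an added example that is not code from the original article: it walks the MIME parts of a message and flags attachment names that are executable types, that use a double extension to pose as a document, that are macro-enabled documents, or whose declared content type does not match the extension. The extension lists and the sample message are constructed; a real gateway would also inspect the file bytes rather than trusting the name.

```python
"""Flag risky attachments in a raw RFC 5322 message (added example)."""
import mimetypes
from email import message_from_string

# Assumption: a typical block-list of extensions that run code when opened.
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "jar", "ps1", "lnk"}
# Office formats that carry macros.
MACRO_EXTS = {"docm", "xlsm", "pptm"}
# Document types an attacker likes to imitate with a double extension.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "csv"}


def attachment_risk(filename, content_type):
    """Return a reason string if the attachment looks dangerous, else None."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            return f"double extension disguises .{ext} as .{parts[-2]}"
        return f"executable attachment (.{ext})"
    if ext in MACRO_EXTS:
        return f"macro-enabled document (.{ext})"
    guessed = mimetypes.guess_type(filename)[0]
    # Many senders declare application/octet-stream for everything; only a
    # specific type that contradicts the extension is worth flagging.
    if guessed and content_type not in ("application/octet-stream", guessed):
        return f"declared type {content_type} does not match .{ext}"
    return None


def risky_attachments(raw_message):
    """Return [(filename, reason)] for every suspicious attachment in a message."""
    msg = message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        reason = attachment_risk(name, part.get_content_type())
        if reason:
            findings.append((name, reason))
    return findings


# Constructed sample message; the attachment bodies are placeholder text.
SAMPLE_MESSAGE = """\
From: "Accounts Payable" <ap@example.org>
To: you@example.com
Subject: Urgent payment request
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice today.
--b1
Content-Type: application/x-msdownload; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

placeholder
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="statement.xlsm"
Content-Disposition: attachment; filename="statement.xlsm"

placeholder
--b1
Content-Type: application/pdf; name="terms.pdf"
Content-Disposition: attachment; filename="terms.pdf"

placeholder
--b1--
"""

if __name__ == "__main__":
    for name, reason in risky_attachments(SAMPLE_MESSAGE):
        print(f"{name}: {reason}")
```

The name-based rules are cheap and catch the common disguises, but a file called terms.pdf is only trusted here because its declared type agrees with its name; confirming that the bytes really are a PDF is a separate step.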
Tip 8: Spelling Mistakes
Legitimate emails from established brands rarely contain major spelling mistakes or poor grammar; their copy is reviewed before it goes out. Errors are therefore a warning sign, though their absence proves nothing, since well-written phishing exists too. Read your emails carefully and if anything seems off, report the email.
Tip 9: The Signature Line
Are you able to contact the company? Does the email provide details about the signer? If not, treat the email with suspicion; legitimate businesses normally provide their contact information. Check for it, but don’t stop there: a signature block and a phone number are trivially copied from a real message, so use a contact number from the company’s website, not one from the email itself.
Tip 10: Be a Skeptic
Hackers are extremely good at what they do. Their craft includes seemingly valid email addresses, fluent language, and convincing brand logos. So be skeptical when it comes to your email inbox: if an email looks even remotely suspicious, do not click its links, open its attachments, or reply to it. Instead, send it to your security team, and remember it is always better to be safe than sorry.