5 Tips to Spot and Stop a Phishing Email
Updated: September 2023
Phishing is a cyberattack in which criminals try to obtain sensitive or personal information from you or your staff by means of a fraudulent email, text message or phone call. It is also the most common form of attack in the world, with an estimated 500 million fraudulent emails sent every year.
One of the best defenses against phishing is a well-trained staff that knows how to spot a phishing attempt before it wreaks havoc on your business. Below, we look at five red flags that tell you an email can't be trusted.
1 – Obvious Grammar and Formatting Errors
While this seems like an obvious clue that the email is a fake, thousands of end users still fall victim to emails addressed to "Dear" or "Dear Customer" with no other identifier in the greeting.
Generic greetings slip past people because so much legitimate bulk mail is just as impersonal.
The errors in a phishing email can take many forms. Some messages switch fonts or font sizes from paragraph to paragraph or even sentence to sentence. They may lack appropriate punctuation or contain misspelled words. Others lean on phrasing that is rare in native business English, such as "kindly" in "Kindly reply by the end of the day with the information requested."
None of these signs proves an email is malicious, but they are a strong hint that it was produced in bulk, often by someone writing in a second language. One explanation for the sloppiness is that it is deliberate: a target who does not notice misspelled words, missing punctuation and mixed fonts is more likely to click a link or open an attachment, so the errors select for the people most likely to hand over their credentials. The reverse does not hold: a polished, error-free email is no evidence of legitimacy, and targeted attacks are often flawless.
2 – Claims That There is a Problem or Reward with an Associated Sense of Urgency
Phishing emails will regularly claim that there is a problem with an account, an overdue invoice or that suspicious activity has been noted. Next, they’ll indicate that urgent action is required to fix the issue.
A diligent employee who has not been trained will often panic and, to clear things up, quickly enter credentials or personal details to "correct the error", handing the attacker exactly what they want.
Eligibility for free items is another common bait. "Click Here to Claim Your Free Pizza" is a favorite, especially when sent out on a Friday or just before a holiday. Gift cards from popular web retailers are also prime bait. It has become so problematic that large online retailers like Amazon have built entire web pages to help their customers spot fakes.
Often the supposed reward will expire if not claimed immediately or within a short time frame.
3 – There’s a Suspicious Attachment or Link
A phishing email may contain fake invoices, attachments or links, often ones that make it easy for the user to enter login or payment details.
Phishing emails frequently carry malware or ransomware: once the link or attachment is opened, the payload is downloaded to the user's computer. Some of it lets the attacker sit silently in the background, the long-dwell approach associated with advanced persistent threats (APTs), gathering user patterns, keystrokes and other personal information.
In these attacks the attacker collects data over days, weeks or months until they judge it safe to act. The delay is strategic: by the time the bank account is emptied, the user will probably not connect it with a suspicious email they clicked long ago.
According to the Verizon Data Breach Investigations Report, 30% of phishing messages get opened by target users and 12% of those users click on the malicious attachment or link. These numbers tell us that phishing works, time and time again.
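The red flags in the two sections above (urgency bait, disguised attachments, links whose visible text names one site while the href points elsewhere) can be checked mechanically before a human ever sees the message. The following is an added example, not code from the original article: it parses a constructed sample message with Python's standard email and HTML parsers and reports what it finds. The risky-extension list and urgency phrases are illustrative starting points for a filter rule, not a complete policy.

```python
"""Check a raw email for the attachment, link and urgency red flags.

Added example, not code from the original article. SAMPLE_EML is constructed;
RISKY_EXTENSIONS and URGENCY_PHRASES are illustrative, not a complete policy.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "lnk", "iso", "img", "docm", "xlsm"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "claim your free", "kindly")

# Constructed sample: an 'overdue invoice' lure with a mislabelled link and a
# disguised executable. The base64 payload is just the bytes 'ABCD'.
SAMPLE_EML = """\
From: "Accounts Payable" <billing@invoices-portal.example>
To: staff@example-corp.com
Subject: URGENT: overdue invoice - action required immediately
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended unless you kindly settle the attached invoice.</p>
<p>Pay now at <a href="http://login.invoices-portal.example/pay">https://www.amazon.com/pay</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

QUJDRA==
--b1--
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor, plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._label = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._label = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Hostname of a URL or URL-looking label (leading 'www.' dropped); '' if it is not one."""
    value = value.strip()
    if not value.startswith(("http://", "https://", "www.")):
        return ""
    host = (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def analyze(raw: str) -> dict:
    """Return the red flags found in a raw RFC 5322 message, grouped by kind."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {"attachments": [], "links": [], "urgency": []}

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            why = f"executable type .{ext}"
            if name.count(".") > 1:  # invoice.pdf.exe: only the last extension counts
                why += " hidden behind a double extension"
            findings["attachments"].append(f"{name}: {why}")

    text = ""
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        content = body.get_content()
        if body.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(content)
            text = " ".join(collector.text)
            for href, label in collector.links:
                shown, real = host_of(label), host_of(href)
                if shown and real and shown != real:
                    findings["links"].append(f"text shows {shown} but href goes to {real}")
        else:
            text = content

    haystack = ((msg["subject"] or "") + " " + text).lower()
    findings["urgency"] = [p for p in URGENCY_PHRASES if p in haystack]
    return findings


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_EML).items():
        print(f"{kind}: {hits or 'nothing flagged'}")
```

The link check only compares hostnames when the visible text itself looks like a URL; "Click here" text is not flagged, so a real filter would also score links against a reputation list. The double-extension rule matters because Windows hides known extensions by default, so "invoice_4471.pdf.exe" displays as "invoice_4471.pdf".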
4 – There’s Something Off in The Web or Email Address of The Sender
Attackers try to mimic a legitimate web or email address as closely as possible to fool the end user. Unless the user looks closely, the substitution is easily missed. Here's an example provided by Stay Safe Online:
@airbnb.work instead of @airbnb.com (note .work in place of .com).
Attackers will also add a letter, number or symbol to a legitimate URL or email address so that it blends in, or swap in look-alike characters (rn for m, 0 for o), so the fake is easily missed. Read the actual address, not just the display name, and hover over a link (or long-press it on mobile) to see where it really goes before clicking. The problem of fraudulent domains is so common that we wrote a whole blog post about them, which we encourage you to read.
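The sender-address tricks described above can be caught with a small allowlist check. The following is an added example, not code from the original article or from Stay Safe Online: it classifies a sender domain against a constructed list of trusted domains (a TLD swap such as airbnb.work, a trusted domain embedded as a subdomain, look-alike characters, padding words, or a single-character typo) and also flags a display name that borrows a trusted brand or a Reply-To that diverts replies elsewhere. The trusted-domain list, the homoglyph table and the sample headers are assumptions for illustration.

```python
"""Flag sender domains that merely look like a trusted one, plus display-name
and Reply-To tricks.

Added example, not code from the original article or from Stay Safe Online.
TRUSTED_DOMAINS, HOMOGLYPHS and the sample headers are constructed; a production
filter would load the allowlist from configuration and use a public-suffix list
instead of the 'last label is the TLD' shortcut in split_domain().
"""
from email.utils import parseaddr
from typing import Optional

TRUSTED_DOMAINS = {"airbnb.com", "amazon.com", "example-corp.com"}  # constructed allowlist
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}  # swaps that render almost identically


def normalize(label: str) -> str:
    """Undo look-alike substitutions so 'arnaz0n' compares as 'amazon'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one added, dropped or swapped character costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple:
    """'mail.airbnb.com' -> ('airbnb', 'com'). Shortcut: the last label is the TLD."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def classify_domain(domain: str) -> str:
    """'trusted', 'unknown', or the reason the domain looks like an impersonation."""
    domain = domain.lower().strip(".")
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"  # exact match or a real subdomain such as mail.airbnb.com
    name, tld = split_domain(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        t_name, t_tld = split_domain(trusted)
        if "." + trusted + "." in "." + domain + ".":
            return f"embeds {trusted} as a subdomain"       # airbnb.com.login-now.work
        if name == t_name and tld != t_tld:
            return f"tld-swap of {trusted}"                  # airbnb.work
        if normalize(name) == t_name:
            return f"homoglyph of {trusted}"                 # arnazon.com, amaz0n.com
        if t_name in name.split("-"):
            return f"pads {trusted} with extra words"        # airbnb-support.com
        if edit_distance(normalize(name), t_name) == 1:
            return f"one character off from {trusted}"       # airbnbb.com, a1rbnb.com
    return "unknown"


def check_sender(from_header: str, reply_to: Optional[str] = None) -> list:
    """Findings for a From header (and optional Reply-To); empty when nothing is off."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    verdict = classify_domain(domain)
    findings = []
    if verdict not in ("trusted", "unknown"):
        findings.append(f"sender domain {domain}: {verdict}")
    # Display name borrows a trusted brand while the address does not belong to it.
    compact = display.lower().replace(" ", "").replace("-", "")
    brands = [split_domain(t)[0].replace("-", "") for t in sorted(TRUSTED_DOMAINS)]
    claimed = [b for b in brands if b in compact]
    if claimed and verdict != "trusted":
        findings.append(f"display name claims {claimed[0]} but address is {address}")
    # Replies silently diverted to another domain, typical of CEO-fraud lures.
    if reply_to:
        reply_addr = parseaddr(reply_to)[1]
        if reply_addr.rpartition("@")[2].lower() != domain:
            findings.append(f"Reply-To {reply_addr} is on a different domain than {address}")
    return findings


if __name__ == "__main__":
    samples = [('"Airbnb" <noreply@airbnb.work>', None),          # constructed headers
               ("support@mail.airbnb.com", None),
               ('"CEO" <ceo@example-corp.com>', "ceo.personal@gmail.com")]
    for hdr, reply in samples:
        print(hdr, "->", check_sender(hdr, reply) or "no findings")
```

A match against the allowlist says only that the domain is the one you expect; it does not prove the message came from there, which is what SPF, DKIM and DMARC results in the Authentication-Results header are for. Treat this check as one signal in a filter, not a verdict on its own.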
5 – The Signature Lacks Detail
Legitimate emails typically contain the information you need to contact the sender. Many phishing attempts appear to come from an internal address, a CEO or a CFO.
These emails can be devastating to SMBs because the target is usually someone in HR or accounting who is eager to respond and please a superior. End users should be on the lookout for an email from a high-level executive in their own organization that arrives with an informal or missing signature, especially when it asks for a payment, a purchase or personnel data.
You Received a Phishing Email, Now What?
- If the email appears to come from someone within your organization or someone you know, pick up the phone and call the sender, using a number you already have rather than one given in the email (and don't reply to the email).
- If the email contains a link, copy it without clicking it (hover or right-click to copy the destination) and paste it into isitphishing.ai. This will help you determine whether the link is malicious.
- If the email contains an attachment, don't open it. Think the attachment might be legitimate? Go to the sender's website directly by typing the address into your browser and download the file from there.
- Forward it along to your IT support team or provider for review.
How to Stop Phishing Emails
Businesses who want to stop phishing emails have a few strategies at their disposal.
- The first is an effective email filtering system. Filtering inbound and outbound email is essential to protecting not only your business's confidential information but also its reputation. Hate getting spammed? Your customers will hate getting spammed by you, through a compromised account sending outbound mail, even more.
- The second is to train users with security awareness training and test them with simulated phishing. Industry research indicates that 80% of companies say awareness training has reduced their staff's susceptibility to phishing attacks.
- For businesses that use a managed IT services provider, ask your provider whether security awareness training is included in your contract. Testing employees also helps overcome the perpetual "rules don't apply to me" or "that only happens to other people" mentality. And managers of employees who regularly catch the simulated phishing attempts can use this for employee recognition!
>> Curious to learn more? Click here for our Complete Guide to Managed IT Services.
Get Expert Help to Face Phishing Threats with Confidence
Studies for many years in a row have shown that cyberattacks are becoming more targeted, more severe, and more sophisticated. By partnering with an experienced IT support provider like Astute Technology Management, you can ensure your business stays safe and secure.