1. Identifying a fake email address
Get into the habit of carefully checking email addresses on incoming emails. A cautious glance will train your eye to detect the subtle anomalies of a phishing email. This can be the difference between a successful phishing attack and keeping your business safe.
2. Clickbait subject
Pay heed to the subject field – it will often contain phrases of great urgency. In this case Important Billing Notice, but other examples might include Password check required immediately, Security alert, or A delivery attempt was made. These are carefully crafted to reel the victim in. It’s worth consulting a legitimate communication to ascertain the type of information your service provider will request of you.
3. How the email addresses the recipient
A key identifier of a phishing email is generic addressing of the recipient, such as Hello, as opposed to a direct, personalised address.
Phishing attempts are typically conducted on a large scale, which is why their impersonal address can be a giveaway.
4. Vague or generic content
The same applies to the email content. Vague information is a significant sign of phishing and denotes the possibility of a mass-email campaign. A request for personal information via email is also a key indicator, as most companies never ask for this.
5. An unnecessary sense of urgency
An urgent or threatening manner will often follow, stating that your service could be cut off in the event of non-compliance. This is the main method cyber criminals use to coerce money out of victims, creating a sense of urgency which is only heightened if the email is a spoof business communication.
6. Malicious URLs
Under the guise of helpfulness, a phishing email will often contain a URL claiming to go to a login screen in order to remediate the supposed problem. Never click these. Malicious URLs are often a vehicle for a malware payload or a way to draw victims into the attackers’ snare. By entering your details into false forms, you are effectively handing your credentials over to cyber criminals.
7. Inconsistencies in spelling and layout
Formatting errors are also an obvious sign of a phishing email. Our example highlights a difference in text size, denoting a hastily-assembled email message by a hacker. Be sure to look out for spelling and grammatical mistakes too – professional communications rarely contain these. Their presence denotes a crude phishing attempt.
8. Email signature
The email signature looks very convincing in this example; Virgin Media often signs off emails with The Virgin Media Team. However, that signature is often used for marketing or less urgent communications.
A legitimate communication of urgency will usually be dealt with by a named individual representing Virgin. In this case, the phisher has used the team signature as a generic sign-off to fake authenticity. The same applies to any other phishing email you might receive.
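The checks above lend themselves to automation. The following is an added example, not code from the original article: a small heuristic scorer for indicators 1 to 6 that uses Python's standard email parser. The TRUSTED allow-list, the example.com and example.net names, and the sample message are constructed for illustration and are not real.

```python
import re
from email import message_from_string
from email.utils import parseaddr
TRUSTED = {"example isp": "example.com"}  # assumed allow-list, not from the article
# Urgency bait quoted in the article (indicators 2 and 5) plus common threat wording.
URGENT = ("important billing notice", "password check required", "security alert",
          "delivery attempt", "cut off", "suspended", "immediately")
DATA_REQUEST = ("password", "bank account", "card details")  # indicator 4
GREETING = re.compile(r"^\s*(hello|hi|dear (customer|user|member))\s*[,!]", re.I | re.M)
ANCHOR = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)

def host_of(value):  # host part of a URL, bare domain or e-mail address, '' if none
    m = HOST.match(value.rsplit("@", 1)[-1].strip())
    return m.group(1).lower() if m else ""

def phishing_indicators(raw):
    """Return the names of the article's indicators that one raw message triggers."""
    msg = message_from_string(raw)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    from_host = host_of(addr)
    # 1. Fake sender address: a trusted brand in the display name, but the wrong domain.
    for brand, dom in TRUSTED.items():
        if brand in name.lower() and from_host != dom and not from_host.endswith("." + dom):
            found.append("display name impersonates " + brand)
    if any(p in msg.get("Subject", "").lower() for p in URGENT):  # 2. clickbait subject
        found.append("urgent subject")
    html = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    text = re.sub(r"<[^>]+>", " ", html).lower()
    if GREETING.search(text):                                  # 3. generic greeting
        found.append("generic greeting")
    if any(w in text for w in DATA_REQUEST):                   # 4. asks for personal data
        found.append("requests personal data")
    if any(p in text for p in URGENT[4:]):                     # 5. threat of service loss
        found.append("threatens service loss")
    # 6. Malicious URL: the visible link text names one host, the href goes to another.
    for href, label in ANCHOR.findall(html):
        shown, real = host_of(re.sub(r"<[^>]+>", "", label)), host_of(href)
        if shown and real and shown != real:
            found.append("link text and destination disagree")
    return found
# Constructed sample message (not a real phish) that exhibits indicators 1 to 6.
SAMPLE = """\
From: "Example ISP Billing" <billing@example-isp-secure.net>
Subject: Important Billing Notice

<p>Hello,</p><p>Your payment failed. Confirm your password and bank account
details or your service will be cut off.</p>
<p><a href="http://login.example-isp-secure.net/verify">https://www.example.com/account</a></p>
"""
```

Calling phishing_indicators(SAMPLE) returns six triggered indicators; a genuine statement from the allow-listed domain with a personal greeting and a consistent link returns an empty list.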
Types of Phishing Scams
A spoofing scam fosters trust from an end-user by imitating a known contact. If the end-user then opens the seemingly legitimate link, often imitating a Dropbox or Microsoft SharePoint document, not only is the URL riddled with malware, but it also leads the user to a realistic imitation of the expected website. Because the site looks legitimate, the user enters their credentials, which are then harvested by hackers.
The board meeting scam is a relatively new type of phishing email that specifically uses board meetings as an email topic to target C-level executives. The email will appear to come from the CEO and will ask Board members to reschedule the meeting via a link in the email. Once this is clicked, you have opened the door to your credentials for the hackers. The email may even have a subject headline or content that appears to be unique or specific to your business.
HMRC scams are often used to bait phishing victims, taking the form of a promised rebate if the recipient completes a tax refund request. Clicking through to the website, which also looks legitimate, reveals a form asking for personal details in addition to bank account details.
One of the more prevalent phishing scams, sextortion sees criminals sending out emails claiming to have recordings of the recipient watching pornographic content. To give the threat authenticity, a criminal might include one of the recipient’s previous passwords, acquired from a past data breach, while claiming it came from a recent hack.
Weaponised Attachments Scams
In a particularly dangerous form of phishing attack, cyber criminals have weaponised PDF attachments. Once the attachment is opened, the XML within it runs a script, bypassing security and granting the attacker remote access to the recipient’s infected PC.
One perennial phishing scam comes from an email stating that a bank transaction was rejected. The victim, fearing a fraudulent transaction has been made in their name, will click on the link provided in the phishing message and leave their data vulnerable in the process.
The idea of winning the lottery is an appealing thought to most. As such, lottery phishing is popular. Offering the ability to ‘claim your prize’, lottery phishing emails typically request your name, address, bank account details, or PayPal information. Fraudsters can then sell this information on the dark web.