By Arturo Romero, Senior Security Engineer, Scantron Technology Solutions
As we move into the middle of Cybersecurity Awareness Month, let’s discuss one of the bigger threats to businesses. I’m talking about those pesky phishing emails that we receive day in and day out: emails that convince us we need to reset our bank account password because it has been locked, or that there was a mistake with a payment being processed and that we should click the link to log in and resolve the issue.
It would be nice if these emails had never evolved past the “foreign prince” wishing to bequeath us millions of dollars. Unfortunately, as technologies and IT environments evolve, so do those baiting emails. Here are five tips to help identify current trends in phishing emails.
- Look for misspellings or grammatical and formatting errors.
These are the easiest to spot and are the most conspicuous. Misspelled names, titles, and weird spacing can be tell-tale signs that the email you received from “Best Buy” or your bank may not be on the level. If you received an email from your bank and the signature is misaligned or looks abnormal, this is an indicator that the email is not legitimate.
- Check the sender.
If the email really did come from the organization it claims to be from, the email domain should match. What does that mean? If the email came from Visa, the From address should end in “@visa.com” and not “@gmail.com,” “@yahoo.com,” “@aol.com,” or any other publicly available domain. Be careful, as scammers sometimes put in effort and try something along the lines of “@visaforreal.com.” Stay vigilant. When in doubt, treat emails as if they are malicious.
- Verify any links in the email.
Hover over any hyperlinks in the email to see what the web address really is. Scammers will often place a scamming URL as the actual destination for a link that looks real in text. If the destination address looks off, don’t click the link. In fact, don’t click any links in email, even if they do come from a legitimate sender. Directly navigate to your account using an address you know to be secure because it’s the address you usually use (e.g., att.com, amazon.com, etc.).
- Don’t open attachments.
These attachments are typically Office files, but sometimes they can come as PDFs, images, or any other type of file. If you are not expecting an email with an attachment, treat it with suspicion. If you do receive emails with attachments, follow the first two tips to filter out bad emails.
- Ask yourself: “Did I do anything to warrant this correspondence?”
Did you actually make a change to your banking account? To Netflix? Did you order something from the sender? For example, if you receive an email from “@amazontruly.com” saying they can’t process your order because the payment information is incomplete, it is most likely a phishing email.
This is currently one of the most successful tactics, especially as the holidays approach and we shop online. In addition, due to the amount of information being shared online because of COVID-19, scammers have changed tactics and we’ve seen a lot of phishing emails pertaining to the pandemic. If you did not sign up to receive any info about COVID-19, more likely than not, the email is malicious.
These are basic practices that you can readily apply to help avoid getting caught by phishing scams. Scantron Technology Solutions regularly works with organizations to help them educate and inform staff about the risks of phishing, how to better identify malicious emails, and prevent phishing attacks from succeeding. The better your teams are at identifying them, the safer your organization will be.