10 ways to spot an email phishing scam

What can you and your staff do to spot these scams and avoid disaster?

by Darren Thackeray

What are phishing scams?

Email phishing scams can be devastating. Their purpose is to trick your staff into handing over sensitive information, or opening a malicious attachment, that can then be used against your company. Many of these scam emails are easy to spot, but some campaigns are incredibly sophisticated, using fake websites and even entire fake user journeys designed to extract vital information. Once a cyber criminal has your password or credit card details, the next step is usually fraud, extortion or identity theft. For businesses of all shapes and sizes, the net result can be catastrophic. Phishing scams don't just target big businesses. They indiscriminately go after any weakness in any organisation, and while anti-malware software and spam filtering certainly help as a first line of defence, it really comes down to educating your staff and teaching them how to spot and report such scams when one does inevitably get through. 

Did you know that 90% of all successful cyber attacks begin with a phishing email? What's more, the share of phishing emails carrying some form of ransomware grew to 97% during the latter half of 2016. What this tells us is that phishing is still a much-used vehicle for cyber criminals, despite its somewhat 'old school' reputation.

In May 2017, DocuSign, the digital signature technology provider, was targeted. An attacker gained temporary access to a separate, non-core system that DocuSign used to send service announcements by email, and took a list of users' email addresses, which were then used to send further phishing emails impersonating DocuSign. The number of addresses taken wasn't disclosed, but according to the DocuSign website it has more than 200 million users. That loss of personal data isn't just a blow for the company, it's an enormous blow to its reputation too. If users feel their information isn't safeguarded, they're likely to go to a competitor. 

"90% of all successful cyber attacks begin with a phishing email."

So, how can your business avoid such scams? Anti-malware software and properly configured spam filters are certainly an excellent place to start. If you have a dedicated IT resource, security is one of the first things they should take care of. If you don't, employing the likes of us here at Eurotech Services will give you all the benefits of a permanent IT department without the overheads. However, automated security solutions will only get you so far when it comes to phishing scams. Invariably one or two emails will always find a way through, and then the fate of your company could lie firmly in the hands of your staff. If they aren't up to speed on how phishing scams work or don't know how to spot a phishing email, your business could be in the firing line. That's why we work hard to educate your team as well as build a defensive line on your network. 

Here are 10 telltale signs of a phishing email:

1. Variations in sender's name

Before you open the email, check the name of the sender. Most of us just give this a cursory glance, but it pays to get into the habit of looking more closely before we click to read the email. If it's someone who emails you regularly, check that the sender's name exactly matches their previous emails. Bear in mind that the display name is free text that anyone can set, so also expand it to see the actual email address behind it. Users can and do change their 'sender' names from time to time, but it's not very common and could be the first giveaway that it's a scam. Some cybercriminals will go to great lengths to pretend to be a trusted source - don't let your guard down. 

2. Asking for confidential information

Banks and other financial institutions are forever reminding their customers that under no circumstances would they ask them to share sensitive information like passwords. This is to stop phishing scams in their tracks, and your business is no different. A legitimate contact or business would not ask your staff to share sensitive information like passwords or credit card numbers by email. Even if you know the contact, there's a good chance their account has been compromised if they suddenly ask for information like this - confirm the request by phone or in person before responding. 

3. "Your computer has a virus!"

You shouldn't pay any mind to browser pop-ups or emails that make this claim. Only trust these kinds of messages when they come from your own anti-virus client. Usually, they'll warn of some dire consequence if you don't immediately download their software to 'fix' the issue. This is simply a way for them to infect your computer with their own malware, which can lead to countless problems. 

4. Offering you something for nothing

Many staff use their personal emails at work and their work emails at home. This isn't an ideal situation but can, at times, be unavoidable. Many inboxes get hit with too-good-to-be-true offers such as winning large sums of money or inheriting something valuable. Thankfully, most of these get caught by spam filters but one or two are still likely to get through. Read the subject line and note the sender - if it's about 'winning' something or offering something valuable and you don't recognise the sender, hit the delete/block button. 

5. Private requests

If an email specifically asks you to keep something secret or makes a 'confidential request', there's a strong likelihood it's a phishing scam. The sender is clearly trying to prevent you from validating their email with a third party - don't fall for it. 

6. Order confirmations and other attachments

This is a tricky one. Many of us get receipts and order confirmations in our inboxes whenever we buy something, and that's fine, but order confirmations with attachments should always be scrutinised. Many phishing scams pretend to be big retailers or service providers like Amazon, sending order confirmations designed to look like the real thing, with an attachment. If you've ever bought anything from Amazon, you'll know that their order confirmations don't come with attachments, but many people aren't aware of this. Before you click on an attachment, check the sender's name and address, the company, and whether you've actually done business with them recently. 

7. Tax-season requests for personal details

Is it time to do your taxes? During 'tax season' there is always a jump in phishing activity, usually from scammers purporting to be HMRC and trying to scare people into giving up sensitive information. Some phishing scams even pretend to be the CEO or CFO of a company, asking for employees' tax details. If successful, the scammers can quite easily steal the identity of staff members online or even claim their tax refunds. If your CFO emailed you asking for information like this, would you give it to them? The answer should be 'no'. If you're unsure, request a face-to-face meeting or speak to accounts. 

8. Non-standard file extensions

File extensions are those small suffixes you see on the ends of documents, like .docx, .xlsx or .pptx. They clue you in to the format of the document and what software will be used to open it. However, there are some extensions you should watch out for. If an Office extension ends in 'm' (.docm, .xlsm, .pptm), the document is macro-enabled and can contain embedded code that runs when the document is opened. Watch too for executables and scripts (.exe, .js, .vbs, .hta) and for 'double' extensions such as invoice.pdf.exe, which try to disguise a program as a document. Common formats like .pdf and .zip files can also contain malware and should ideally be scanned in your inbox before you open them. In any case, it's always best to follow the other steps outlined in this article and check the sender before opening an attachment. 

9. Sender address doesn't match content

This is one of the easiest tells of less sophisticated phishing scams. Sometimes you'll receive an email supposedly from a reputable source like eBay, but the sender address will be random and mismatched, like g.j@tragi.com. Sometimes the scammer will go to great lengths to replicate the domain as closely as possible, for example help@e.bay.com. That extra full stop should be a telltale sign. Always pay attention to the sender address, but bear in mind that a determined attacker can forge the 'From' address outright unless your mail gateway checks sender authentication (SPF, DKIM and DMARC). So treat a lookalike domain as a strong warning, and treat a matching address as reassuring only when the rest of the email also checks out. 

10. Awkward, off-tone wording

Finally, simply reading the email can give the game away. If it's from someone you know well, any difference in tone should be immediately noticeable. If a colleague always starts an email with "Hi Jane," and then all of a sudden they say "Dear Jane," that should set alarm bells ringing. Similarly, a sign-off like 'best regards' when you're used to a less formal 'thanks' might also raise a red flag. Never underestimate the sophistication of some email phishing scams - they can go to great lengths to fool those who let their guard down. 
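Several of the signs above (a display name that doesn't match the address, a lookalike domain such as e.bay.com, a macro-enabled or double-extension attachment) can be checked automatically before a message ever reaches a person. The script below is an added example written for this article, not Eurotech's tooling, and uses only Python's standard library. The trusted-domain list, the homoglyph table and the sample .eml message are all constructed for illustration.

```python
"""Phishing triage checks on a raw email: sender lookalikes and risky attachments.
Added example for this article (not the author's tooling); all inputs constructed."""
import email
from email import policy
from email.utils import parseaddr

# Domains the organisation genuinely corresponds with (assumed list for the example).
TRUSTED_DOMAINS = {"ebay.com", "amazon.co.uk", "hmrc.gov.uk", "docusign.com", "paypal.com"}

# Office formats that can carry macros, and files that run code when opened.
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm", "potm", "xlam"}
EXEC_EXTS = {"exe", "scr", "js", "jse", "vbs", "vbe", "hta", "bat", "cmd",
             "ps1", "lnk", "iso", "img", "msi", "jar", "wsf"}
# Common formats that can still carry malware: scan rather than block outright.
SCAN_EXTS = {"pdf", "zip", "rar", "7z", "gz", "doc", "xls", "rtf"}
# Benign-looking names an attacker puts before the real extension (invoice.pdf.exe).
DECOY_EXTS = SCAN_EXTS | {"docx", "xlsx", "pptx", "txt", "jpg", "png"}

# Digit-for-letter substitutions seen in lookalike domains (partial, illustrative table).
HOMOGLYPHS = str.maketrans("0135|", "olesl")


def normalise_domain(domain: str) -> str:
    """Collapse the tricks that make a domain read like a trusted one:
    case, inserted dots or hyphens, digit homoglyphs, 'rn' for 'm', 'vv' for 'w'."""
    d = domain.lower().strip(".").replace("-", "").replace(".", "")
    d = d.translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return (trusted_domain, reason) if `domain` impersonates a trusted domain,
    else None. A trusted domain or one of its real subdomains is never flagged."""
    d = domain.lower()
    if any(d == t or d.endswith("." + t) for t in trusted):
        return None
    nd = normalise_domain(d)
    for t in trusted:
        if normalise_domain(t) == nd:
            return t, "inserted punctuation or look-alike characters"
    for t in trusted:
        if t.split(".")[0] in nd:
            return t, "brand name inside an unrelated domain (weaker signal)"
    return None


def attachment_risk(filename: str):
    """Classify an attachment name as ('block', reason), ('scan', reason) or None."""
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in EXEC_EXTS | MACRO_EXTS:
        return "block", "double extension disguises a program as a document"
    if last in MACRO_EXTS:
        return "block", "macro-enabled Office document"
    if last in EXEC_EXTS:
        return "block", "executable or script"
    if last in SCAN_EXTS:
        return "scan", "common format that can still carry malware"
    return None


def triage(raw_eml: str) -> list:
    """Run the header and attachment checks over one raw message; return findings."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    hit = lookalike_of(domain)
    if hit:
        findings.append(f"sender domain {domain!r} looks like {hit[0]} ({hit[1]})")
    for t in TRUSTED_DOMAINS:  # display name claims a brand the address doesn't belong to
        brand = t.split(".")[0]
        if brand in name.lower() and not (domain == t or domain.endswith("." + t)):
            findings.append(f"display name {name!r} claims {brand} but address is {addr}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2] != domain:
        findings.append(f"Reply-To {reply} goes to a different domain than From")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        risk = attachment_risk(fname)
        if risk:
            findings.append(f"attachment {fname!r}: {risk[0]} ({risk[1]})")
    return findings


# Constructed sample message mimicking the eBay 'order confirmation' lure from the article.
SAMPLE_EML = """\
From: eBay Customer Support <help@e.bay.com>
Reply-To: billing@tragi.com
To: jane@example.co.uk
Subject: Your order confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached confirmation.
--b1
Content-Type: application/octet-stream; name="Order_Confirmation.pdf.exe"
Content-Disposition: attachment; filename="Order_Confirmation.pdf.exe"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBwcm9ncmFt
--b1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("WARNING:", finding)
```

On the sample message the script reports the lookalike domain, the mismatched display name, the redirected Reply-To and the double-extension attachment. In a real gateway you would feed it the message as received and treat any 'block' finding as a quarantine, with 'scan' findings handed to the anti-malware engine. The brand-in-domain rule is deliberately marked as a weaker signal, since legitimate third-party domains sometimes contain a partner's name.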

Phishing scams are getting more sophisticated, but there are lots of things you and your staff can do to avoid getting caught out. Deploying a capable spam filter that monitors inbound and outbound mail is an excellent start, providing RBL blocking, pattern filtering and sender authentication checks. However, remember that spam filters vary in how effective they are, and even the best ones in the world are only part of the solution. We live in an age where cyberattacks like ransomware and phishing are rife, and it's only by educating ourselves and our staff that our businesses will stay truly safe. 

If you own a business and you're worried about cyber security, why not give us a call on 01442 217 099? Not only can we provide protection and advanced network security, we can also manage all of your IT solutions and educate your team on everything they need to know. Simply put, we make business better.