You’ve probably heard the adage “work smarter, not harder.” Here at BAI Security, we believe in both. When phishing attacks are clouding your email waters, it can feel daunting to keep your team abreast, particularly when hackers are brewing a perfect storm of social engineering and scam tactics to obtain your company’s credentials.
In the past year, organizations across the world have been more vulnerable to phishing attacks than ever before. Among internationally polled IT security professionals, 80% noticed an increase in attempted phishing scams across the field, and 74% reported falling victim to phishing attacks themselves. A whopping three-fourths of the respondents went on to note that most of the attacks didn’t aim for company brass, but instead targeted IT staffers… 47% of whom fell for the phish.
On the defensive front, firewalls and antivirus software can only filter so much—the key is a human frontline. Your employees need to know how to catch phishers in the act, and to report any suspicious activity to their IT security department ASAP. Above all, promote personal security awareness at all times; after all, malicious emails are designed to get you to click and enter information without thinking about it.
So what can you and your employees be on the lookout for to avoid the bait and keep phishers hanging?
11 Key Indicators of Phishing Scams
1. It’s Harmless
When you have hundreds of emails coming through your inbox every day, it’s easy not to think twice about simple correspondence. But what looks like an article, a sales link, a video, or a picture may be more nefarious than it appears, and you should treat mundane attachments with the same level of scrutiny.
2. It’s Urgent
On the opposite end of the spectrum, phishing emails love to catch your attention with flashy, fear-mongering text and CAPITAL LETTERS. “If you don’t do X by Y time, there will be CONSEQUENCES!” But take a moment to read through the “threat” at hand, and remember to check the formatting—genuine urgent notices don’t usually contain typos or grammatical errors.
3. It’s Someone You Know
Is this email from a person or department you recognize? Are they asking you to do something out of the ordinary, like log in to a new portal with your workplace credentials? Check again! Impersonation is a favorite tactic of scammers, but you can thwart them by reporting unusual activity and taking the time to confirm the request with the “sender” themselves, through a channel you already trust.
4. It’s Personal
The instant emotion we feel when a message concerns something personal to us is potentially a trap. Whether it’s about your paycheck, insurance benefits, or social media accounts, remember to take a magnifying glass to the little things. Do you recognize the sender and email domain? Are there some strange numbers in the username? Does the email contain rudimentary spelling or grammar mistakes? If so, you’re probably dealing with a scammer.
5. It’s A Hostage Situation
Some phishers borrow the same threat used by ransomware attackers: something will be turned off, blocked, or withheld unless you comply. These emails can also concern low storage, mail deletion, or other seemingly mundane issues like changing a password. If you are concerned about your data on a certain platform, don’t click through the email; go straight to the source. Websites, email software, etc. will inform you if something is wrong, and they don’t use scare tactics!
6. It’s Familiar…
Although not quite the same scenario as using a coworker’s name or impersonating a service you know, one opportunity for phishers involves using well-known brands, like Amazon, UPS, DHL Shipping, PayPal, FedEx, or even your old university. If you’re uncertain, BAI recommends once again that you go to the source. These platforms rarely contact you unsolicited, and all of their websites have help available for you to check in on packages, personal data, and other potentially sensitive information.
7. … But Not Too Familiar
In navigating our fast-paced digital life, we can often overlook abnormalities in our inbox—for instance, personal items, like an Amazon receipt or a Kohl’s coupon, showing up in a seemingly “work-related” email. Think before you click, and remember: work-life separation applies to email, too!
8. It’s Appealing
Everyone likes the sound of a prize, a coupon, a raffle, or even exclusive access to an all-new service! But special offers like these are the perfect opportunity for scammers to catch your attention. Scan for strange-looking senders, basic formatting errors, and awkward wording, and as with all suspicious activity on your account, report immediately to your IT security department.
9. It’s Topical
Another temptation is any link related to current events, be that holidays, disaster relief, current political campaigns, or news headlines. Scammers favor topics that catch the eye—especially things that are timely. So skip the St. Patrick’s Day Parade video and visit your favorite candidate’s or charity’s website to donate directly and securely.
10. It’s “Official”
You may feel obliged to check out correspondence that appears to be from a C-level peer, something tax-related, or a federal communiqué. While BAI recommends all the scam-checking tactics explored above, if you’re feeling uncertain, avoid engaging and go to the source directly for confirmation. All a phisher needs is one click, and it’s up to you to make sure they don’t get that far.
11. It’s Heart Wrenching
Is a stranger in your inbox, imploring you for help, money, or maybe a credit card or Social Security number? It’s probably a phisher. Legitimate unsolicited email communications are rare, particularly on a work account, and incorporating a bit of pathos is a solid strategy for scammers to get you to overlook misspellings or sketchy senders. Save your money and compassion for a real cause, and remember to report.
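The indicators above can be turned into a first-pass triage heuristic that an employee or a mail team can run over a suspicious message before deciding whether to confirm with the source or report it. The script below is an added example written for this article, not BAI Security's tooling: the organisation domain, the known-colleague list, the brand-to-domain table, every keyword list and the three sample messages are constructed assumptions. It checks the indicators the article names (urgency and CAPITAL LETTERS, a colleague's name on an outside address, a request to log in with work credentials, strange numbers in the username, rudimentary misspellings, hostage-style threats, brand lookalike domains, prize offers, and pleas for money or identity data) and maps the result onto the article's advice.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Everything below is constructed for this example; a real deployment tunes it per organisation.
ORG_DOMAIN = "example-corp.com"                # the reader's own mail domain (assumption)
KNOWN_COLLEAGUES = {"alice ng"}                 # display names expected only from ORG_DOMAIN
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "amazon": {"amazon.com"}, "ups": {"ups.com"},
                 "fedex": {"fedex.com"}, "dhl": {"dhl.com"}}   # brand -> domains it really uses
URGENT = ("immediately", "within 24 hours", "action required", "final notice", "right away")
HOSTAGE = ("will be suspended", "will be blocked", "will be deleted", "will be turned off",
           "mailbox is full", "storage is full")
CREDENTIALS = ("log in to", "login to", "your work credentials", "verify your account",
               "confirm your password")
APPEAL = ("prize", "coupon", "raffle", "you have won", "exclusive access", "gift card")
PLEA = ("help me", "wire transfer", "credit card number", "social security number")
MISSPELLINGS = {"recieve", "acount", "verfiy", "securty", "imediately"}   # rudimentary slips


def _body_text(msg) -> str:
    """Plain-text body; walks multipart mail, though the samples here are single-part."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return " ".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)


def indicators(raw_message: str) -> list[str]:
    """Return the article's indicators (numbered as in the text) that fire for one message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    display = display.lower()
    text = f"{msg.get('Subject', '')} {_body_text(msg)}"
    lower = text.lower()
    words = set(re.findall(r"[a-z']+", lower))
    found = []
    # 2. Urgent: pressure phrases, or shouting in CAPITAL LETTERS
    if any(p in lower for p in URGENT) or len(re.findall(r"\b[A-Z]{4,}\b", text)) >= 2:
        found.append("urgent")
    # 3. Someone you know: a colleague's name on an address outside the organisation ...
    if display in KNOWN_COLLEAGUES and domain != ORG_DOMAIN:
        found.append("impersonation")
    # ... or an out-of-the-ordinary ask: log in somewhere with your work credentials
    if any(p in lower for p in CREDENTIALS):
        found.append("credential request")
    # 4. Personal: strange numbers in the username, rudimentary spelling mistakes
    if re.search(r"\d{3,}", local):
        found.append("numbers in username")
    if words & MISSPELLINGS:
        found.append("misspellings")
    # 5. Hostage: something gets switched off, blocked or withheld unless you comply
    if any(p in lower for p in HOSTAGE):
        found.append("hostage")
    # 6. Familiar brand in the name or address, but not sent from that brand's real domain
    sender_tokens = set(re.findall(r"[a-z]+", f"{display} {local} {domain}"))
    for brand, real in BRAND_DOMAINS.items():
        if brand in sender_tokens and not any(domain == d or domain.endswith("." + d) for d in real):
            found.append(f"brand lookalike ({brand})")
    # 8. Appealing: prizes, coupons, raffles, exclusive access
    if any(p in lower for p in APPEAL):
        found.append("appealing offer")
    # 11. Heart wrenching: a stranger asking for money or identity data
    if domain != ORG_DOMAIN and any(p in lower for p in PLEA):
        found.append("plea from stranger")
    return found


def triage(raw_message: str) -> dict:
    """Map the fired indicators onto the article's advice: confirm with the source, or report."""
    hits = indicators(raw_message)
    verdict = ("looks clean" if not hits else
               "go to the source and confirm" if len(hits) == 1 else "report to IT security")
    return {"indicators": hits, "verdict": verdict}


# Constructed sample messages (not real mail).
PHISH = """\
From: PayPal Support <support.team9921@paypal-billing-center.com>
Subject: ACTION REQUIRED: unusual activity on your account

Dear customer, verify your account within 24 hours or it will be suspended.
Click the link below to recieve access again.
"""
IMPERSONATION = """\
From: Alice Ng <alice.ng.office@webmail.example>
Subject: Quick favor

Can you log in to the new HR portal with your work credentials? I need this done immediately.
"""
CLEAN = """\
From: Alice Ng <alice.ng@example-corp.com>
Subject: Notes from the Q3 planning meeting

Hi, the notes from this morning are attached. Let me know if I missed anything.
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("IMPERSONATION", IMPERSONATION), ("CLEAN", CLEAN)):
        print(name, triage(sample))
```

Keyword lists like these are deliberately crude, which is the point the article makes: the filter catches the obvious cases, and the human still has to recognise that a single odd detail (a colleague's name on an outside address, a brand name on the wrong domain) is reason enough to confirm through a trusted channel rather than click.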
Bigger Phish To Fry
Keeping employee awareness high and IT security defenses in play as an embedded part of your workplace culture will free up your IT security team to tackle more expansive and emerging issues. The important thing is not to let phishers slip through the cracks, lest a “minor” breach spiral into a major problem.
BAI Security recommends our Social Engineering Evaluation, an innovative series of tests and tactics for your team designed to match the real-world methodologies of today’s cyber-criminals. This evaluation is the must-have for organizations looking to identify and remediate employee-based security vulnerabilities, crafted by our in-house team of seasoned security experts, with the goal of preparing your team to spot and defend against a skilled, determined hacker.
To take the first step toward a more security-conscious culture and ensure your people are ready to be your first line of defense, contact us today.