
Phishing attacks are one of the most common and successful types of cyberattacks, and they can have a devastating impact on businesses. Proofpoint’s 2023 State of the Phish found that 8 in 10 surveyed organizations fell victim to at least one successful phishing email in 2022. Not only that, but the direct financial loss from successful phishing attacks also skyrocketed by 76%.
Given these alarming statistics, businesses need to conduct security awareness training so that their employees know how to spot and avoid phishing attacks. Make sure the training answers the following questions:
What is phishing?
Phishing is a type of social engineering attack that cybercriminals use to trick individuals into divulging sensitive information, such as login credentials, credit card numbers, or confidential data. These attacks typically occur through emails, instant messages, or phone calls that appear to be from legitimate sources, such as a bank, credit card company, or government agency. The same Proofpoint report found that in 2022, Microsoft was the most impersonated company, with its branding or products used in more than 30 million malicious messages.
Phishing emails typically contain a link or an attachment that, when clicked or opened, installs malware on the victim’s device or leads to a website designed to steal the victim’s information. For example, employees may receive a phishing email that’s supposedly from Microsoft, urging them to click the link in the email and log in to their Microsoft 365 accounts. Unwitting users may then enter their credentials on a fake Microsoft 365 login page.
What are the common signs of a phishing email?
There are a number of things that employees can look for to help them spot a phishing email. These include:
Suspicious email address of the sender
Take a close look at the sender’s email address. Cybercriminals typically employ various techniques to disguise emails and make them appear legitimate. One is to slightly alter a legitimate email address, such as “@amaz0n.com” instead of “@amazon.com,” so that the email looks genuine at a glance.
Another technique they commonly use is display name spoofing, which involves using a legitimate company or sender name in the “From” field of an email, while the actual email address may be entirely unrelated or from a malicious source. For example, a cybercriminal could send an email appearing to come from “Microsoft Support” (display name) but have an email address like “xyz@yahoo.com” (actual address) underlying it. Display name spoofing is particularly effective on mobile devices because the sender’s email address is usually hidden, and users are less likely to expand the sender’s name to view the actual email address.
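The two sender tricks above, lookalike domains and display name spoofing, are exactly the kind of thing a mail gateway or a helpdesk triage script can check automatically before a user ever has to squint at the address on a phone screen. The following Python script is an added example written for this article; it is not SpectrumWise code or part of any product. It decodes a raw From: header, then applies three checks: a digit-for-letter normalization that turns “amaz0n.com” back into “amazon.com” and flags the mismatch, a display name that claims a brand whose domain the actual address does not belong to, and a display name that itself contains an email address different from the real sender. The brand-to-domain table, the homoglyph table and the sample headers are constructed for the example; a real deployment would load the first two from the gateway’s configuration.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed mapping of brand names to the domains that legitimately send for them.
# Assumption: a real deployment would load this from the mail gateway's configuration.
BRAND_DOMAINS = {
    "microsoft": "microsoft.com",
    "amazon": "amazon.com",
}

# Digit-for-letter swaps often used in lookalike domains (constructed, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def parse_from(header_value):
    """Return (display_name, address, domain) from a raw From: header.
    RFC 2047 encoded-words in the display name are decoded first."""
    decoded = str(make_header(decode_header(header_value)))
    display, addr = parseaddr(decoded)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return display, addr.lower(), domain


def belongs_to(domain, brand_domain):
    """True if domain is brand_domain itself or a subdomain of it."""
    return domain == brand_domain or domain.endswith("." + brand_domain)


def analyze_from(header_value):
    """Return a list of (code, detail) findings for a From: header.
    An empty list means none of the three checks fired."""
    display, addr, domain = parse_from(header_value)
    if not domain:
        return [("unparseable", header_value)]
    findings = []

    # 1. Lookalike domain: after undoing digit-for-letter swaps the domain
    #    matches a brand domain, but the literal domain does not.
    normalized = domain.translate(HOMOGLYPHS)
    for brand_domain in BRAND_DOMAINS.values():
        if belongs_to(normalized, brand_domain) and not belongs_to(domain, brand_domain):
            findings.append(("lookalike-domain", f"{domain} resembles {brand_domain}"))

    # 2. Display name spoofing: the display name claims a brand, the address does not.
    display_lower = display.lower()
    for brand, brand_domain in BRAND_DOMAINS.items():
        if brand in display_lower and not belongs_to(domain, brand_domain):
            findings.append(("display-name-mismatch",
                             f"display name {display!r} but address domain is {domain}"))

    # 3. An email address embedded in the display name that differs from the real one
    #    (what a recipient sees on a phone that hides the actual address).
    m = EMAIL_RE.search(display)
    if m and m.group(0).lower() != addr:
        findings.append(("embedded-address-mismatch",
                         f"display shows {m.group(0)} but sender is {addr}"))
    return findings


if __name__ == "__main__":
    # Constructed sample headers; the first two mirror the article's examples.
    for header in (
        '"Microsoft Support" <xyz@yahoo.com>',
        'Amazon <orders@amaz0n.com>',
        'Microsoft account team <account-security-noreply@accountprotection.microsoft.com>',
        '"ceo@example-corp.com" <attacker@mail.example.net>',
    ):
        print(header, "->", analyze_from(header) or "no findings")
```

The third check is the one that matters most on mobile: a display name such as “ceo@example-corp.com” looks like the full address when the client collapses the real one, so comparing the two in code catches what the user cannot see. Subdomain handling (`belongs_to`) keeps legitimate senders such as accountprotection.microsoft.com from being flagged, while a registered lookalike such as amaz0n.com still is.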
Poor grammar and spelling
Traditionally, phishing emails were riddled with misspelled words and grammatical errors. However, many cybercriminals today have become more sophisticated and compose emails with few obvious mistakes. Therefore, employees need to read emails carefully and look for subtle grammatical issues that may indicate a phishing email.
Urgent requests
Phishing emails often create a sense of urgency, pressuring recipients to take immediate action without thoroughly evaluating the authenticity of the message. These emails may use an aggressive tone or claim that failing to act promptly will result in negative consequences. On the other hand, some phishing emails use enticing offers, such as a free tablet for the first 100 customers, to lure the victim into taking the cybercriminal’s desired action.
Links or attachments in the email
If an email contains a link or attachment, employees should be very careful before clicking on it. Links in phishing emails often lead to malicious websites, and attachments in phishing emails usually contain malware.
Note that some phishing emails place the malicious link inside an attachment (e.g., a PDF or Word document) rather than in the email body, so that email security filters that only scan the body do not see it.
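To make the attachment trick concrete, here is an added Python example (written for this article, not SpectrumWise code) that parses a MIME message, walks every part rather than just the body, and records where each link was found and what text the reader saw for it. It builds its own sample message: a benign policy URL in the plain-text body and a lure link hidden inside an HTML attachment, which stands in for the PDF or Word case since those formats need their own text extractor (an assumption noted in the code). The hostnames use the reserved .invalid and example-corp.com names and are constructed for the example. A link is flagged when its visible text names one host but the href points at another, or when it is delivered inside an attachment at all.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def hostname(url):
    """Host part of an http(s) URL, lower-cased; '' if the string is not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(msg):
    """Walk every MIME part and return (location, url, visible_text) triples.
    location is 'body' or 'attachment:<filename>'. Only text/* parts are read;
    assumption: PDF and Office attachments would need their own text extractor."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        filename = part.get_filename()
        location = f"attachment:{filename}" if filename else "body"
        text = part.get_content()
        if part.get_content_subtype() == "html":
            parser = LinkExtractor()
            parser.feed(text)
            for href, label in parser.links:
                found.append((location, href, label))
        else:
            for url in URL_RE.findall(text):
                found.append((location, url, None))
    return found


def suspicious_links(msg):
    """Links whose visible text names a different host than the href target,
    plus any link that arrives inside an attachment instead of the body."""
    flagged = []
    for location, url, label in extract_links(msg):
        reasons = []
        shown = hostname(label or "")
        if shown and shown != hostname(url):
            reasons.append(f"text shows {shown}, target is {hostname(url)}")
        if location != "body":
            reasons.append("link delivered inside an attachment")
        if reasons:
            flagged.append((location, url, "; ".join(reasons)))
    return flagged


def build_sample_message():
    """Constructed sample: benign link in the body, lure link inside an HTML
    attachment (stand-in for the PDF/Word case). Hosts use reserved names."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example-corp.com>"
    msg["To"] = "employee@example-corp.com"
    msg["Subject"] = "Action required: password expires today"
    msg.set_content(
        "Your password expires today. Our policy is at\n"
        "https://intranet.example-corp.com/password-policy\n"
        "See the attached notice for the reset steps."
    )
    html = ('<p>Reset now at\n'
            '<a href="http://login-portal.attacker.invalid/reset">'
            'https://login.example-corp.com</a>\n'
            'to keep your access.</p>')
    msg.add_attachment(html, subtype="html", filename="notice.html")
    return msg.as_bytes()


def parse_message(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


if __name__ == "__main__":
    msg = parse_message(build_sample_message())
    for item in extract_links(msg):
        print("found:", item)
    for item in suspicious_links(msg):
        print("FLAG:", item)
```

A filter that only scans the body sees one harmless intranet URL in this message; walking the attachments as well exposes the lure, and comparing the visible link text against the real target catches the same disguise even when the link sits in the body.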
What should employees do if they receive a phishing email?
If an employee thinks they may have received a phishing email, they should follow these tips:
- Don’t click on any links or open any attachments.
- Don’t reply to the email.
- Flag the email as spam.
- Report the phishing email to the IT team.
- Delete the email.
SpectrumWise offers comprehensive security awareness training and customizable phishing simulations that can improve your company’s defenses against all types of cyberthreats. Schedule a consultation with us today.