With ransomware infections from phishing attacks climbing at an unprecedented rate, educating your staff is paramount in protecting your organization. There is no time to wait.
Here are the top ten ways to detect a phishing email:
- Sender impersonations. Don’t simply trust the display name on an email. Cyber criminals often attempt to impersonate someone you may know or trust. Be sure to check the email address to confirm the true sender.
- Sender uses a public email domain. Legitimate organizations typically will not contact you from an email address that ends in a public email domain such as @gmail.com or @outlook.com.
- Generic salutations. Typically, a reputable company will use your name or an appropriate title to address you. Be cautious of emails beginning with “To whom it may concern” or “Dear sir or madam”.
- Requests for personal information. Legitimate organizations do not typically ask for this type of information over email (e.g. SSN verification, birthdate, login credentials, account numbers). When a company does need this information, it is usually to verify your identity when you contact them, not the other way around.
- Spelling errors. Phishing messages often contain grammatical errors and typos. Misspelling is also a deliberate tactic in sender impersonation, so check the spelling of the sender’s email address carefully before trusting it.
- Suspicious links. Hover over a link without clicking to reveal the destination URL. If the URL doesn’t match the linked content, do not click and report the email to your IT manager.
- Malicious attachments. Never open a questionable attachment (e.g. .exe files, encrypted zip files, macro-enabled documents). If you suspect malicious content, it’s always best to contact the sender through a separate channel to confirm the file is legitimate.
- Urgent requests. Phishing scammers often do their homework before they target you for an urgent request (e.g. the CEO needs an immediate wire transfer or gift card purchase). Always verify legitimacy before making hasty purchases or taking action from an email request.
- Unbelievable offers. If the deal seems too good to be true, it probably is. Beware of emails offering big rewards for little effort (e.g. cash prizes, dream vacations, etc.).
- Suspicious messaging. Last but not least: if an email feels off or makes you question its legitimacy AT ALL, it’s better to play it safe and ignore or delete it.
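Three of the checks above (sender impersonation, public email domain, and link text that does not match the destination URL) can also be applied mechanically when triaging reported mail. The script below is an added example, not Arctic IT’s own code; it uses only Python’s standard library, and the message it parses is a constructed sample with placeholder domains.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

PUBLIC_DOMAINS = {"gmail.com", "outlook.com"}  # public domains named in the post
# Simple anchor matcher for the constructed sample; use an HTML parser on real mail.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)  # link text that looks like a URL/domain

def _host(s):
    """Hostname of a URL, or of a bare domain used as the visible link text."""
    s = s.strip() if "://" in s else "http://" + s.strip()
    return (urlparse(s).hostname or "").lower()

def triage(raw):
    """Return the names of the indicators that fire for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Sender impersonation: display name shows an address on a different domain
    # than the real sender address (the one a reply would actually go to).
    claimed = re.search(r"@([\w.-]+)", name)
    if claimed and claimed.group(1).lower() != domain:
        flags.append("sender_impersonation")
    # Public email domain used for what claims to be organization mail.
    if domain in PUBLIC_DOMAINS:
        flags.append("public_email_domain")
    # Suspicious link: the visible text names one host, the href another.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in ANCHOR.findall(html.get_content()):
            text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags inside the anchor
            if URLISH.match(text) and _host(text) != _host(href):
                flags.append("link_mismatch")
                break
    return flags

# Constructed sample (not a real message) that trips all three checks.
SAMPLE = """From: "ceo@example.com" <ceo.example@gmail.com>
To: staff@example.com
Subject: Urgent wire transfer
Content-Type: text/html; charset=us-ascii

<p>Log in at <a href="http://login-example.invalid/">https://portal.example.com</a></p>
"""

if __name__ == "__main__":
    print(triage(SAMPLE))  # → ['sender_impersonation', 'public_email_domain', 'link_mismatch']
```

A hit on any one indicator is a reason to report the message, not proof of phishing; the checks are meant to prioritize what a human reviews.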
Arctic IT highly encourages you to share this list with your entire organization. We also recommend you conduct phish testing regularly to uncover the “clickers” and help to educate them.
If your organization falls victim to a successful phishing attempt, please notify your local FBI office right away and report the incident at IC3.GOV.
To learn more, connect with us today at email@example.com.
By Phil Jackson, Chief Information Officer at Arctic IT