Digital thieves use phishing email or text messages to trick victims into clicking on malicious links, opening/downloading malicious files, or giving away sensitive information. Crooks often update their tactics, but some common telltale signs can help users recognize a phishing attempt. In this piece we highlight 10 ways to identify a phishing email and avoid falling victim to an attack.
Although a number of global law enforcement and public/private initiatives work to reduce phishing and other online criminal activity, it remains incumbent on the victim company to educate and defend itself against these digital thieves.
The first step is to educate employees to recognize and avoid falling victim to phishing attacks. To that end, the following are 10 ways users can identify a phishing email.
1. Odd Sender Address
Phishing emails may initially look like they come from a company or person you know or trust. Sophisticated attackers will identify where you shop or when you leave reviews online and use that to target you, knowing you really use that site. The “from” field in an email can always be faked. To determine the real sender, look at the email message header and check to see if it is from an unknown address. Examples include:
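The header inspection described above can be automated for a mail gateway or a help-desk triage script. The following is an added example, not code from the IANS post: it reads a raw message, compares the display name, From, Reply-To and Return-Path domains, and checks the receiving server's Authentication-Results stamp. The sample message and every domain in it are constructed for the demo.

```python
# Added example (not from the IANS post): inspect sender-related headers of a
# raw message and report mismatches a reader would otherwise have to eyeball.
# The sample message below is constructed for the demo.
import email
from email.utils import parseaddr

SAMPLE = """\
From: "Acme Bank Support <support@acmebank.example>" <alerts@mail-acme-login.example>
Reply-To: verify@acme-secure-center.example
Return-Path: <bounce@acme-secure-center.example>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=acme-secure-center.example; dkim=none; dmarc=fail
Subject: Your account has been limited
To: user@example.org

Please confirm your details within 24 hours.
"""

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def check_sender_headers(raw: str) -> list[str]:
    """Return human-readable warnings about the sender headers of a raw message."""
    msg = email.message_from_string(raw)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    # A display name that smuggles in a different address is a classic spoof:
    # many mail clients show only the name and hide the real address.
    shown = next((t.strip('<>"') for t in name.split() if "@" in t), "")
    if shown and _domain(shown) != from_dom:
        findings.append(f"display name shows {shown} but real sender is {from_addr}")
    # Replies or bounces routed to a different domain than the visible sender.
    for hdr in ("Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(hdr, ""))
        if addr and _domain(addr) != from_dom:
            findings.append(f"{hdr} domain {_domain(addr)} differs from From domain {from_dom}")
    # SPF/DKIM/DMARC verdicts stamped by the receiving server, if present.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=pass" not in auth:
            findings.append(f"{mech} did not pass (or is absent) in Authentication-Results")
    return findings

if __name__ == "__main__":
    for line in check_sender_headers(SAMPLE):
        print("WARNING:", line)
```

An empty result does not prove a message is safe; it only means the headers tell a consistent story, which is the same limit that applies to the manual check.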
2. Common Phishing Subject Lines
Look at the subject line. Is it similar to one of the common phishing subject lines below? Does it make you curious or grab your attention? There are many beyond this short list so think before you click – and be suspicious:
3. Awkward Body Text
English may not be the attacker’s first language, making it easier to identify some phishing messages if they read awkwardly. Things to check:
4. Generic Greetings and Signatures
A generic greeting, like “Dear Customer” or “Most Valued Sir,” along with a lack of contact information is a red flag. An organization you deal with on a regular basis will have your name in its customer relationship management (CRM) software and will end the message with official corporate contact information.
5. Spoofed Hyperlinks and Websites
Check the email yourself by hovering over (but not clicking) images and links. If the URL revealed doesn’t match the URL you were expecting, it may be a spoof pointing to a fake site. This is not always conclusive, because many companies use a content delivery network (CDN) or the link may come from the CRM (e.g., Salesforce). But if it does not look normal, don’t click on it.
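The “hover over the link” check compares the address a link displays with the address it actually opens. The following is an added example, not code from the IANS post: it parses the HTML body of a message, extracts every anchor, and flags links whose visible text names one domain while the href leads to another, as well as links that resolve to a bare IP address. The sample HTML and all domains in it are constructed; the registered-domain helper is a deliberate two-label approximation rather than a Public Suffix List lookup.

```python
# Added example (not from the IANS post): the "hover over the link" check done
# programmatically over an HTML body. Sample HTML below is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """
<p>Your account will be suspended. Sign in at
<a href="http://198.51.100.7/login">https://www.acmebank.example/login</a>
or <a href="https://acmebank.example.secure-verify.example/">acmebank.example</a>.
Questions? <a href="https://www.acmebank.example/help">Help Center</a></p>
"""

class _Links(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url: str) -> str:
    """Lower-cased hostname of a URL or bare domain string."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def _registrable(host: str) -> str:
    """Crude last-two-labels approximation of the registered domain (no PSL)."""
    return ".".join(host.split(".")[-2:])

def find_deceptive_links(html: str) -> list[str]:
    """Return warnings for links whose shown domain and real target disagree."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = _host(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            findings.append(f"link to bare IP address {target} (text: {text!r})")
        # Only compare when the visible text itself looks like a URL or domain.
        shown = _host(text) if " " not in text and re.search(r"\w+\.\w+", text) else ""
        if shown and _registrable(shown) != _registrable(target):
            findings.append(f"text shows {shown} but href goes to {target}")
    return findings
```

Links whose visible text is ordinary wording (“Help Center”) cannot be judged this way, which is exactly the case where a CDN or CRM tracking domain makes the manual hover check inconclusive.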
6. Poor Spelling, Grammar and Layout
Poor grammar and sentence structure are an indication the sender is a non-native speaker. Reputable companies take pains to ensure their messages are correctly drafted in the native language of the recipient.
7. Unsolicited Attachments
Always be suspicious of emails instructing you to open attachments. Malicious code and macros can be executed by opening the attachment, even if it only looks like a PDF or text file.
8. False Sense of Urgency
Frequently, attackers will create a false sense of urgency to get victims to open the message or attachment without thoroughly examining the message first. Such messages may include statements like:
9. Requests for Username, Password, Email or Sensitive Info
Unexpected requests for sensitive information rarely come through email or other digital means. When they do, it should be easy to call back and confirm the sender. If something doesn’t look normal, be suspicious. Scammers will create fake login pages that look legitimate and then ask you to enter your credentials to “confirm” them in their system. Don’t fall for it.
10. Emotional Hooks
Emails that tug on your emotions are “hooks.” These scams will say something like “you have been selected a winner” or “click here for a free iPad.” They will also often tug on your heart strings with appeals for help or assistance from an unrecognized charity.
Remember that with phishing, the best defense is your own suspicion. If you think something is too good to be true, it is. To ensure you keep ahead of the scammers, check out these resources:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
October 19, 2021
By IANS Faculty