The thought of phishing emails is enough to panic most seasoned cyber security professionals. After all, they spend a lot of time and money to beef up security technology, only to have it all undone by an employee who clicked on a bad link in an email. While up-to-date patching and anti-virus software can reduce the risk of infection, training employees to be vigilant about phishing emails is also critical to protecting your network. Here are 10 tips to make your staff aware of phishing emails and prevent them from unknowingly infecting your network.
1: Don’t trust the display name
I’ve had this happen before: an email with the name of the CEO in the header asking me to wire money. On closer inspection, the email address was not in fact the email of the CEO. Always confirm that the email is actually coming from the person you think it is. If it's not obvious in the header, ask the person directly.
2: Look, but don’t click
This is great advice for checking that the links coming to you in an email are actually going to the site they claim to be going to. Once you click, it might be too late. Using your mouse, hover over links and message headers. If the link description and the link text don’t match, don’t click on it! And make sure you report it to your IT department!
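As an added example (not part of the original post), the following Python script applies tips 1 and 2 mechanically to a raw email: it flags a familiar display name on an address outside a set of trusted domains, and link text that names a different host than the link's real target. The sample message, sender address and domains are constructed for the example and do not refer to any real organisation.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (no real sender or domain): spoofed display name plus a link whose visible text differs from its target.
SAMPLE = """\
From: "Pat Chen, CEO" <ceo@mail-examp1e.biz>
Content-Type: text/html; charset="utf-8"

<html><body><p>Approve the payment here:
<a href="http://login.examp1e-secure.biz/x">https://www.example.com/pay</a></p></body></html>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    # Hostname of a URL or bare domain, lowercased ('' if none).
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_flags(raw, trusted_domains):
    """Return warning strings for a raw RFC 822 message (tips 1 and 2)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    # Tip 1: a familiar display name on an address outside the organisation.
    if name and domain not in trusted_domains:
        flags.append(f"display name '{name}' but sender domain '{domain}' is not trusted")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            # Tip 2: visible text that looks like a URL must point where it says.
            if "." in text and " " not in text and _host(text) != _host(href):
                flags.append(f"link text '{text}' but target host '{_host(href)}'")
    return flags
```

Running `phishing_flags(SAMPLE, {"example.com"})` returns both warnings for the constructed message; a mail gateway or user-reporting tool could apply the same two checks before a message reaches the inbox.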
3: Why grammar and spelling are important
Remember when your schoolteacher would tell you grammar and spelling count? Turns out your teacher was right. In general, hackers are less careful about spelling and grammar than your typical businessperson would be, which is a great clue in determining the legitimacy of any email. Also, keep in mind that many attacks come from off-shore, where English may not be a hacker's first language. If you are finding it difficult to understand the email due to numerous grammatical errors, it is a big clue that it is probably a phishing email.
4: Generic Greetings can be sketchy
If the address line or salutation is generic, then it could be a mass phishing email, sent out to the many to catch a few. While it’s rare to be specifically targeted by a phishing email (it can happen), always check how you are addressed. If the sender uses words like “valued customer” or “dear sir or madam”, then it is likely a spam or phishing email.
5: Does the email request personal information?
If you receive an email asking for a whole bunch of personal information, it is not a legitimate email. Most reputable companies will never ask for your personal information over email. If you are not sure, always call the company and verify that they actually sent you the email in question.
6: Beware of urgency
If you receive an email that tries to sound like there is some emergency and you need to act fast, don’t. As per my first example, if you receive an email from someone pretending to do business with you asking for money, check that they are actually a vendor. This situation recently came up with the Waterloo Brewing company, where an employee was duped into transferring $2.1 million to pay fake invoices. It is always better to double check and ask, “is this legitimate?” rather than be taken advantage of.
7: Email signature
Most legitimate senders will include a full signature block at the bottom of their email with their contact information. If this information is missing, it could be a clue that it is not coming from a legitimate business.
8: Careful with attachments
Hackers like to trick people into opening attachments that spread malware. An attachment could be made to look like a photo with a sensational title or like a legitimate Excel file. Beware of opening attachments, particularly from sources you don’t know. If you aren’t expecting a file, then you probably shouldn’t open it.
9: Don’t believe everything you read
This is some sage advice my momma gave me back in the day. It’s still true in our technology age. If you are sent something that looks and sounds too good to be true, it likely is. Wal-Mart isn’t emailing everyone $500 gift cards. If you see something in your inbox that falls into this category, report it to your cyber security department.
10: When in doubt, ask
As an employee, you will never be in trouble for asking if an email is legit. If anything, your CEO may thank you for coming to them and letting them know you received a fraudulent email from someone claiming to be them, rather than blindly sending the money out. Asking questions will not only help keep you employed, but also help keep the business safer from these types of attacks.
Want to learn more about preventing phishing attacks? Contact us about our Cyber Security Awareness Training!