How to spot a phishing email: 13 red flags your employees should know
The importance of employee security awareness when it comes to phishing emails cannot be overstated. We hear and read stories far too often about employees falling victim to social engineering schemes.
From downloading a virus to falling for a wire transfer phishing scam, these incidents not only have financial implications for an investment firm but can also affect an employee personally and directly.
Most employees who fall prey to social engineering tactics or a phishing attack never intend to hurt the company. They may be distracted or overworked, or they may think that they will get in trouble if they are slow to respond to an email or if they ask a higher-up in the company for help.
In cases of wire transfer scams, for example, often an employee doesn’t follow the appropriate checks and balances at the firm or is being too "responsive" to impress a colleague or boss. When it comes to wire transfers, employees should always pick up the phone to verify the request.
Beware of Sophisticated Scammers
Each week we learn about new phishing scams and targeted inbound fraudulent emails (example: subject line: debt fax from <your domain here>) that have the ability to impact a hedge fund if opened by an employee.
Cybercriminals keep getting better at circumventing security awareness training, using personal information and familiar brand names to create convincing fake emails.
Once the scammer gets an employee to engage, they can convince them to click on a link, download a file or take some other action that puts confidential information at risk.
Educating your employee base and testing your workforce to see if they fall for a simulated phishing attack can give you a better idea of how vulnerable your organization is to the loss of sensitive information or private customer data.
Pop Quiz: Phishing Email Example
The following is an example of the type of phishing or imposter emails that enter employees’ inboxes. Would your employees catch at least one of the items that make this email suspicious?
Note the sender's email address, which includes ECI's domain, the balance due amount and the type of company (medical) sending the invoice.
You may (and hopefully do) have advanced email security mechanisms in place, but you still have to train your employees, because scams are only going to get more sophisticated (think ECI's Fully Managed Phishing & Training Service!).
Security Awareness Tips for Your Employees
A phishing attempt can occur via email, phone, instant message, SMS or social media. Here’s what to look for:
Check the sender email address as well as “to” and “cc” fields. Misspellings can be used to trick you into thinking the email is from a trusted source.
Is it personalized? Be wary of generic greetings, as well as greetings that use your last name as a first name or spell out your entire name (first, last and middle initial). These indicate that personal details have been scraped from a mailing list.
Grammatical errors can be giveaways as well. Look for poor sentence structure, missing punctuation, spelling mistakes or an incorrect gender-specific form of address, such as Sir or Madam.
An overwhelming sense of urgency around a request for personal information. This can be a request for data in order to send funds, or a worried tone explaining that a shipment can't go out without more details. Legitimate emails don't typically use scare tactics.
Links! Only click on those that you are expecting (the same goes for attachments). If you're unsure, reach out by phone if possible to verify that an email really came from the company it claims to be from.
Suspicious emails from trusted sources can happen. If your friend/colleague sends a strange message, their account may have been attacked and is being used to send scam emails.
Be aware that landing on the wrong website can expose a firm to risks, so be on the lookout for these signs that could signal it is a malicious site:
Check for the presence of an address, phone number and/or email contact. Call the number and see what happens, or send an innocuous email and wait for a reply.
Check the web address for misspellings, extra words, characters or numbers that seem off or suspicious. It's very common for fake websites to be set up using a domain name with an extra letter or number attached, or using a hyphen.
Roll your mouse pointer over a link to reveal its true destination, displayed in the bottom left corner of your browser. Sometimes a link URL will be typed out, but the hyperlink is a completely different destination — one that might infect your computer with malware.
If there is NO padlock in the browser window or 'https://' at the beginning of the web address to signify that the connection is encrypted, do not enter account information or personal info on the site. Keep in mind that the padlock only tells you the connection is encrypted, not that the site belongs to who it claims; phishing sites can use HTTPS too. If it is a company you know, type in the correct address that you know is valid yourself rather than following a link, and look for the green dot or padlock indicating a secure connection to that site.
Be wary of websites that request lots of personal information, above and beyond what is necessary. This is especially true if you arrived at the website by any other means than typing in the address from a trusted source. An example of sensitive information you should never give up is your entire Social Security number.
Avoid 'pharming' by checking the address in your browser's address bar after you arrive at a website, to make sure it matches the address you typed, as it is possible to hijack and redirect a URL. Scammers also keep watch for expiring domains and take them over, squatting on them and using the previous site owner's credentials to trick people into giving up their data.
Be wary of websites that are advertised in unsolicited emails from strangers. In many cases, a phishing message is sent out as a bulk email to a vast database of addresses just to see if anyone clicks a link. Verify that the sender is a legitimate organization before doing anything else, and watch for a potentially malicious attachment, such as a document or video.
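Two of the checks above (a sender or web address that is a near-copy of a trusted domain, and a link whose visible text names a different destination than its real target) can be automated for mail filtering or awareness reporting. The following is an added example and not code from the original post or from ECI; the trusted-domain list, the sample HTML and the lookalike thresholds are assumptions.

```python
import re
from urllib.parse import urlparse

TRUSTED = {"example.com"}  # assumption: the firm's own and its vendors' domains

def edit_distance(a, b):
    """Levenshtein distance: one typo, added or swapped character counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, trusted=TRUSTED):
    """Untrusted domain within two edits of a trusted one (examp1e.com, exarnple.com),
    or reusing its first label behind a hyphen or extra labels (example-com.net)."""
    domain = domain.lower()
    if domain in trusted:
        return False
    labels = domain.replace("-", ".").split(".")
    return any(edit_distance(domain, t) <= 2 or t.split(".")[0] in labels for t in trusted)

def named_host(text):
    """Host that a link's visible text claims to point at, or None for plain words."""
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
    return m.group(1) if m else None

def mismatched_links(html):
    """(href, text) pairs whose text names one host while the href goes to another."""
    pairs = re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S)
    found = []
    for href, inner in pairs:
        text = re.sub(r"<[^>]+>", "", inner).strip()  # drop tags nested in the anchor
        if named_host(text) and urlparse(href).hostname != named_host(text):
            found.append((href, text))
    return found

def red_flags(sender_address, html_body):
    """Red flags found in the sender address and HTML body of one message."""
    domain = sender_address.rpartition("@")[2]
    flags = [f"sender domain {domain} imitates a trusted domain"] if is_lookalike(domain) else []
    for href, text in mismatched_links(html_body):
        flags.append(f"link text {text!r} but real destination {href}")
    return flags

# Constructed sample: a '1' for the 'l' in the sender domain, and link text hiding the real host.
SAMPLE_HTML = ('<p>Balance due $4,820. Pay at <a href="http://pay.examp1e.com/x">'
               'https://portal.example.com/invoices</a> today.</p>')
```

Calling `red_flags("ap@examp1e.com", SAMPLE_HTML)` reports both the lookalike sender domain and the mismatched link; the same message from `ap@example.com` with a link whose text and target agree reports nothing.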
Preventing Phishing Attacks
You can help protect your employees from falling victim to phishing attacks by making them aware of what to look for and reminding them frequently about these 13 red flags. However, that may not be enough.
To deliver even more cybersecurity protection against malicious emails, spear phishing, identity theft or compromised login credentials, consider phishing your own employees on purpose to make the lesson stick.
Once an employee has personally fallen for a scam involving a malicious link to a fake website, they will be much more aware about what they are doing and will take the extra few seconds to think before interacting with a suspicious email or text message.