Tips for Catching a Phishing Scam Before it Catches You
by Amanda Frain, on May 12, 2020 3:35:58 PM
Due to current events surrounding the COVID-19 pandemic, it’s a vulnerable time for companies. Employees are more susceptible than ever to falling for phishing and malspam attacks. These attacks cost businesses hundreds of thousands of dollars, ruin reputations and sometimes destroy the business itself.
The best way to avoid falling for these attacks is to familiarize employees with what phishing messages look like and which red flags to look out for.
Read on for common red flags and for how to confirm that a message is a phishing attempt.
Common Red Flags
It isn't always easy to spot phishing attempts; some are REALLY well done. However, below are some common themes among phishing emails that you can take into consideration.
URGENT REQUESTS/PERSONAL DEETS
Be aware of any requests for personal information such as an urgent need for payment, your credit card number, passwords, or any bank information. Does your CEO usually ask you to run out for thousands of dollars in gift cards? Are you being sent an urgent/unusual alert to sign into an account?
Very important: Never put passwords, credit cards, or other personally identifying information into websites you are not 100% sure are secure and legitimate (and NEVER into emails or texts). Many times, you cannot take this action back.
Official brand logos within an email don’t necessarily mean the email was sent directly from that brand. It is easy to pull a logo from a brand’s website and use it in many ways in order to make a message look more legitimate.
Compare it to other emails you have received from the company to see if it matches.
Spelling mistakes and grammatical errors are often a sign of a phishing scam. If something feels like it's awkwardly worded or just not right, it's better to trust your gut and validate.
If you see any of the above signs, PAUSE and use the methods below to check whether it's a phishing attempt. It will only take you a couple of minutes and can save you tons of [expensive, business-destroying] issues down the road:
How to confirm it's a phishing attempt
IS THE EMAIL ADDRESS LEGITIMATE?
Does the email address come from the company's official domain, or is it a little off? Most companies send from an official domain name, and it appears in the email address.
Ways to spot it:
Spammers will use a display name that looks familiar, legitimate or harmless. Inspect the actual sending email address (not just the display name). Be aware that they sometimes "spoof" an address so that it looks legitimate when it isn't. If you don't take a second to double check, you can easily fall prey.
Walter White's real email address is <WWhite@breakingbad.com>, but you look and see:
Walter White, <WWhite@breakinbad.com>
Notice it's missing the "g," but looks close enough to fool you.
WHERE DOES THE LINK TAKE YOU?
Phishing emails often urge you to click on a link within the body of the message leading you to fill in personal information or ask you to download a file in order to view a document. Always double check with your IT team regarding download requests.
Ways to spot it:
Don't be fooled by the hyperlink. Oftentimes phishing attempts disguise a malicious link by giving it visible text that reads like a legitimate link. You can spot this one by hovering over the link (don't click) to see where it is actually sending you.
Legitimate websites always keep the company's own domain intact as the last part of the hostname. For example, Apple.com/support and go.apple.com are legitimate because "apple.com" stays intact. However, "apple.support.com" and "goapple.com" are not Apple sites even though they look close: their actual domains are "support.com" and "goapple.com".
The link says "www.dropbox.com", but when you hover, the address shown is "dropbox.nm.com".
This also goes for file downloads. Do not download files without first hovering to check the file type.
Ways to spot it:
Hover over the attached file and look at the file type: .doc and .jpeg are normal file types, while high-risk files will be .exe, .zip, or .scr.
A file labeled "Contract.pdf" turns out to be a zip file or another unknown type upon inspection.
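The checks described above, written out as an added example (this is not code from the original post): the registered-domain test for links, the hover check that compares a link's visible text with its real target, the lookalike-sender test from the Walter White example, and a leading-bytes check for attachments whose name claims one type while the contents are another. The "last two labels" rule for the registered domain is a simplifying assumption that ignores public suffixes such as co.uk.

```python
from urllib.parse import urlparse

# Simplification (assumption): the registered domain is the last two labels.
# Public suffixes such as "co.uk" need the Public Suffix List; not handled here.
def registered_domain(host: str) -> str:
    return ".".join(host.lower().strip(".").split(".")[-2:])

def hostname_of(link: str) -> str:
    """Hostname of a full URL or of a bare host such as "Apple.com/support"."""
    if "://" not in link:
        link = "https://" + link
    return urlparse(link).hostname or ""

def belongs_to(link: str, brand_domain: str) -> bool:
    """True only when the brand's domain is the link's registered domain:
    go.apple.com passes, apple.support.com and goapple.com fail."""
    return registered_domain(hostname_of(link)) == brand_domain.lower()

def link_mismatch(visible_text: str, href: str) -> bool:
    """The hover check: the text shown for a link names one domain, the href another."""
    return registered_domain(hostname_of(visible_text)) != registered_domain(hostname_of(href))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(sender: str, expected_domain: str, max_edits: int = 2) -> bool:
    """Sender whose domain is nearly, but not exactly, the expected one,
    e.g. WWhite@breakinbad.com checked against breakingbad.com (missing "g")."""
    domain = sender.rsplit("@", 1)[-1].lower()
    expected = expected_domain.lower()
    return domain != expected and edit_distance(domain, expected) <= max_edits

# Leading bytes that identify common file types regardless of the name shown.
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip", b"MZ": "exe"}

def extension_mismatch(filename: str, head: bytes) -> bool:
    """True when the first bytes of an attachment do not match its declared
    extension, e.g. "Contract.pdf" whose content starts like a zip archive."""
    declared = filename.rsplit(".", 1)[-1].lower()
    actual = next((t for magic, t in MAGIC.items() if head.startswith(magic)), "unknown")
    return actual != declared
```

Office formats such as .docx are themselves zip containers, so a real deployment would map those extensions to the zip signature rather than flag them.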
What do you do if you catch one?
If you receive any suspicious emails containing any of the above, report them to your IT department so they are aware that your company may be a target. They should also have a protocol for next steps to investigate and ensure nothing was compromised.
You can report the phishing email to the proper authorities.
If you are simply unsure, look up legitimate contact information (search on Google or go to their known website) for the person or company you suspect is being impersonated, and reach out to them to verify.
What if I took action?
The severity depends on what action was taken, and you will want to immediately contact an IT expert for help combating this. You may have to update passwords from a different device, take your device offline, alert your credit card companies, and more.
How can you be preventative?
The number one way to prevent these slip-ups is to run regular training on topics like these so employees can recognize the threats. There are phishing simulation services that let you test and train your team.
You can also invest in a more stringent email security solution, but be aware that these can often produce false positives (legitimate messages blocked as suspicious), so you will want someone monitoring the solution so you don't miss important communication.
Look at our Remote Employee Security Grader, based on the Center for Internet Security's guidelines.
Please reach out with any questions or concerns. We’d love to help! Springboard IT helps its clients address issues like phishing regularly and works with leadership to develop strategies to help combat cyber security concerns.
Springboard IT are Apple experts, but we help with all aspects of the IT environment. We have helped hundreds of organizations put best practices in place and have these types of conversations regularly with our clients. Let us help you secure your company.
Follow us on LinkedIn for more helpful posts and information like this!