It’s 9am on a Monday morning, and the first thing you do after fighting rush hour traffic and going on a quick coffee run is check your email. Amid the flurry of incoming messages from clients, you see an urgent email from Google saying it detected suspicious activity on your account, and will deactivate it immediately unless you confirm your password. That’s the last thing you need with your busy schedule, and you comply without giving it a second thought.
Unfortunately, “phishing” scams such as these are all too common today, and aren’t just a problem for your company’s IT department. Phishing is any fraudulent attempt, typically through email, to trick unsuspecting individuals into handing over personal or financial information, such as account credentials or credit card numbers. Orchestrated by criminals pretending to be reputable companies, organizations or government agencies, phishing attacks cost mid-sized businesses $1.6 million on average and can expose confidential company and client information.
While phishing attacks have become increasingly sophisticated over the years, a vast majority of them still contain noticeable red flags. Here are a few major ones to look out for:
Generic or vague opening lines. Be skeptical if the email begins with a generic, non-personalized greeting, such as “Dear Customer” or “Dear User.” Phishing emails are typically sent to many recipients at once, and an email specifically meant for you shouldn’t read like a mass mailing.
Incorrect email address or website. Double check the sender’s email address to confirm that it is a legitimate company address. It should be a red flag if the person contacting you claims to be from Amazon’s customer service department, but their email address is firstname.lastname@example.org. Additionally, many spam emails embed a link to an insecure website that asks for sensitive information. Hover over every link to confirm that it points to the company’s actual website, and avoid clicking on it, as it could lead to a website that distributes malware.
Spelling and grammar mistakes. “We have recieved notice that you’re recent payment was declined.” Chances are that your bank, the IRS, and legitimate companies like PayPal proofread and spell-check their emails before sending. If the email you receive is riddled with spelling errors, poor grammar, or awkward phrasing, then it could mean that the person emailing you isn’t who they say they are.
Threatening language. “Failure to update your credit card information will result in immediate account suspension.” “Urgent action required!” Commands and threats such as these are scare tactics meant to create a sense of urgency and intimidate busy employees into providing sensitive information. Be cautious of emails that attempt to convince you to take quick action by evoking strong emotion.
Strange attachments. Opening an infected zip file downloads malware onto your computer, which could infect it with destructive viruses that spread to other computers on your company’s network. If the email seems convincing but you’re still not sure whether the attachment is safe, it never hurts to double check with the sender or your IT department before downloading it.
Charitable solicitations made through email. Oftentimes, phishing scams will attempt to exploit current events or tragedies in order to scam unsuspecting people. Be wary of email solicitations from charities you have never heard of before, or charities you have never contacted or supported in the past.
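The red flags above can be turned into a simple mail-triage check. The script below is an added example, not part of the original article: it parses a constructed sample message and reports which of the listed warning signs it shows (brand in the display name but a different sender domain, generic greeting, urgency wording, link text pointing to a different host than the actual link target, risky attachment types). The brand and urgency checks are coarse keyword heuristics chosen for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample (not a real message) showing several of the red flags above.
SAMPLE = """\
From: Amazon Customer Service <firstname.lastname@example.org>
To: you@yourcompany.example
Subject: Urgent action required!
Content-Type: text/html

<p>Dear Customer,</p><p>Failure to update your credit card information will
result in immediate account suspension.
<a href="http://login-verify.example.net/amazon">https://www.amazon.com/account</a></p>
"""

URGENCY = re.compile(r"urgent action required|immediate\s+account\s+suspension", re.I)
GREETING = re.compile(r"\bdear (customer|user|member|client)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
RISKY_EXT = (".zip", ".exe", ".js", ".scr", ".iso")

def host(url):
    return (urlparse(url).hostname or "").lower()

def phishing_flags(raw):
    """Return the red flags found in one raw RFC 822 message, in check order."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Brand claimed in the display name but the address belongs to another domain
    brand = display.split()[0].lower() if display else ""
    if brand and brand not in sender_domain:
        flags.append("sender-domain-mismatch")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if GREETING.search(text):
        flags.append("generic-greeting")
    if URGENCY.search(f"{msg.get('Subject', '')} {text}"):
        flags.append("urgency-language")
    # Link text shows one site while the href points somewhere else
    for href, label in LINK.findall(text):
        shown = re.sub(r"<[^>]+>", "", label).strip()
        if shown.startswith("http") and host(shown) != host(href):
            flags.append("link-target-mismatch")
            break
    # Attachment with an extension commonly used to deliver malware
    if any((p.get_filename() or "").lower().endswith(RISKY_EXT) for p in msg.iter_attachments()):
        flags.append("risky-attachment")
    return flags
```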
Dealing with a phishing attack on your company is not only time-consuming, but can also be costly and have a disastrous impact on your business and clients. This is why it’s vital for your team to recognize common warning signs of phishing, and to always err on the side of caution when confronted with a suspicious email.