Email phishing scams are carried out online by tech-savvy scammers and identity theft criminals. They use spam emails and fake websites to dupe users into providing sensitive information, like banking passwords and credit card numbers. Once you take the phisher's bait, they use this information to create fake accounts to steal your money or even your identity. For businesses, phishing scams can lead to data breaches that result in the loss of confidential business data and customer information. It has cost some companies millions. The Scoular Co. lost $17.2 million in June 2014 as a result of phishing. Even large companies with extensive resources can be successfully targeted by phishers. In May 2017 DocuSign, the digital signature technology provider, was targeted. A hacker gained access to a ‘non-core’ system that was used to send communications to users via email and stole users’ email addresses. It is unclear exactly how many email addresses were stolen; the DocuSign website indicates the firm has more than 200 million users.
1. Without opening the email, look at the name of the sender. Does it EXACTLY match other emails from the same party? If not, it could be packing malware.
2. You are asked to reply with confidential data – A legitimate business will not ask you to furnish your username and/or password or to click a link to change your password. If an email requests banking information, be suspicious. Don’t fall for it.
3. You are offered something valuable at little or no cost – The Nigerian prince comes to mind. Or you have won some sweepstakes that you never entered. Remember that even if you know the sender, the sender’s address book could have been hijacked and used to disseminate phishing emails.
4. The email threatens you with dire consequences if you do not comply:
5. The email purports to be a "Confidential" or "Private" request. – The sender is trying to keep you from verifying the email with another party. Don’t believe it.
6. An email contains an attachment that purports to be an order confirmation or receipt – This approach is also used for supposed package shipment documents. Think: have you ordered anything from that company? If so, do past emails have the same format and look? It is better in general to access information on an official website than to click links in an email or download an email attachment. In most cases it is possible to go to an official website to verify the email contents and get further information.
8. Is it tax season? – During tax season there is a bump in spear phishing and telephone scams by “tax authorities” requesting financial information or providing tax “receipts” that are malware in disguise. Since January, at least 68 US companies have announced that they fell victim to a spear phishing attack responsible for stealing the W-2 U.S. tax records of their workers. One or more employees receive an email appearing to be from the CEO with subject lines such as: “Request for all employees’ W2.” If the employee falls for the scam, the attacker attempts to file tax returns for all workers before the workers do. Then the attacker steals the victims’ tax refunds.
9. The sender’s email address does not seem to match the contents – Does it make sense that an email from UPS would come from an address such as firstname.lastname@example.org? Probably not. How about from email@example.com? Notice the periods. This is not from UPS, it is from up.s. The "from" address in an email can be faked. Do not assume that an email is legitimate just because it comes from a known address.
10. The wording of the email is awkward. – Does the content appear to be proper English (or whatever language it should be)? Check the tone and grammar. Does the email sound like it was translated from a foreign language? Then it could come from a non-native hacker.
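Several of the indicators above (a sender name or domain that only resembles the brand it claims, a "from" address that was never verified, an "order confirmation" attachment that is really an executable) can be checked mechanically before a user ever opens the message. The following Python script is an added example, not code from the article: it parses a raw message with the standard library `email` package and reports those indicators. The `EXPECTED_DOMAINS` table, the `rbl`-free heuristics, and both sample messages are constructed for this example; the `Authentication-Results` check goes slightly beyond the article by reading the SPF/DKIM verdict the receiving mail server records, which is how a filter learns that a "from" address was faked.

```python
"""Header-based phishing triage (constructed example, not the article's code)."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Brands we expect mail from, mapped to the domains they really send from.
# Assumed values for this example; a real deployment would maintain this table.
EXPECTED_DOMAINS = {
    "ups": {"ups.com"},
    "docusign": {"docusign.com", "docusign.net"},
}

# Attachment extensions that should never arrive as a "receipt" or "shipping document".
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".lnk", ".iso")


def brand_in_text(text: str):
    """Return the first known brand named (as a whole word) in the given text."""
    lowered = text.lower()
    for brand in EXPECTED_DOMAINS:
        if re.search(rf"\b{re.escape(brand)}\b", lowered):
            return brand
    return None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def looks_like(brand: str, domain: str) -> bool:
    """True when the domain imitates the brand once dots and hyphens are removed
    (e.g. 'up.s-delivery.com' squashes to 'upsdeliverycom', which contains 'ups')."""
    squashed = re.sub(r"[.\-]", "", domain)
    return brand in squashed and domain not in EXPECTED_DOMAINS[brand]


def triage(raw: bytes) -> list:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg: EmailMessage = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display, addr = email.utils.parseaddr(str(msg.get("From", "")))
    sender_domain = domain_of(addr)

    # Indicator 9: the claimed brand (display name or subject) vs. the real sending domain.
    brand = brand_in_text(display + " " + str(msg.get("Subject", "")))
    if brand and sender_domain not in EXPECTED_DOMAINS[brand]:
        if looks_like(brand, sender_domain):
            findings.append(f"lookalike sender domain '{sender_domain}' for brand '{brand}'")
        else:
            findings.append(f"sender domain '{sender_domain}' does not belong to '{brand}'")

    # A Reply-To pointing at a different domain sends the victim's answer elsewhere.
    _, reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != sender_domain:
        findings.append(f"Reply-To domain '{domain_of(reply_addr)}' differs from sender")

    # Authentication-Results is added by the receiving server; a failed SPF or DKIM
    # check means the From address was not verified, i.e. it may have been faked.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("SPF or DKIM failed: From address is unverified")

    # Indicator 6: an "order confirmation" that is actually an executable.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"executable attachment disguised as document: {name}")
    return findings


# Constructed sample: brand lookalike domain, redirecting Reply-To, SPF failure,
# and a double-extension attachment.
SAMPLE = b"""From: UPS Shipping <tracking@up.s-delivery.com>
Reply-To: claims@mail-redirect.example
Subject: Your UPS package could not be delivered
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=up.s-delivery.com; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Open the attached shipping document.
--b1
Content-Type: application/octet-stream; name="shipping_label.pdf.exe"
Content-Disposition: attachment; filename="shipping_label.pdf.exe"

MZ...
--b1--
"""

# Constructed sample of a message that passes every check.
CLEAN = b"""From: UPS <noreply@ups.com>
Subject: Your UPS shipment is on its way
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=ups.com; dkim=pass header.d=ups.com
Content-Type: text/plain

Track your shipment on the official site.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE), ("clean", CLEAN)):
        print(label, triage(raw) or "no indicators")
```

The lookalike test deliberately strips only dots and hyphens, which is enough for the "up.s" trick the article describes; homoglyph substitutions (a Cyrillic letter in place of a Latin one) need a separate confusable-character check. The script is a triage aid for a mail administrator or SOC analyst, not a replacement for a spam filter: it never decides on its own that a message is safe.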
If the message is suspicious, there are some steps you can take:
While phishing techniques are getting more sophisticated, there are lots of things users can do to avoid being phished. IT pros need to ensure their organization deploys a powerful spam filter that scans inbound and outbound email, provides RBL blocking and pattern filtering. Spam filters vary in effectiveness and are only part of the solution to preventing intentionally malicious attacks — especially phishing emails.
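The "RBL blocking" mentioned above is a DNS-based lookup: the filter takes the IP address the message was received from, reverses its octets, appends the blocklist's zone, and asks DNS for an A record. A 127.0.0.x answer means the address is listed (the last octet encodes the reason); NXDOMAIN means it is not. The script below is an added example, not the article's or any product's code. The zone name `rbl.example` and the `FAKE_ZONE` answers are constructed so the check can run offline; `default_resolver` performs the real lookup with the standard library. It also handles one failure mode a practitioner needs to know about: a resolver that answers with a non-127.0.0.0/8 address (a wildcard from a captive portal, or a zone that has been retired and now lists everything) must not be treated as a listing.

```python
"""DNS blocklist (RBL) query construction and interpretation (constructed example)."""
import ipaddress
import socket


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the name to resolve: reversed octets of the IP under the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def default_resolver(name: str):
    """Real lookup: the A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str, resolver=default_resolver) -> bool:
    """True only when the zone answers with an address inside 127.0.0.0/8.

    Any other answer is ignored on purpose: wildcard DNS or a dead zone would
    otherwise make the filter reject all inbound mail."""
    answer = resolver(rbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


# Constructed offline stand-in for a real zone's answers (assumed values).
FAKE_ZONE = {"9.113.0.203.rbl.example": "127.0.0.2"}


def fake_resolver(name: str):
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for ip in ("203.0.113.9", "198.51.100.1"):
        print(ip, "listed" if is_listed(ip, "rbl.example", fake_resolver) else "not listed")
```

In a real filter the IP comes from the last trusted `Received:` header (the one written by your own edge server), never from headers further down, because those are supplied by the sender and can be forged just like the "from" address.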