Did you know that phishing (i.e., scam) e-mails account for about 91 percent of all cyber attacks? In other words, nearly every cybersecurity issue you could think of—from viruses, to ransomware, to full-blown data breaches—starts with users accidentally clicking malicious links in e-mails.
On the technology end, we combat phishing e-mails with spam filters and antivirus scanners. But these security features aren’t perfect. Inevitably, you’ll find phishing e-mails in your inbox, and the only true “patch” is end-user awareness.
By understanding the signs of a phishing e-mail—and sharing them with your staff and clients—you will be well positioned to protect your sensitive information against cyber threats. With that in mind, let’s review five signs of a phishing e-mail and then cover what to do when you’ve spotted a phish (or when you think you’ve spotted a phish).
1) Unexpected Request
Generally, we’re familiar with the e-mails we receive. We recognize the sender or the content. But when it comes to phishing, we’re often faced with an unexpected request. Let’s review a common scam to illustrate this point.
You receive an e-mail from a “friend” stranded in a foreign country. He or she just needs a one-time wire transfer of a few thousand dollars to make it home safely.
How often does this scenario actually take place in real life? Requests like this one are unusual for a reason—they aren’t legitimate.
2) Urgency
A majority of phishing e-mails prompt recipients for action ASAP; that way, there isn't time to process what you're reading and doubt its veracity.
But how many times have you sent an e-mail that was actually urgent? Typically, urgent requests are left to phone calls or in-person meetings. Urgency just doesn’t make sense for e-mail. This is one of the biggest telltale signs of a scam.
3) Poor Grammar, Spelling, or Syntax
Keep an eye out for typos and strange syntax—they are common features of malicious e-mails. Most phishing e-mails are sent from foreign countries, where computer crime laws may not be as strict as they are in the U.S. Even if U.S. law enforcement tracks down an attacker, the country in which the attacker resides may not cooperate. Scammers are much safer attacking us from abroad. Fortunately, their language can be a dead giveaway.
4) The Hover-Over Link Doesn’t Match
Attackers want to convince you that you’re going to a legitimate website when they are really sending you to a malicious one that could install malware on your computer or trick you into revealing your password. So, if you hover over a link within an e-mail and the URL that appears doesn’t match the description of the link, it might lead to a phishing site.
When the URL doesn’t look familiar, don’t take a chance. If the e-mail regards an online account that you log into regularly, simply open up a new browser window yourself and log in as normal. (Don’t click that link!)
5) The Request Asks for Sensitive Information
Phishing e-mails often ask you to “verify” your credit card number, social security number, or account password—something legitimate services would never ask you to do. Never (ever!) share sensitive information through e-mail.
I Spotted a Phish! Now What?
Now that you know the signs of a phishing e-mail, what should you do if you spot one? Just delete it! Many users feel the need to report phishing e-mails to their firm’s Technology team, but reporting can cause a number of problems:
- If a suspicious e-mail is forwarded, it increases the chances that the malicious link will be clicked.
- It can hurt productivity if one person or team is trying to dissect a suspicious e-mail while another is waiting to hear back.
If we all get in the habit of recognizing and deleting suspicious e-mails, phishing will become a weaker, less impactful threat altogether.
Not Sure if It's a Phish?
Sometimes, detecting phishing e-mails can be tough, even when you’ve seen a million before. We have two recommendations for those especially tricky situations:
- Simply delete the e-mail. If an e-mail is causing you to hesitate for that long, it’s usually because something is “phishy.” Trust your gut. In the event that you accidentally delete a legitimate e-mail, the sender will get in touch with you again, at which point you’ll have more information to work with.
- Verify with the sender "out of band." In other words, simply call the sender. Don’t use a number provided in the e-mail because it could be fake. If you don’t know the legitimate number, try researching the official website of the business or individual.
Awareness Is the Key to Prevention
Many phishing e-mails tempt us with irresistible offers, but here’s a legitimate deal that no one can pass up: If we can keep the signs above in mind when checking our e-mails, we can prevent 91 percent of cyber attacks from ever getting to our networks. Following this simple plan can go a long way in securing your information.
Have you ever been a victim of a cyber attack? What preventive actions have you taken to secure your information? Please share your thoughts with us below!