
What is phishing?

Phishing is when attackers attempt to trick users into doing 'the wrong thing', such as clicking a bad link
that downloads malware or directs them to a dodgy website.
Phishing can be conducted via a text message, social media, or by phone, but the term 'phishing' is mainly
used to describe attacks that arrive by email. Phishing emails can reach millions of users directly, and hide
amongst the huge number of benign emails that busy users receive. Attacks can install malware (such as
ransomware), sabotage systems, or steal intellectual property and money.
Phishing emails can hit an organisation of any size and type. You might get caught up in a mass campaign
(where the attacker is just looking to collect some new passwords or make some easy money)
6 ways to spot a possible phishing attack
Phishing emails often appear normal, but it’s easy to identify warning clues if you know where to look. These are a few
clues you can look for to spot a possible phishing attack.
1. Suspicious email address
Even if the email seems legitimate, always check the full email address in the “from” field, not just the display
name. For example, an email may say it is from Apple Support while the address is not within the @apple.com domain.
Bear in mind that the address itself can be forged, so a matching address is not proof that the mail is genuine. If
the address is suspicious in any way, proceed with caution and do not take immediate action on anything presented
in the email, even if it purports to be urgent.
2. Generic greeting and language
Phishing emails are often sent to a large batch of people, so you might see generic greetings and requests. That way the
phishing attempt can appeal to the most people. For example, an “urgent matter that needs your help right away” is
unspecific. If someone in your organization legitimately needed your help, they would probably use language specific
to your role, industry or the organization. Lack of specifics should give you pause.
3. Typos
Emails from legitimate businesses don’t usually have glaring spelling mistakes, poor grammar or unnatural language.
For example, an email that says ZenDesk instead of Zendesk is a small clue that the person writing is not actually
familiar with the organization. This should get your spidey sense tingling.
4. Questionable links or attachments
As a best practice, never click on hyperlinks or download attachments from emails you aren’t expecting. You can
check a link by hovering over it and confirming that the destination URL is consistent with what you expect; read
the domain carefully, because attackers use lookalike names and put a trusted name in front of a domain they own.
Hovering is not possible in most mobile clients, and shortened or redirecting links hide the real destination, so
when in doubt do not click.
5. No email signature
While this doesn’t always mean phishing, a lack of details about the sender can be a warning sign.
Think about past emails you’ve received from vendors, partners, sales reps, etc. — they always
provide contact information because they want you to contact them. If the signature is vague or
lacking necessary context, think twice before taking an action within the email.
6. Unreasonable request
Use your common sense — Does the sender’s request seem natural and reasonable? Are you being
strongly compelled to follow a link, open an attachment, or submit credentials? Does the message
warn of dire consequences if you fail to respond? Is this the kind of language the sender would
normally use? These can be clues that someone is masquerading as someone they aren’t, maybe
even a top executive at your company. If it seems funny, trust your gut and report it to your security
team right away.
7 Ways to Spot Phishing Email:
Socially engineered phishing emails often evade detection by email filters due to their sophistication. They are sent from domains with valid
Sender Policy Framework (SPF) and DKIM records over correctly configured SMTP infrastructure, so they pass the filter’s front-end authentication
checks, and they are rarely sent in bulk from IP addresses listed on Realtime Blackhole Lists (RBLs), so they are not blocked on reputation alone.
Because they are individually crafted, they also slip past bulk-pattern heuristics; greylisting, which temporarily rejects mail from unknown
senders, does not stop them either, because a properly configured sending server simply retries.
However, phishing emails often have common characteristics; they are frequently constructed to trigger emotions such as curiosity, sympathy, fear and
greed. If a workforce is advised of these characteristics – and told what action to take when a threat is suspected – the time invested in training a
workforce in how to spot a phishing email can thwart attacks and network infiltration by the attacker.
1. Emails Demanding Urgent Action
Emails threatening a negative consequence, or a loss of opportunity unless urgent action is taken, are often phishing emails. Attackers often use this
approach to rush recipients into action before they have had the opportunity to study the email for potential flaws or inconsistencies.
2. Emails with Bad Grammar and Spelling Mistakes
Another way to spot phishing is bad grammar and spelling mistakes. Many companies apply spell-checking to outgoing email by default, and
browser-based email clients highlight or autocorrect misspellings, so a legitimate business email rarely contains glaring errors. Note that
well-resourced attackers produce flawless copy, so clean text is not evidence that a message is safe.
3. Emails with an Unfamiliar Greeting or Salutation
Emails exchanged between work colleagues usually have an informal salutation. Those that start “Dear,” or contain phrases not normally used in
informal conversation, are from sources unfamiliar with the style of office interaction used in your business and should arouse suspicion.
4. Inconsistencies in Email Addresses, Links & Domain Names
Another way to spot phishing is by finding inconsistencies in email addresses, links and domain names. Does the email
originate from an organization that you correspond with often? If so, check the sender’s address against previous emails from
the same organization, and compare the From address with any Reply-To address: replies routed to a different domain are a
warning sign. Check whether a link is legitimate by hovering the mouse pointer over it and reading the destination that pops up.
If an email allegedly originates from (say) Google, but the domain name reads something else, report the email as a phishing attack.
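The sender checks described under item 1 of the first list, in the paragraph on SPF and SMTP controls above, and in item 4 here can be automated. The following is an added example, not code from the original page or from any vendor: it parses a raw message with Python’s standard email library and reports a display name that claims a brand its From domain does not belong to, Reply-To or Return-Path domains that differ from the From domain, and the SPF, DKIM and DMARC verdicts the receiving mail server recorded in its Authentication-Results header. The two sample messages, the brand allowlist and every domain name in them are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Two constructed sample messages (not real mail). The first spoofs the From
# address exactly, so only DMARC and the Reply-To/Return-Path mismatch give it
# away; the second uses a lookalike domain the attacker controls, so SPF, DKIM
# and DMARC all pass and only the display-name check fires.
SAMPLE_SPOOFED_FROM = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mail-relay.example.net;
 dkim=none;
 dmarc=fail header.from=apple.com
From: "Apple Support" <support@apple.com>
Reply-To: verify-account@apple-id-help.example.net
To: user@example.org
Subject: Urgent: your Apple ID has been locked

Your account will be closed in 24 hours unless you verify now.
"""

SAMPLE_LOOKALIKE = b"""\
Return-Path: <no-reply@apple-id-help.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=apple-id-help.example.net;
 dkim=pass header.d=apple-id-help.example.net;
 dmarc=pass header.from=apple-id-help.example.net
From: "Apple Support" <support@apple-id-help.example.net>
To: user@example.org
Subject: Action required on your Apple ID

Confirm your details within 24 hours.
"""

# Assumed allowlist: domains each brand legitimately sends from. Adjust locally.
BRAND_DOMAINS = {
    "apple": {"apple.com", "email.apple.com"},
    "google": {"google.com", "accounts.google.com"},
}


def domain_of(addr):
    """Lowercase domain part of an address like '"Name" <user@host>' ('' if none)."""
    _name, mailbox = parseaddr(addr or "")
    return mailbox.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header value."""
    verdicts = {}
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id (the MTA itself)
        clause = clause.strip()
        for method in ("spf", "dkim", "dmarc"):
            if clause.startswith(method + "="):
                verdicts[method] = clause[len(method) + 1:].split()[0].lower()
    return verdicts


def triage_headers(raw_bytes):
    """Return a list of findings about the sender-related headers of one message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    display_name, from_mailbox = parseaddr(msg.get("From", ""))
    from_domain = from_mailbox.rpartition("@")[2].lower()

    # 1. Display name drops a brand that the From domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_domain not in domains:
            findings.append(f"display name claims {brand!r} but From domain is {from_domain!r}")

    # 2. Replies or bounces routed to a different domain than the visible sender.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(header, ""))
        if other and other != from_domain:
            findings.append(f"{header} domain {other!r} differs from From domain {from_domain!r}")

    # 3. spf=pass only vouches for the envelope (smtp.mailfrom) domain; DMARC is
    #    the verdict that ties the visible From domain to an aligned SPF/DKIM pass.
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    if auth.get("dmarc") != "pass":
        findings.append(f"DMARC is {auth.get('dmarc', 'missing')!r} for From domain {from_domain!r}")
    if auth.get("dkim") != "pass":
        findings.append(f"no passing DKIM signature (dkim={auth.get('dkim', 'missing')!r})")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed From", SAMPLE_SPOOFED_FROM), ("lookalike domain", SAMPLE_LOOKALIKE)):
        print(label)
        for finding in triage_headers(raw):
            print("  -", finding)
```

The second sample is the important one: the attacker registered the domain, so SPF, DKIM and DMARC all pass and a filter that relies on them sees nothing wrong. Only the mismatch between the brand in the display name and the real domain, the check a user makes by reading the full address, flags it.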
5. Suspicious Attachments
Most work-related file sharing now takes place via collaboration tools such as SharePoint, OneDrive or Dropbox. Unexpected
email attachments, even from internal addresses, should therefore be treated with suspicion, especially if they have an
unfamiliar extension, one commonly associated with malware (.zip, .exe, .scr, .js, .iso, etc.), or a double extension such as
invoice.pdf.exe that disguises the real file type.
6. Emails Requesting Login Credentials, Payment Information or Sensitive Data
Emails originating from an unexpected or unfamiliar sender that requests login credentials, payment information or other
sensitive data should always be treated with caution. Spear phishers can forge login pages to look similar to the real thing and
send an email containing a link that directs the recipient to the fake page. Whenever a recipient is redirected to a login page or
told a payment is due, they should refrain from inputting information unless they are 100% certain the email is legitimate.
7. Too Good to Be True Emails
Too good to be true emails are those which incentivize the recipient to click on a link or open an attachment by claiming there
will be a reward of some nature. If the sender of the email is unfamiliar or the recipient did not initiate the contact, the
likelihood is this is a phishing email.
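The attachment checks in item 5 above (and in item 4 of the first list) can also be made mechanical. This is an added example, not code from the page: it builds a constructed message with Python’s email library, then inspects each attachment for risky extensions, double extensions, a mismatch between the declared extension and the file’s leading bytes, and scripts or executables hidden inside a zip archive. The extension list and magic-byte table are assumptions kept deliberately small, and the attachments contain placeholder bytes, not real malware.

```python
import io
import zipfile
from email.message import EmailMessage

# Assumed, deliberately short list of extensions commonly used to deliver malware.
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "lnk", "iso", "bat", "cmd", "ps1"}

# Leading bytes a file with the given extension is expected to start with (assumed table).
MAGIC = {
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",
    "docx": b"PK\x03\x04",
    "exe": b"MZ",
    "png": b"\x89PNG",
}


def inspect_attachment(filename, data):
    """Return findings for one attachment given its declared name and raw bytes."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    if ext in RISKY_EXTENSIONS:
        findings.append(f"{filename}: extension .{ext} is commonly used to deliver malware")

    # Double extension such as invoice.pdf.exe: the type a user sees is not the real one.
    if len(parts) > 2 and parts[-2] in MAGIC and parts[-2] != ext:
        findings.append(f"{filename}: double extension disguises a .{ext} file as .{parts[-2]}")

    # Declared extension versus the bytes actually present.
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        findings.append(f"{filename}: content does not start with the {ext} signature")
    if data.startswith(b"MZ") and ext != "exe":
        findings.append(f"{filename}: content is a Windows executable (MZ header) despite the .{ext} name")

    # Look inside archives: a zip wrapping a script or executable is a common lure.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for inner in archive.namelist():
                    inner_ext = inner.lower().rpartition(".")[2]
                    if inner_ext in RISKY_EXTENSIONS:
                        findings.append(f"{filename}: archive contains {inner} (.{inner_ext})")
        except zipfile.BadZipFile:
            findings.append(f"{filename}: looks like a zip archive but cannot be read as one")
    return findings


def triage_attachments(msg):
    """Run inspect_attachment over every attachment part of an EmailMessage."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings.extend(inspect_attachment(name, part.get_payload(decode=True) or b""))
    return findings


def build_sample_message():
    """Constructed message with three suspicious attachments (placeholder bytes, not malware)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    fake_pe = b"MZ\x90\x00" + b"placeholder, not a real executable"
    # 1. Named .pdf, but the bytes carry a PE (MZ) header.
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf", filename="invoice.pdf")
    # 2. Double extension: reads as a PDF at a glance, is really a screensaver executable.
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream", filename="invoice.pdf.scr")
    # 3. A zip that wraps a .js file, the kind of loader script used to fetch malware.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("statement.js", "// placeholder, not a real script\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="statement.zip")
    return msg


if __name__ == "__main__":
    for finding in triage_attachments(build_sample_message()):
        print("-", finding)
```

The magic-byte comparison is what catches the first attachment: its name and its MIME type both say PDF, and only the content says otherwise. In a mail gateway this is the same idea as file-type detection by content rather than by name.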
Tips to Prevent Phishing Attacks
Here are 10 simple tips for identifying and preventing phishing scams.
1. Know what a phishing scam looks like
New phishing attack methods are being developed all the time, but they share commonalities that can be identified if you know
what to look for. There are many sites online that will keep you informed of the latest phishing attacks and their key identifiers.
The earlier you find out about the latest attack methods and share them with your users through regular security awareness
training, the more likely you are to avoid a potential attack.
2. Don’t click on that link
It’s generally not advisable to click on a link in an email or instant message, even if you know the sender. The bare minimum
you should be doing is hovering over the link to see if the destination is the correct one. Some phishing attacks are fairly
sophisticated, and the destination site can be a carbon copy of the genuine one, set up to capture whatever you type, including
login and credit card details. If you can reach the site directly by typing an address you already know or using a bookmark,
rather than clicking the link, you should do so; search results are a weaker option, because sponsored results can also point
to lookalike sites.
3. Get free anti-phishing add-ons
Most browsers nowadays will enable you to download add-ons that spot the signs of a malicious website or alert you about
known phishing sites. They are usually completely free so there’s no reason not to have this installed on every device in your
organization.
4. Don’t give your information to an unsecured site
If the URL of the website doesn’t start with “https”, or you cannot see a closed padlock icon next to the URL, do not enter any
sensitive information or download files from that site. The reverse does not hold: the padlock only means the connection to the
domain shown in the address bar is encrypted, and phishing sites routinely obtain valid certificates, so check that the domain
itself is the one you expect before trusting the page.
5. Use unique passwords and change them when you suspect compromise
Use a different password for every online account, ideally generated and stored by a password manager, so that one phished
password does not open your other accounts. Change a password immediately if you suspect it has been phished, because your
accounts may have been compromised without you knowing. Rotating passwords on a fixed schedule is less useful than it sounds:
it does not stop an attacker who uses a phished password straight away, and current guidance (for example NIST SP 800-63B)
advises against forced periodic changes. Turning on multi-factor authentication, preferably a phishing-resistant method such as
a hardware security key or passkey, limits the damage a stolen password can do.
6. Don’t ignore those updates
Receiving numerous update messages can be frustrating, and it can be tempting to put them off or ignore them
altogether. Don’t do this. Security patches and updates are released for a reason, most commonly to keep up to
date with modern cyber-attack methods by patching holes in security. If you don’t update your browser, you
could be at risk of phishing attacks through known vulnerabilities that could have been easily avoided.
7. Install firewalls
Firewalls are an effective way to prevent external attacks, acting as a shield between your computer and an attacker. Both
desktop firewalls and network firewalls, when used together, can bolster your security and reduce the chances of
a hacker infiltrating your environment.
8. Don’t be tempted by those pop-ups
Pop-ups aren’t just irritating; they are often linked to malware as part of attempted phishing attacks. Most browsers now
allow you to download and install free ad-blocker software that will automatically block most of the malicious
pop-ups. If one does manage to evade the ad-blocker, don’t be tempted to click! Occasionally pop-ups
will try to deceive you about where the “Close” button is, so look for an “x” in one of the corners, or close the
whole tab instead.
9. Don’t give out important information unless you must
As a general rule of thumb, unless you 100% trust the site you are on, you should not willingly give out your
card information. Make sure, if you have to provide your information, that you verify the website is genuine, that
the company is real and that the site itself is secure.
10. Have a Data Security Platform to spot signs of an attack
If you are unfortunate enough to be the victim of a successful phishing attack, then it’s important you are able to
detect and react in a timely manner. Having a data security platform in place helps take some of the pressure off
the IT/Security team by automatically alerting on anomalous user behavior and unwanted changes to files. If an
attacker has access to your sensitive information, data security platforms can help to identify the affected account
so that you can take action to prevent further damage.
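Tips 2 and 4 above, together with the link checks in the two earlier lists (hovering over a link, reading the domain, https and the padlock), come down to a few comparisons that can be run over the HTML of a message. The block below is an added example, not code from the page: it collects every anchor in a constructed HTML body with Python’s html.parser and flags visible link text that names a different host than the href, a trusted domain that appears only as a subdomain of someone else’s domain, lookalike spellings, URL shorteners, and https links that do not go to an expected domain (to make the point that the padlock does not vouch for the domain). The allowlist, shortener list, confusable map and the registrable-domain helper, which ignores multi-label public suffixes such as co.uk, are simplifications for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body (not a real message) with four kinds of link.
SAMPLE_HTML = """
<p>Your account is limited. Restore access at
<a href="https://examplebank.com.secure-login.example.net/signin">https://examplebank.com/signin</a></p>
<p>Or <a href="https://login.exarnplebank.com/">log in here</a>.</p>
<p>Questions? <a href="https://help.examplebank.com/contact">help.examplebank.com</a></p>
<p><a href="https://short.example/3x">View your statement</a></p>
"""

# Assumed allowlist of domains this sender legitimately links to.
EXPECTED_DOMAINS = {"examplebank.com"}

# Assumed list of URL shorteners (short.example is a constructed placeholder).
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "short.example"}

# Small assumed map of substitutions attackers use to imitate letters; real
# detectors use the Unicode confusables table.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_domain(host):
    """Last two labels of a host. Simplification: ignores multi-label suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(host):
    """Undo common substitutions so exarnplebank.com compares equal to examplebank.com."""
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return findings for one link: the checks a careful hover would make, automated."""
    findings = []
    url = urlparse(href)
    host = url.hostname or ""
    reg = registrable_domain(host)

    # 1. Visible text that reads like an address but points at another site.
    text_host = urlparse(text if "://" in text else "//" + text).hostname or ""
    if "." in text_host and registrable_domain(text_host) != reg:
        findings.append(f"text shows {text_host} but href goes to {host}")

    # 2. A trusted name used only as a subdomain of someone else's domain, or a lookalike spelling.
    for trusted in EXPECTED_DOMAINS:
        if trusted in host and reg != trusted:
            findings.append(f"{host}: '{trusted}' appears only as a subdomain of {reg}")
        elif reg != trusted and normalise(reg) == trusted:
            findings.append(f"{host}: lookalike of {trusted} using substituted characters")

    # 3. Shorteners hide the destination from a hover check.
    if reg in KNOWN_SHORTENERS:
        findings.append(f"{host}: URL shortener, real destination not visible")

    # 4. https only encrypts the connection; it does not vouch for the domain.
    if url.scheme == "https" and reg not in EXPECTED_DOMAINS:
        findings.append(f"{host}: has https and a padlock but is not an expected domain")
    return findings


def analyse_html(html):
    """Return [(href, findings)] for every link in an HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, check_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, findings in analyse_html(SAMPLE_HTML):
        print(href, "->", findings or "no findings")
```

Every link in the sample uses https, and only the third one is safe; that is the practical meaning of tip 4 above. The first link also shows why reading the whole domain matters: examplebank.com is present in the address, but only as a label in front of the domain the attacker actually controls.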
