Does something smell phishy? (Excuse the pun). Is there something about that email that just doesn’t look right? Is the email address or company domain (@companyname) spelt incorrectly? Is the email asking you to do something unusual urgently? Is the email full of spelling and grammar mistakes? If so, the chances are it’s a phishing email.
In simple terms, phishing is a type of online scam where criminals impersonate legitimate organisations via email, text message, advertisement or other means to steal sensitive information. This is usually done by including a link that will appear to take you to a legitimate website to fill in your information – but the website is a clever fake and the information you provide goes straight to the crooks behind the scam.
The term “phishing” is a spin on the word fishing because criminals are dangling a fake “lure” (the legitimate-looking email, website or ad) hoping users will “bite” by providing the information the criminals have requested – such as credit card numbers, account numbers, passwords, usernames or other valuable information.
91% of cyber-attacks begin with a phishing email. Recently, the HSE fell victim to the biggest attack in the state’s history: a so-called Conti “double extortion” ransomware attack, a kind of attack that is commonly started by a phishing email.
5 tips on how to identify a phishing email:
1. The message is sent from a public email domain or a made-up variation of a popular domain. For example, from Gmail or Yahoomail domains. Look at the email address, not just the sender’s name.
2. The sender or domain name is misspelt. For example, the real email address is email@example.com but the email came from firstname.lastname@example.org. Did you spot the double “v” instead of “w” in the email address?
3. The email is poorly written – hackers may be skilled cybercriminals but they are not aspiring Hemingways. You can often tell if an email is a scam if it contains poor spelling and grammar. Most of these cybercriminals are located outside of Ireland and are non-native English speakers. They may also purposely spell words incorrectly to get through email filters. Some things to check for:
- Is it a common sign of a typo (like hitting an adjacent key) or something more deliberate?
- Is it a mistake a native speaker should not make (grammatical incoherence, words used in the wrong context)?
- Is this email a template, which could have been crafted and copy-edited?
- Is it consistent with previous messages I have received from this person?
4. It includes suspicious attachments or links – Phishing emails come in many forms. We have focused on emails in this article, but you might also get scam text messages, phone calls or social media posts. But no matter how phishing attempts are delivered, they all contain a payload. This will be either an infected attachment that you are asked to download or a link to a bogus website. The purpose of these payloads is to capture sensitive information, such as login credentials, credit card details, phone numbers and account numbers.
5. The message creates a sense of urgency. Scammers know that most of us procrastinate. We receive an email giving us important news, and we decide we will deal with it later. But the longer you think about something, the more likely you are to notice things that don’t seem right. Maybe you realise that the organisation does not contact you by that email address, or you speak to a colleague and learn that they did not send you a document. That is why so many scams request that you act now or else it will be too late. This has been evident in every example we have used so far.
Prevent phishing by educating your team
To combat the threat of phishing, Radius provides our clients with regular phishing simulation and security awareness training. It is only by reinforcing advice on avoiding scams that your team can develop good habits and detect malicious messages as second nature. With our Phishing Awareness Training Programme, these lessons are straightforward. The monthly subscription plan gives your team the tools to help defend your business against a cyber-attack.