Top 5 Tips for Spotting a Phishing Email
Phishing is the most common method of cyber-attack. 93% of all data breaches start with an email attack, but more shockingly, 97% of all employees can’t reliably identify phishing emails.
Cyber-attacks are on the rise, especially since the shift to remote working.
Here we break down 5 ways to help you spot a phishing email.
1. Suspicious Attachments & Links
Phishing emails come in many forms (some more creative than others!) but the one thing they all have in common is that they carry a payload. A payload is simply the thing the scammer wants you to click and/or download. Payloads are usually malicious attachments or links to fake websites dressed up as login pages, where any details you enter are collected by the attacker.
Attachments are especially nasty, as they usually carry malware. They can be very hard to spot: on many occasions attackers have succeeded by disguising infected PDFs as invoices and payment notifications.
Top tip: Never download or open any attachment you are unsure of
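The "link to a fake website" payload above usually relies on the visible link text naming one site while the underlying href goes somewhere else. The following is an added example, not code from the original article: it parses an HTML email body with the Python standard library and reports every link whose visible text names a host that differs from the host the href actually points to. The sample body and the `account-verify.example` domain are constructed for the example and are not a real phishing email.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def normalise_host(value):
    """Lowercase host of a URL or bare domain, with any leading 'www.' removed."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_domain(text):
    """True if the anchor's visible text reads like a URL or domain rather than a phrase."""
    return "." in text and " " not in text and not text.startswith("mailto:")


def mismatched_links(html_body):
    """Return the links whose visible text names one host but whose href goes to another."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if not looks_like_domain(text):
            continue  # "Click here" style text: nothing to compare against
        shown = normalise_host(text)
        real = normalise_host(href)
        if not shown or not real:
            continue
        # A real host that is a subdomain of the shown one is fine (support.paypal.com for paypal.com);
        # anything else, including the shown host used as a *prefix* of a longer name, is flagged.
        if real != shown and not real.endswith("." + shown):
            findings.append({"text": text, "href": href, "shown_host": shown, "real_host": real})
    return findings


# Constructed sample body for this example; not a real phishing email.
SAMPLE_BODY = """
<p>Your account has been limited. Restore access at
<a href="https://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a>
or read our <a href="https://www.paypal.com/help">www.paypal.com/help</a> page.
Questions? <a href="https://support.paypal.com/contact">paypal.com/contact</a></p>
"""

if __name__ == "__main__":
    for f in mismatched_links(SAMPLE_BODY):
        print(f"visible {f['shown_host']!r} but href goes to {f['real_host']!r}: {f['href']}")
```

Only the first link in the sample is reported: its text says paypal.com but the href's host is `paypal.com.account-verify.example`, a classic trick where the trusted name is placed at the start of a longer, unrelated domain. The other two resolve to paypal.com itself or a subdomain of it and pass.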
2. Poor Spelling and Grammar
Poor spelling and grammar are usually dead giveaways for a scam email.
There is a theory that cyber criminals include these errors intentionally to filter for more gullible targets. The thinking is that if a target cannot pick up on spelling and grammar mistakes, they are less likely to pick up on clues during the scammer's grand finale. But again, this is just a theory.
So why are we telling you to look out for spelling and grammar errors? Believe it or not, the simpler answer is that many scammers aren't very good at writing English.
Many cyber-attacks in the UK originate from non-English-speaking countries, where the criminals have had limited opportunity to learn the language.
Top tip: Look for grammatical mistakes, not just spelling mistakes!
When creating phishing emails, attackers often use a spellchecker or machine translation, which gives them all the right words but not necessarily in the right order or context.
3. The Sent Address is from a Public Domain
Very few legitimate businesses will contact you from a ‘@gmail.com’ address, or any other public webmail domain for that matter (sole traders being the occasional exception).
Every organisation of any size has its own email domain; for example, legitimate emails from Amazon's UK business are sent from an address ending in “@amazon.co.uk”.
If the sender's domain matches the organisation's real domain, the email is usually legitimate, but a domain that merely looks similar is not the same thing (see tip 4).
The best way to check that a domain is genuine is to search for the company yourself, rather than following anything in the email, and compare the web domain from the search results with the sender's address.
This may make spotting phishing emails sound all too easy, but scammers have plenty of other tricks up their sleeves…
Top tip: Look at the email address, not just the sender name
Always check the full ‘from’ address and not just the display name, especially on a mobile, where mail apps often show only the name. The display name can be set to anything, so the address is what gives away a fraudulent domain hiding behind a trustworthy business name.
4. Misspelled Domain Name
Another clue can be hidden in the sender's domain name, but unfortunately this one can be very hard to spot…
Anyone can buy a domain name. Although every domain name has to be unique, attackers have come up with clever ways of working trusted organisations' names into the domains they use for their scams. For example, an email from noreply@paypaluk.com would be indistinguishable from the legitimate PayPal domain to most people, even though it is not a PayPal domain.
This may look blatant while you are reading it here, but to someone casually browsing their inbox this trick works more often than not.
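Tips 3 and 4 both come down to one check: take the full sender address, not the display name, and compare its domain against what the claimed organisation really uses. The following is an added example, not code from the original article, showing that check in Python. The brand allowlist, the list of public webmail domains and the sample From: headers are all constructed for the example; in practice the allowlist would be your own, built from domains you have verified independently of any email.

```python
from email.utils import parseaddr

# Constructed for this example: brand token -> domains that brand is assumed to send from.
KNOWN_BRANDS = {
    "paypal": {"paypal.com", "paypal.co.uk"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}

# Public webmail domains a business would not normally write from (tip 3).
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}


def registrable(domain):
    """Lowercase the domain and drop a leading 'www.'; good enough for this example."""
    d = domain.lower().strip()
    return d[4:] if d.startswith("www.") else d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes (paypa1 vs paypal)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Return the reasons a From: header looks suspicious; an empty list means nothing found."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parsable address"]
    domain = registrable(addr.rsplit("@", 1)[1])
    findings = []

    # Tip 3: a public webmail domain behind a business-looking display name.
    if domain in PUBLIC_DOMAINS:
        findings.append(f"public webmail domain {domain}")

    # Tip 3 and 4: which brand does the sender claim to be? The claim can sit in the
    # display name ("PayPal UK") or in the local part (amazon.billing@...).
    claimed = {b for b in KNOWN_BRANDS if b in name.lower() or b in addr.lower()}
    for brand in sorted(claimed):
        good = KNOWN_BRANDS[brand]
        if domain in good:
            continue
        if brand in domain:
            # e.g. paypaluk.com: the brand name is embedded in a domain the brand does not own.
            findings.append(f"{domain} contains '{brand}' but is not a {brand} domain")
        else:
            findings.append(f"claims to be {brand} but sends from {domain}")

    # Tip 4: near-miss spellings of a known domain, e.g. paypa1.com or amazom.co.uk.
    for brand, good in KNOWN_BRANDS.items():
        for g in sorted(good):
            if domain != g and edit_distance(domain, g) <= 1:
                findings.append(f"{domain} is one character away from {g}")
    return findings


# Constructed sample headers for this example.
SAMPLE_HEADERS = [
    "PayPal <service@paypal.com>",
    "PayPal UK <noreply@paypaluk.com>",
    "Amazon Customer Service <amazon.billing@gmail.com>",
    "PayPal <service@paypa1.com>",
    "Jane Smith <jane@example.co.uk>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", check_sender(header) or "no findings")
```

The genuine paypal.com address and the unrelated sole-trader address produce no findings; paypaluk.com is caught because the brand name is embedded in a domain that is not on the allowlist, the Gmail sender is caught twice (public domain, and claiming to be Amazon from elsewhere), and paypa1.com is caught both as a false claim and as a one-character lookalike. Note that this inspects only what the sender chose to put in the header; it is a triage aid, not proof of legitimacy.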
5. A Sense of Urgency
Cyber-criminals know people procrastinate. Even when we receive a high-priority email, most of us will decide to deal with it later. This works against the attacker, because the longer we have to think about something, the more likely we are to notice when it doesn't seem right.
Looking at a suspicious email again later with a fresh set of eyes, or asking a colleague to take a quick look, can make all the difference in spotting a scam.
For this reason, attackers create a sense of urgency in many of their phishing efforts, for example by mentioning payment deadlines or saying the recipient will receive a call within the hour.
This technique is very effective in workplace scams. Scammers know that most employees will drop everything if the big boss sends an important email that must be actioned immediately! These scams are extra dangerous because even if the employee suspects something is wrong, they may be too nervous to challenge their boss. We agree it is an awkward conversation to have, telling them you thought their email looked like a scam… but a quick call or message to confirm is far less awkward than explaining a fraudulent payment.