How to spot the signs of a phishing scam
Posted 11 Nov 2019
Have you ever received an email from a Nigerian prince offering to send you money? Or received a message from PayPal asking you to verify your account? If so, you’ll undoubtedly be aware of the dangers of phishing. But whilst some phishing emails are glaringly obvious, some tricksters are now using increasingly deceptive techniques to ensure that their emails look legitimate.
Phishing is about using fake emails to gain access to login credentials or personal data.
In a business capacity, inadvertently allowing a hacker access to this information could be disastrous. Phishing scams have become so commonplace that a recent report from cyber security firm CybSafe reported that 43% of small businesses in the UK have been targeted by phishing scams in the past year. Of those who were targeted, a staggering 66% fell victim to the scam, showing that both IT and HR departments have much work to do when it comes to educating employees about how to spot the signs of danger.
At Lucid Systems, we spend considerable time educating our clients about the dangers of phishing. As experts in business IT support services, we know that prevention is always better than cure, so it’s important that we help our clients to know how to differentiate between legitimate and phishing emails.
In our latest blog post, we explore a few practical ways that you can spot the signs of a phishing scam.
Is the email sent from a public email domain?
The first thing you should always do is check the senders' email address. Legitimate emails will always come from a business name domain (such as lucidsystems.co.uk). With the exception of independent contractors, you will almost never receive emails from a gmail.com or outlook.com account.
If you have doubts about the legitimacy of an email, make sure you click on the sender’s name to reveal the email address.
You should also check if the email domain is spelt correctly.
Many tricksters use similar-sounding URLs to gain confidence, but if you look closely, you may be able to see some clear signs that the email is a phishing scam. For instance, if you received an email from lucidsystens.co.uk you may think that it was from Lucid Systems, but a second glance would show that it’s been spelt wrong, and therefore unlikely to be genuine.
If you’re still unsure about the organisation’s domain name, we would always recommend typing the domain into a search engine or contacting the organisation directly to ask if it is genuine. It's always wise to err on the side of caution if you are unsure about the legitimacy of an email.
Are there links to dangerous links or unknown attachments?
Phishing emails work by asking the respondent to open an infected attachment or by asking them to click on a suspicious link.
In today’s society, we’re regularly bombarded with links that seemingly make our professional lives easier. With the implementation of apps, QR codes, and email marketing, it’s easy to see how employees would take it for granted that links would be safe. But the reality is that 90% of all cyber security data breaches are caused by human error. This is because many employees are simply not paying enough attention to internal IT and security policies and are clicking suspicious links which can lead to catastrophic breaches.
According to our Ipswich neighbours, Willis Towers Watson, when it comes to cyber security, businesses should allocate their budgets in three ways; into technology, processes, and people.
“In 2019, companies will allocate 39% of their cyber security budget to technology, 31% to process, and 30% to people.”
The insurance giant believes that general untrained staff are the “biggest threat to cyber security” and more work should be done by companies to ensure that all employees at every level of seniority should be adhering to stringent IT policies.
This is something that we agree with, and we work closely with our clients to establish strong and secure policies that are designed to protect businesses against the growing threats of cyber-crime.
As standard, at Lucid Systems, we would always recommend NEVER opening any attachment which you’re unsure of. When we work with our clients, we implement pop up software which provides warnings about a file’s legitimacy, but it is still concerning how many employees may still override these and proceed.
When it comes to suspicious links, email marketing has made it harder to immediately detect if the link is going to where you expect it to be. It’s incredibly easy to simply click a button but we should all train ourselves to be more observant about email marketing links if we wish to remain safe online.
A top tip is to hover your mouse over the button and see if a destination address appears in a small bar at the bottom of your browser. Similarly, if you’re using your mobile phone to access your emails, you can simply press and hold the button and a pop up will appear with the link to confirm it’s legitimacy.
Automated phishing scams may be full of grammatical errors
Automated phishing emails use technology to send out thousands of messages simultaneously. They don't rely upon the sender replying to activate the scam; they are focused upon sending suspicious links or attachments. When it comes to automated scams, you may spot more grammatical errors than usual. This is because the scammers may originate from other countries where English isn’t their first language, so may be using online translation tools to convert the message into different languages. The danger of using automated translation tools is that whilst it may provide the right message, it’s not always the right context.
Of course, we are realistic, and we know that typos and spelling mistakes can happen – particularly if you’re quickly writing a business email from your phone. But if you do receive an email that is full of errors, you should always ask yourself if it is consistent with any previous communication that you may have had from that organisation. Does the email include logos? How are you addressed at the start of the email? For instance, PayPal will only ever use both first name and surname in any email communications. If your contact usually refers to you in a certain way, is this the same in this email?
If you are in any doubt as to the legitimacy of the email, then you should always try and contact the organisation using a different method of communication – perhaps phone, WhatsApp, or live chat. If you suspect it’s a phishing scam, it’s ALWAYS better to be safe than sorry.
At Lucid Systems, we work closely with businesses throughout Suffolk, Essex and Greater London to help them implement stringent IT policies. As part of our regular work with clients, we can provide education and support for your employees around the prevention of phishing scams.
To find out how we can support your business IT needs, please get in touch.
by Amy Dawson