Can You Recognize an Email Phishing Scam?

Can you recognize a phishing email scam? Businesses across all industries are vulnerable to phishing campaigns. Companies that handle an incredible amount of sensitive information, from medical and financial data to merger and acquisition (M&A) data, are at the highest risk.

Firms have to tackle phishing campaigns to avoid the devastating consequences successful attacks can cause. These include a damaged reputation, lost client trust, and regulatory penalties—not to mention the potential loss of millions of dollars.

Hackers do their homework by gathering publicly available information about a company, its employees, and counter parties. LinkedIn, Out of Office messages, and even a firm’s own website make it easy.

By the time most companies realize they’d been successfully attacked, it is too late.

What is phishing?

Phishing is an effort to collect private and sensitive information from you: financial information, social security or login credentials to sites containing that kind of information.

Phishing campaigns are carried out by email spoofing; an email that looks legitimate and directs the recipient to enter personal information at a fake website. Once a link is clicked, malware and spyware are distributed through the links or attachments meant to steal information and perform other malicious tasks.

Specifically, spear phishing is a personalized phishing attack that targets a specific organization or individual.  Law firms are prime targets for spear phishing attacks.

There are 2 types of spear phishing

Business Email Compromise, is also known as CEO fraud, whaling and wire transfer fraud.  In these attacks, criminals impersonate an employee, usually an executive or manager and fellow employees are the targeted.  Employees are asked to wire money, send sensitive data about clients, customers, employees, vendors or partners and thus launch malware and spyware.

Impersonation:  These attacks impersonate a trusted, well-known entity such as Office 365, Gmail, or DocuSign.  It could also impersonate an individual such as a colleague or business partner. These attacks attempt to get the recipient to provide login credentials or click on malicious links.  A common example is claiming an account has been frozen and a password needs to be reset.  If the recipient clicks, the crooks will obtain access to accounts where they can then steal data or launch more targeted attacks against your company.

According to the 2021 Verizon Data Breach Investigation Report, phishing was present in 36% of breaches. Other reports show that over 90% of cyber-attacks begin with a phishing email and more than 97% of users cannot recognize a sophisticated phishing email. These stats alone make it clear why your firm must have cybersecurity training.  Make sure your staff can recognize an email phishing scam.

Why are phishing attacks hard to detect?

Traditional email security relies on reputation analysis, block lists, and signature-matching of malicious attachments and URLs. Spear phishing attacks are carefully designed to pass these checks and go undetected.   Oftentimes, emails start with trivial subjects such as ‘How was your weekend?’ or ‘Do you have five minutes?’ in order to test a firm’s security. These introductory emails have no URL, attachment, or payload included and they sail through a firm’s legacy defenses and SEGs, and don’t immediately appear suspicious to the target.

The reason for this technique? It allows them to identify weak spots and deliver the real attack email a few weeks later. Alternatively, if criminals find that they don’t get a bite from the initial bait email, they will likely move on.

So, how do you protect your firm?  Education!  Experts recommend users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization.

We break down 5 tactics employed by hacker and offer tips on how to recognize an email phishing scam to protect your firm.

  1. Go to the Source

If you receive an email that looks to be legitimate, but you just want to be sure, you can check the email address of the sender. By looking at the email address to see what the domain of the sender is, you can easily determine if it is a legit email or if it is someone trying to pretend to be someone else. The giveaway is in the “@domainName.com” portion of the email address. Scammers will try and make the email address as authentic as possible so you should always double-check and verify the email address to make sure the sender is authentic.

  1. Look for Bad Spelling

Review the email closely.  The spelling and grammar in an email is a good indicator if the email is legit or if it is a fake. Sometimes the emails are very convincing but little things like a comma where a period would normally be or the way currency are typed (i.e. 3,00 instead of $3.00) is another clear indicator that the email is probably not authentic.

  1. Stay Calm and Don’t Give Away Personal Information

Emails that ask you to send sensitive Personally Identifiable Information (PII) are a red flag. Companies, financial institutions, etc. will never ask for this information via email.  You should also look for other not-so-obvious signs that would signify that the email isn’t authentic. These signs include things like random graphics or greetings that say “Dear Customer” instead of your name.

  1. Delete, Don’t Open or Forward

Sometimes, the email has a virus embedded in it and just opening the email will activate the virus without you even knowing. Don’t open the email, simply delete it. You should then notify your IT department and manager immediately that you have received a phishing email but DO NOT forward them the actual email. This will prevent the possible spread of the virus to other computers and users. Your organizations’ IT department will then take the necessary precautions and steps to limit the threat and make a note to prevent it from getting through your security in the future.

  1. Train and Test Your Employees

User security awareness training helps every employee recognize, avoid, and report potential threats that can compromise critical data and systems. As part of the training, mock phishing and other attack simulations are typically used to test and reinforce good behavior.  EMCO Technology can provide this kind of testing and training to your team.   Using specific applications, we can deploy several types of email tests to your team to identify those who are vulnerable to Phishing attacks.   The results will not only show you the vulnerabilities, but we will then show your employees how and why the succumb to an attack.  This simple, easy to understand training will educate the employee to prevent them being a future victim.

If you follow these tips and strategies, you will be sure to help to prevent any spread of scams and viruses across your firm.

Do you think you are prepared?  Take this FCC Quiz to see  https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/quiz/phishing

If you fail the quiz, book a no obligation call with us and let’s discuss how to better protect your firm.