Can You Recognize an Email Phishing Scam?

Can you recognize a phishing email scam? Businesses across all industries are vulnerable to phishing campaigns. Companies that handle an incredible amount of sensitive information, from medical and financial data to merger and acquisition (M&A) data, are at the highest risk.

Firms have to tackle phishing campaigns to avoid the devastating consequences successful attacks can cause. These include a damaged reputation, lost client trust, and regulatory penalties—not to mention the potential loss of millions of dollars.

Hackers do their homework by gathering publicly available information about a company, its employees, and counter parties. LinkedIn, Out of Office messages, and even a firm’s own website make it easy.

By the time most companies realize they’d been successfully attacked, it is too late.

What is phishing?

Phishing is an effort to collect private and sensitive information from you: financial information, social security or login credentials to sites containing that kind of information.

Phishing campaigns are carried out by email spoofing; an email that looks legitimate and directs the recipient to enter personal information at a fake website. Once a link is clicked, malware and spyware are distributed through the links or attachments meant to steal information and perform other malicious tasks.

Specifically, spear phishing is a personalized phishing attack that targets a specific organization or individual.  Law firms are prime targets for spear phishing attacks.

There are 2 types of spear phishing

Business Email Compromise, is also known as CEO fraud, whaling and wire transfer fraud.  In these attacks, criminals impersonate an employee, usually an executive or manager and fellow employees are the targeted.  Employees are asked to wire money, send sensitive data about clients, customers, employees, vendors or partners and thus launch malware and spyware.

Impersonation:  These attacks impersonate a trusted, well-known entity such as Office 365, Gmail, or DocuSign.  It could also impersonate an individual such as a colleague or business partner. These attacks attempt to get the recipient to provide login credentials or click on malicious links.  A common example is claiming an account has been frozen and a password needs to be reset.  If the recipient clicks, the crooks will obtain access to accounts where they can then steal data or launch more targeted attacks against your company.

According to the 2021 Verizon Data Breach Investigation Report, phishing was present in 36% of breaches. Other reports show that over 90% of cyber-attacks begin with a phishing email and more than 97% of users cannot recognize a sophisticated phishing email. These stats alone make it clear why your firm must have cybersecurity training.  Make sure your staff can recognize an email phishing scam.

Why are phishing attacks hard to detect?

Traditional email security relies on reputation analysis, block lists, and signature-matching of malicious attachments and URLs. Spear phishing attacks are carefully designed to pass these checks and go undetected.   Oftentimes, emails start with trivial subjects such as ‘How was your weekend?’ or ‘Do you have five minutes?’ in order to test a firm’s security. These introductory emails have no URL, attachment, or payload included and they sail through a firm’s legacy defenses and SEGs, and don’t immediately appear suspicious to the target.

The reason for this technique? It allows them to identify weak spots and deliver the real attack email a few weeks later. Alternatively, if criminals find that they don’t get a bite from the initial bait email, they will likely move on.

So, how do you protect your firm?  Education!  Experts recommend users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization.

We break down 5 tactics employed by hacker and offer tips on how to recognize an email phishing scam to protect your firm.

  1. Go to the Source

If you receive an email that looks to be legitimate, but you just want to be sure, you can check the email address of the sender. By looking at the email address to see what the domain of the sender is, you can easily determine if it is a legit email or if it is someone trying to pretend to be someone else. The giveaway is in the “” portion of the email address. Scammers will try and make the email address as authentic as possible so you should always double-check and verify the email address to make sure the sender is authentic.

  1. Look for Bad Spelling

Review the email closely.  The spelling and grammar in an email is a good indicator if the email is legit or if it is a fake. Sometimes the emails are very convincing but little things like a comma where a period would normally be or the way currency are typed (i.e. 3,00 instead of $3.00) is another clear indicator that the email is probably not authentic.

  1. Stay Calm and Don’t Give Away Personal Information

Emails that ask you to send sensitive Personally Identifiable Information (PII) are a red flag. Companies, financial institutions, etc. will never ask for this information via email.  You should also look for other not-so-obvious signs that would signify that the email isn’t authentic. These signs include things like random graphics or greetings that say “Dear Customer” instead of your name.

  1. Delete, Don’t Open or Forward

Sometimes, the email has a virus embedded in it and just opening the email will activate the virus without you even knowing. Don’t open the email, simply delete it. You should then notify your IT department and manager immediately that you have received a phishing email but DO NOT forward them the actual email. This will prevent the possible spread of the virus to other computers and users. Your organizations’ IT department will then take the necessary precautions and steps to limit the threat and make a note to prevent it from getting through your security in the future.

  1. Train and Test Your Employees

User security awareness training helps every employee recognize, avoid, and report potential threats that can compromise critical data and systems. As part of the training, mock phishing and other attack simulations are typically used to test and reinforce good behavior.  EMCO Technology can provide this kind of testing and training to your team.   Using specific applications, we can deploy several types of email tests to your team to identify those who are vulnerable to Phishing attacks.   The results will not only show you the vulnerabilities, but we will then show your employees how and why the succumb to an attack.  This simple, easy to understand training will educate the employee to prevent them being a future victim.

If you follow these tips and strategies, you will be sure to help to prevent any spread of scams and viruses across your firm.

Do you think you are prepared?  Take this FCC Quiz to see

If you fail the quiz, book a no obligation call with us and let’s discuss how to better protect your firm.

Code Phishing – The Growing Scam of the Pandemic

As the world of technology continues to expand, so does the number of threatQR Codes vectors that could possibly compromise the security of an individual and company alike. As the landscape for the threats continues to change, the more important it is for everyone to be more vigilant and aware of the potential dangers that are beginning to pop up more and more. One of the major ways that are being targeted is being utilized more and more by restaurants and other retailers alike. QR codes have now become just one of the latest ways that attackers will try and gain access to devices of unsuspecting customers alike. QR codes have now become just one of the latest ways that attackers will try and gain access to devices of unsuspecting customers.  This is known as code phishing and it’s the growing scam of the pandemic.

QR codes are bar-code like objects that are used for a number of things. They can be used to easily navigate to a specific website for a retailer or to data storage as well. They are not only used in retail, they are also used in video games as well as other activities like geocaching. While these companies and activities can be legitimately using the QR codes, hackers are using the public’s blind trust of seeing them at stores and restaurants to gain access to unsuspecting victim’s devices.

An example of how they do this is particularly at restaurants. Since COVID-19 began and then restaurants began reopening again, many of them utilize QR codes for customers to see the menu. By doing this, it makes it much easier for customers to see the whole menu for the restaurant. However, hackers know this and will create their own QR codes and drop them on tables or on the floor near tables. They are hoping that a customer will scan it with their device and once they do, it will either download data to their device without the user knowing it or it can even navigate them to a fake website that the hacker has set up in the hopes of the customer entering personal information like email addresses or passwords.

Once a hacker has access to the device, they can gather any and all the information that they would like. They can use the information entered by the user to start phishing attacks by email spoofing or even just gaining access to your email to read and exploit using your email address or even gain access to your financial information. There are things that you can do in order to help prevent it from happening to you or your organization. gathered a list of ways to prevent this from happening to you. They recommend “scanning QR codes of trusted sources only, regularly update your device’s security as well as remain vigilant.” Another way to limit your exposure is using a QR code reader. Apps like Kaspersky’s QR code Reader and Scanner offer the ability to scan QR codes with a little more confidence. has rated this app one of the best because “it offers Kaspersky’s safety checks that ensure a QR code doesn’t lead to a dangerous link or malicious content” as well as “keeps a history of all QR scans done within the app.”

Reach out to us if your business needs software, hardware or training to keep your business safe.