By now, we all know that a Nigerian prince isn’t sending personal emails to your inbox offering millions of dollars in exchange for helping him get his royal fortunes out of the country. But studies show most users are overconfident in their ability to detect phishing scams. For example, Russian hackers used emails disguised as Gmail security updates to trick Hillary Clinton’s campaign chairman John Podesta into exposing his thousands of emails during the last presidential election.
Hackers are becoming more cunning and sophisticated as they evolve their tactics to deceive unaware employees and individuals. Tens of millions of phishing scam emails are sent to inboxes every year and, according to GreatHorn’s Spear Phishing Report, the average employee encounters at least one risky email per day.
It only takes one click to let a hacker in. That’s why news of major cyberattacks continues to hit the headlines, and it’s clear organizations need to better equip their employees to detect these scams.
Here are some clues — some are obvious — to look for when determining whether an email is legitimate.
1. Fake password reset requests
As mentioned above, Podesta received an email that looked like a Google security alert but contained a misleading link to a fake login page. The email was first forwarded to the IT department because it was suspected of being fake, but a department employee described it as “legitimate” in a reply.
2. Fake invoices
An email with an attached fake invoice is the No. 1 type of phishing scam, with one in four malware spam campaigns taking this approach, according to Symantec’s Internet Security Threat Report.
3. Unexpected attachments
If you receive an email that contains an attachment you weren’t expecting — even from someone you know — step away from the mouse!
4. Inconsistent URLs
If the link text shown in an email differs from the destination that appears when you hover over it, the link is likely a phishing attempt designed to send you to an attacker-controlled site.
5. Information updates
Emails claiming that you need to update your account are classic attempts to obtain access to personal information and should cause immediate suspicion. They may appear to come from the IRS, a bank or other institution. Most institutions will never request this type of information via email.
6. Misspellings and poor grammar
We all make spelling errors on occasion, but when an email is riddled with obvious grammar mistakes and poor sentence structure, it’s a clue that the email was written either by a computer program or by a foreign hacker who’s not associated with a professional organization and may be making a poor attempt at using Google Translate.
7. Something’s just … off
Is the formatting of the email different from usual, with strange spacing or margins? Is the company logo pixelated, or are the colors off?
If you’ve subscribed to an email list from a reputable company and regularly receive correspondence from it, be wary if those emails suddenly show up in your inbox looking different than they normally do.
8. W-2 form requests
This scam is especially prevalent around tax season. The email may appear to come from a company’s internal HR department or a high-level executive requesting an employee’s W-2 form. Once the form is released, the scammer can file fraudulent tax returns and claim any potential refunds.
9. An email from the CEO
Who wouldn’t comply with the CEO’s request? Wait! Chances are, that request to transfer funds, pay an invoice or release sensitive information on his or her behalf is really coming from a scammer. Hackers are becoming masters at researching a company’s high-level personnel and then impersonating them. This type of scam accounted for more than $5 billion in losses between October 2013 and December 2016, according to the FBI.
10. A tone of desperation
Don’t fall for emails claiming that your “immediate action is required.” If the email claims that your account has been compromised or the account will be closed unless you respond right away, it’s a sure sign something’s up.
There are countless more types of email scams out there. Here’s the bottom line: If an email seems phishy, don’t take the bait. If it appears to come from someone you know, or from an organization you’ve dealt with before, don’t reply. Instead, contact the individual or company some other way to follow up, or manually access your online account by separately entering a known URL into your browser.
Also, don’t forward a suspicious email to ask if it’s legitimate, even to your own IT department. Instead, pick up the phone or send a separate email explaining your concern. Then, delete the email and empty your trash. And if you want to take a proactive approach to securing your networks and systems, reach out to us here at the Gordon Flesch Co. We’ll help you reel in your security concerns.
Chera Pupi is the managed IT sales manager for GFConsulting, a division of the Gordon Flesch Co. She is a veteran managed IT services sales expert who was recently named to The Cannata Report’s 2018 Young Influencer List.