How to spot an email phishing scam

Dec 21, 2021 | Business, Cybersecurity

It takes just a couple of clicks to compromise an entire IT network. That's it. Breaching your security can be that easy. Our advice is to shore up a few easy-to-tackle security best practices. 

You do not have to be a victim. 

Email phishing is a tactic employed by criminals whereby they send an unsolicited email pretending to be someone else and try to trick you into giving up personal information or sensitive company data. If they obtain this information they can use it to steal your identity, access your online accounts or install malware.

According to the FBI, people in the US lost $57 million to phishing scams in 2019. The Canadian Anti-Fraud Centre said that Canadians lost $37 million in the same period. 

“Canadians also lost more than $13 million in investment scams and $11 million by extortion, with criminals using ransomware to demand companies pay up or lose valuable data,” according to CTV News.

Social engineering is what makes phishing emails dangerous. The messages are constructed to appear relevant and genuine, so the recipient trusts them and willingly performs the task requested. The results are often devastating. If the recipient clicks a link to a malware-infected website, opens an attachment with a malicious payload or enters their login credentials on a fake page, an attacker can get into the corporate network and operate undetected. 

For the company that becomes a victim, the damage is first monetary and then reputational, because a breach that exposes personal information usually has to be disclosed. 

An email message in which a CFO or CEO appears to request a financial action, such as a wire transfer or a change to a supplier's banking details, can look very real. Any time, under any circumstances, take the small extra step and verify the request out of band: phone the sender at a number you already have (not one given in the email), walk to their office, or set up a Zoom or Teams meeting, and make sure the request is legitimate before acting on it.  

In a phishing email, cybercriminals will typically ask for your: 

  • Date of birth 
  • Social insurance number 
  • Phone numbers 
  • Credit card details 
  • Home address 
  • Password information (or the details they need to reset your password) 

Examples of requested actions in a phishing email include: 

  • Connecting to a new Wi-Fi hotspot 
  • Enabling macros in a Word document 
  • Updating a password through a link in the message 
  • Responding to a social media connection request 
  • Opening an attachment 

The human link remains the weakest one in the chain of security. Yes, you read that correctly. Hardware, software and your internet connection all matter, but the user continues to be the biggest risk factor. The good news is that users can be taught better habits. 

Being able to recognize a social engineering scam matters because the malware or stolen credentials that follow can lead to identity theft, a takeover of your business network and, in the case of a successful ransomware attack, very real and costly consequences.  

Remember the stakes: once a scammer has that information, they will likely use it to steal your identity, access your online accounts or install malware on your computer. How would you like to be known as the individual responsible for a major breach? Rhetorical question; you do not want that.  

So, what do you need to be on the lookout for? 

Firstly, most phishing messages will appear to be legitimate. The scammers use familiar company names and logos, such as Facebook, UPS, Amazon or PayPal, among many other well-known brands. Or the email will appear to come from a colleague, such as your accountant or your CEO. 

Secondly, always be wary of emails that contain links and attachments, especially from unknown senders. If there is a link, check where it really goes before clicking: hover over it (or long-press on a phone) to reveal the actual destination, and compare the domain it points to with the domain the text claims, the brand name, and the sender. Never click a link or open an attachment from an unknown source, and think twice about opening anything that arrives by email. 
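To make the "hover and check" step concrete, here is a small link checker, added here as an example and not part of the original article or any Smart Dolphins tooling. It pulls every link out of a constructed HTML email body and flags the classic tells: the displayed text names one domain but the href points to another, a brand such as paypal or ups appears only in a subdomain of some unrelated registered domain, the host is a raw IP address, the host is punycode (xn--), or the link is plain http. The sample message, the brand list and the two-label "registered domain" shortcut are all assumptions for the demonstration (real code would use the Public Suffix List).

```python
"""Heuristic checker for links in a suspicious email (constructed example)."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample email body: three phishing-style links and one legitimate one.
SAMPLE_HTML = """
<p>Your PayPal account is limited.
   <a href="http://paypal.com.secure-login.example.net/verify">https://www.paypal.com/signin</a></p>
<p>Track your parcel: <a href="http://192.0.2.10/ups/track">UPS tracking</a></p>
<p>Read the policy: <a href="https://www.canada.ca/en.html">Government of Canada</a></p>
<p>Reset here: <a href="http://xn--pypal-4ve.com/reset">paypal.com</a></p>
"""

# Assumed brand list; in practice maintain the brands your users actually deal with.
TRUSTED_BRANDS = {"paypal", "ups", "amazon", "facebook"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Naive 'last two labels' approximation of the registered domain (assumption;
    a real implementation consults the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(html):
    """Return (href, visible_text) pairs for every anchor in the HTML body."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip())
            for href, text in ANCHOR_RE.findall(html)]


def check_link(href, display_text):
    """Return a list of human-readable reasons this link looks suspicious ([] if none)."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    # 1. A raw IP address instead of a domain name.
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass

    # 2. Punycode labels can hide lookalike characters (e.g. an accented 'a').
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized (punycode) host, possible lookalike domain")

    # 3. The visible text names a domain, but the href goes somewhere else.
    shown = display_text.strip()
    shown_host = None
    if "." in shown and " " not in shown:
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
    if shown_host and registrable_domain(shown_host) != registrable_domain(host):
        reasons.append(f"displayed '{shown_host}' but links to '{host}'")

    # 4. A brand name used as a subdomain of an unrelated registered domain.
    reg = registrable_domain(host)
    for brand in TRUSTED_BRANDS:
        if brand in host.split(".") and brand not in reg.split("."):
            reasons.append(f"brand '{brand}' appears only as a subdomain of '{reg}'")

    # 5. Credential or "verify" pages served over plain http.
    if parsed.scheme == "http":
        reasons.append("unencrypted http link")

    return reasons


def audit(html):
    """Map each href in the message to its list of warnings."""
    return {href: check_link(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, warnings in audit(SAMPLE_HTML).items():
        print(href)
        for w in warnings or ["no obvious issues"]:
            print("   -", w)
```

Run as-is it prints the four links with their warnings; only the canada.ca link comes back clean. The checks are deliberately simple heuristics, the same ones a careful reader applies by eye, and a clean result is not proof a link is safe.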

Thirdly, the email will almost always request sensitive information or an unusual action. Ask yourself: is this type of request normal? Generally, no legitimate organization will ask for sensitive information via email. So, if you are tempted to reply, double-check with a fellow employee, or call the vendor directly at a number you already have on file to verify the request. If the message appears to come from someone within the company, walk down the hall and check with them in person.  

What can you do to prevent a phishing scam? 

Be highly vigilant about any unsolicited email message, especially one that requests personal information, sensitive company data or a payment.  

Another step that you can take is to participate in ongoing security awareness training. For example, Smart Dolphins hosts live, instructor-led webinars over Zoom for clients as well as the broader business community. The instructors are subject matter experts.  

Finally, ensure your IT provider has invested in centralized security tools, such as a firewall, spam filters, anti-virus and patch management, and that these tools are kept up to date. Ask them as well whether multi-factor authentication is enabled on your accounts, so that a password given up to a phishing page is not on its own enough to log in. Simply reach out and ask them to explain how and when they are updating everything. 

In addition to the above, take note of poor grammar, demands for urgent action and odd greetings or salutations. A common red-flag greeting is over-the-top formality. Remember, it only takes a couple of clicks for attackers to take advantage of the weakest link in your organization: computer users. We encourage all professionals to participate in annual security training. Threats are constantly evolving, so staying current is important. Every organization needs a human firewall. 

If you are concerned about any of your co-workers' or staff members' knowledge or street smarts when it comes to security, reach out to us for educational support. All events are posted on our website at: https://www.smartdolphins.com/training/