October is Cybersecurity Awareness Month. So, we thought educating others about what cybersecurity is all about and what you can do to prevent it.
Businesses both big and small are regularly targeted by remarkably sophisticated phishing attacks – and it’s not realistic to place the burden of fighting the battle on your IT department alone. Since it takes a human to respond to and thus become a victim of a phishing scam, it’s humans that need to be trained to recognize a phishing email when they see one. Your staff can (and should) be your main defense against criminals using phishing scams to access your firm’s IT systems.
What Is a Phishing Scam?
A phishing scam is a cyber-attack that tries to steal your identity or your money or infect your IT system with malware by convincing you to part with confidential information like passwords, bank details, credit card numbers, etc. Phishing scammers typically gain your trust by pretending to be a company you regularly deal with, a business acquaintance, a friend, or even a family member. They would often send a link to their website where you are then asked to enter the confidential information they are after. Sometimes this website can pretend to belong to a major company such as Microsoft, Apple, or your bank.
Common Signs That You Are Dealing with A Phishing Scam
Look out for the following warning signs:
The Sender Tries to Create A Sense Of Extreme Urgency
Con artists are well aware that most people love to procrastinate. When an email comes in and it doesn’t sound too urgent, we would often decide to deal with it tomorrow, or the next day. And giving people time to think about the email is the last thing a scammer wants because then the recipient might realize something sounds…. fishy. Even if you don’t think about the message again, you might still realize something sounds strange when you return to it again later.
This is why scammers often encourage you to act immediately……or risk losing a “golden opportunity”. After all, when you receive an email from Windows asking you to act immediately or lose access to your computer system, for example, you are unlikely to ignore it. We’ve noticed this approach in nearly every phishing email we’ve ever received.
This artificial sense of urgency works equally well in workplace scams. Con artists know perfectly well that an employee is going to act immediately if they receive an email from what they believe to be the CEO asking them to go to a URL and enter the IT system’s login details there.
This type of phishing scam is extremely dangerous because most people will not even doubt for a moment that the email is actually from the boss. And ignoring a request from so high up is just not something you do if you still want to have a job tomorrow.
The Email Contains an Attachment Infected with Malware
This is another very dangerous type of phishing email. It could, for example, pretend to be an invoice from a company you often deal with. Everything will seem above board – until you click to open the attachment. Then it will install malware on your computer which could e.g., steal private information or wipe all information from your computer’s hard drive.
The best line of defense again this type of attack is not to open attachments before you are 100% sure they were sent from a legitimate source. Even if that is the case, but there is something that bothers you about the attachment, do not open it.
If you, for example, get a pop-up message asking you to adjust your computer’s settings or enter your password, rather be safe than sorry. Contact the sender by phone or in another way to confirm that everything is legitimate. If you reply to the email it might not go to the person you believe you are dealing with.
The Message Contains a Suspicious Link
It’s often not difficult to identify a suspicious link. One example is if you hover your mouse over the link and the destination address doesn’t seem to be in any way connected to the information in the email.
Let us say, for example, that you get an email from PayPal, supposedly about an urgent matter related to your account. It contains a link with text similar to the following: “Urgently click here to prevent your account from being closed.” But if you hover the mouse over the link, it goes to a web address somewhere in Afghanistan. Even if the email uses Microsoft’s official logo, something is not right. Do not click on that link!
The Domain Name Is Spelled Incorrectly
Are you aware that anybody can register any domain name they want with a domain registrar as long as it doesn’t exist yet? While such a name has to be unique, nothing stops a scammer from registering a domain name that looks as if it is genuinely linked to a department within a well-known company.
It would, for example, be very easy for a con artist to register the name ‘PaypalSupport.com’ and from there send completely legitimate-looking emails to PayPal customers, trying to convince them to enter their usernames and passwords on the fake website. What will happen next is fairly easy to predict.
Another trick scammers often uses is registering a domain name that appears very similar to an existing one. Well-known producer Phia Bennin illustrated this when, instead of ‘gimletmedia.com’, he registered ‘gimletrnmedia.com’ (using ‘rn’ instead of ‘m’). This worked so well that he was able to trick not only the show’s hosts but also the company’s president and even the CEO.
Con artists are sometimes so good with this that they program the message to inform them when someone opens the email more than once on different devices without clicking on the link. Since that might indicate that the person is interested but just not convinced enough to click (yet), they will then follow up the original email with another potentially even more convincing one.
The Email Originates from a Gmail Or Other Public Email Account
Gmail is very popular among the general public and there is nothing wrong with that. If the bakery around the corner has a Gmail account to inform its customers when it has freshly baked bread, there’s no reason that should be a problem.
But if you receive an email claiming to come from Apple that was sent from a Gmail account, immediately put on your running shoes. The same applies to emails that purport to come from major companies like PayPal, Microsoft, etc. Even if the logo is the same and the rest of the email looks legitimate, chances are very good that you are dealing with a scammer.
Something that needs to be pointed out at this stage is that the name Google, Microsoft, etc. in the part of the email address that comes before the @ means nothing. The chances that an email that was sent from GoogleSupport@gmail.com or MicrosoftSecurityDivision@yahoo.com actually came from Google or Microsoft is about the same as that there is really a man living on the moon. The part that matter comes after the @. That should read Microsoft.com or Yahoo.com.
The Email Is Riddled with Spelling And Grammar Mistakes
A final way to spot a phishing email is when it contains poor grammar and spelling. Does that mean many scammers are semi-literate or not well educated?
The most likely answer is that they are simply not good at writing English. They are often from countries where English is not widely spoken and they typically have a background that allowed them little opportunity to acquire proper English language skills.
If you keep this reality in mind, it’s a lot easier to pick up when a writer simply makes a genuine typo and when he or she is pretending to be someone they’re not. When composing phishing emails, scammers would typically use an online translator or a spellchecker. This would make sure they use all the right words – but often not in the right context.
While all the words might be spelled correctly, the message could e.g., contain grammatical mistakes that a native English speaker generally speaking would not make. Here are a few examples:
– We are wanting to speak to you eagerly
– Please be contacting our Support Center without making a delay
This does not mean that every email that contains an error is a phishing scam. Everybody makes a mistake now and then, particularly when they are in a rush. The recipient, therefore, has to evaluate the mistake in its context and make a judgment call on whether or not it could be a hint that something darker is brewing.
To help with this, ask the following questions:
- Is it the type of error a native speaker is unlikely to make (e.g., the words are not used in the right context, or the grammar is incoherent)?
- Is it the type of mistake people make quite commonly, e.g., hitting the adjacent ‘h’ instead of the ‘j’ on their keyboard?
- Did the same error occur in a previous message you received from the same source?
- Is it likely that the message was written using an email template that would normally be properly edited and crafted?
If you are still not convinced, look for one or more of the other clues we discussed above. Alternatively, contact the sender via a different communication channel, e.g., by phone, in person, or by using the official contact address given on the website the sender claims to represent. If you simply reply to the potential phishing email, you are not addressing the core issue: the legitimacy or not of the sender.
The Bottom Line
Protect your business from malware and hackers with cyber security insurance for small businesses.
If your business computer system is compromised by a targeted or an accidental attack, you may be liable for the cost to notify the affected parties and provide credit monitoring, even if the data is not exploited. You could lose money to a phishing attack or lose business due to a ransomware demand.
Cyber security insurance protects businesses against computer-related crimes and losses. This can include targeted attacks, such as malware and phishing, as well as the occasional misplaced laptop containing confidential material.
For more information about Cyber Security Insurance, give us a call.