How to Recognize a Phishing E-Mail
In 2021, there are all kinds of threats to network security. Malware, including ransomware – a type of computer virus that holds your computer hostage- is becoming increasingly common. Phishing scams are also on the rise.
A phishing scam is, according to Oxford Languages, “the fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers.”.
A phishing email will typically:
- Ask you to log in to something by clicking on a link; or
- Ask you to submit personal or confidential information
Phishing attacks can lead to compromised security – not only for you but for your company. Cybersecurity is now more important than ever.
Phishing scams can get quite tricky. Even if an email appears to be from someone you know, it may not necessarily be safe. It is possible to ‘spoof’ e-mail addresses, making an email seem legitimate when it is not. Worse, the individual in question could be compromised. What is the best way to recognize phishing e-mails? Read on to find out.
Types of phishing attacks
There are three different types of phishing attacks:
- Basic phishing- Mass emails
- Spear phishing- Targeted messages towards a specific user or company
- Whaling- Attacks targeted at an executive or someone high up in a company
The truth is in the details
Spotting a phishing e-mail is often in the details:
- Check the sender (though, as we have already covered, the sender may appear legitimate)
- Does the e-mail have the same tone as other correspondence from this person or company?
- Do the fonts and brand colours match up?
- Does the design quality look bad or rushed?
- Is the email signature the same as always?
- Is it normal and reasonable for the sender to make this request?
- Did you initiate the request?
- Were you expecting the request?
Double-check that everything is correct.
Scammers will often use e-mail addresses or domains with one letter or number different from the real thing. For example:
- sirkit.ca might be sirkit.org
- google.com might be gooogle.com
- rbc.com might be rbcbank.com
The best defense against a phishing attack is being vigilant. If you’re not 100% sure it’s legitimate, delete it, or contact the person or company directly by telephone or through their website (DO NOT reply to or use contact information from the e-mail you received).
It’s important to note that most organizations will never ask you to submit confidential information or login via e-mail. If you didn’t initiate the process, always assume it’s fake.
How to protect against phishing
While paying attention to the details is the best way to protect yourself from a phishing attack, other steps can be taken. Having a procedure in place for financial transactions and the transfer of sensitive information can help prevent phishing attacks.
First, if there is a procedure in place, any correspondence that deviates from the procedure, or, requests specifically identified by that protocol as high-risk, should set off alarm bells.
Use trusted security services, like Microsoft’s Advanced Threat Protection (ATP) to analyze and quarantine incoming hostile email before it hits your mailbox and always ensure financial requests require a secondary manual check that does not involve the source. It’s also possible to set up an alert that will display a warning if an email came from a third party.
Additionally, multi-factor authentication (MFA) is one of the most effective ways to enhance cybersecurity. Using MFA is usually free and can stop over 99.9% of account-based attacks, primarily because it requires a secondary means of proving who you are (more than just your password). This typically involves a push notification to your phone or a random code that changes every 30 seconds. MFA is super easy to use and should be set up on any platform that supports it. If you currently use Microsoft 365 and do not have it enabled, you should absolutely do it as soon as possible.
We also recommend setting up a warning when e-mail comes from external parties. Microsoft Office 365 has a feature to assist with this.
Finally, have your IT company setup sender verification to enhance e-mail security- including setting up SPF, DKIM, and DMARC protocols.
- SPF stands for Sender Policy Framework. This record specifies which IP addresses are authorized to send email from a particular domain.
- DKIM is short for Domain Keys Identified Mail. This record proves that the contents of an email have not been changed or tampered with.
- DMARC, meanwhile, is Domain-based Message Authentication, Reporting, and Conformance. This record builds off the previous two and adds a few more security measures.
Setting up all three of these security protocols will provide a strong net against phishing attacks. Implementation can be advanced, but an IT consultant can help you get them set up. Hiring an IT consultant has many benefits, including increased cybersecurity.
At SIRKit, our goal is to be the last IT partner you ever have. We pride ourselves on fixing problems the first time. Our strength is providing you with personalized service- not canned responses. If you are looking for the best IT company for your company or project, please reach out to us. We would be happy to help, including providing you with a no-obligation quote.