Seven Tips for Recognising Phishing Emails

Recognising Phishing Attacks

Phishing emails are all too common in 2024

While new and sophisticated cyberattacks pose a threat to businesses, phishing emails remain all too common in 2024. Also known as a phishing attack or phishing scam, this tactic uses fraudulent emails to extract personal information or money from users.

As of 2023, 79% of UK businesses surveyed were victims of phishing scams, with 83% of medium-sized businesses reporting these attacks. According to the UK Government, the smaller the organisation, the less likely it was to report such attacks. And, with a staggering 3.4 billion phishing emails sent every day, these figures make such scams seem unavoidable.

Despite its simplicity, phishing is underestimated, leading many business owners to overlook staff cyber awareness training. Being able to stop and identify a phishing email can in fact be the difference between a normal day and thousands in damages. So, although it may seem unnecessary, understanding how phishing works and what these emails look like can prevent massive financial and data loss.

As professionals in cybersecurity services, we aim to reduce this threat and prevent disaster by offering some guidance. Therefore, we’ve put together seven tips for recognising phishing emails to help your business protect itself from scams.

Seven tips to help spot phishing emails

Hackers use many easy tricks to exploit your employees and steal business data. Recognising these simple tactics is an important step in catching suspicious emails and preventing a breach.

So, here are the seven key tips we recommend your organisation should implement in its day-to-day work:

Check for a misleading domain name

One of the most common tricks phishing scams employ relates to domain names. Most people are not familiar with how Domain Name System (DNS) names are structured, including the domain in an email sender’s address. Therefore, many employees are easily misled by the company name they see in the URL, as they assume it is legitimate. This often occurs when hackers pose as the recipient’s registrar, luring them to dodgy sites to steal login information.

The convention for a DNS name follows this structure: child domain, then full domain (child-domain.full-domain). For example, a URL of a legitimate organisation would read as info.examplecorp.com, which is a child domain of examplecorp.com (the full domain). Clicking on info.examplecorp.com would take the user to the information landing page on that website.

Note that the full domain name is always located on the right-hand side, at the end of the hostname part of the URL. Equally, if the URL is examplecorp.com.phishingemail.com, the page belongs to phishingemail.com, not to examplecorp.com: the familiar name is only a child domain of phishingemail.com. Again, this is because the apparent domain name sits on the left-hand side of the URL.

If in doubt, contact an IT support provider in London as this will be the most secure way to find out if the domain name is legitimate.

Ensure the URL is valid

Often, a link in an email appears to be valid, but the address it actually points to is different from what is shown. Luckily, there are a couple of simple ways to check whether it is genuine.

The first method will only work if you use Outlook for your work emails. By simply hovering over the URL, Outlook will show the hyperlinked address, which should match the URL text. If a different hyperlinked address is shown for an embedded URL, it is a clear sign of a phishing email.
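The two checks described so far, reading the full domain from the right-hand end of the hostname and comparing a link’s visible text with its real destination, can be automated over an HTML email body. The code below is an added example, not code from the original article or from totality services; it assumes you know the trusted domain, uses the page’s placeholder names examplecorp.com and phishingemail.com, and the sample email body is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def registrable_domain(host: str) -> str:
    # The "full domain" is the rightmost part of the hostname. Simplified rule: keep two
    # labels, or three for forms like example.co.uk; production tools should use the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def host_of(text: str) -> str:
    # Accepts a full URL or bare "examplecorp.com" style link text.
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower()

class LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> tag in an HTML email body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html: str, trusted: str):
    # Returns (href, reason) for links that leave the trusted domain or whose
    # visible text names a different domain than the real destination.
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        dest = registrable_domain(host_of(href))
        shown = registrable_domain(host_of(text)) if "." in text and " " not in text else ""
        if shown and shown != dest:
            findings.append((href, f"text shows {shown} but link goes to {dest}"))
        elif dest != trusted:
            findings.append((href, f"link goes to {dest}, not {trusted}"))
    return findings

# Constructed sample email body; examplecorp.com stands in for the real company.
SAMPLE_EMAIL = """<p>Your mailbox is almost full.</p>
<a href="https://info.examplecorp.com/storage">Manage storage</a>
<a href="http://examplecorp.com.phishingemail.com/login">examplecorp.com</a>
<a href="https://examplecorp-secure.com/verify">https://examplecorp.com/verify</a>"""
```

Running suspicious_links(SAMPLE_EMAIL, "examplecorp.com") flags the second and third links: the first goes to phishingemail.com despite showing examplecorp.com, and the last shows an examplecorp.com URL but points at a lookalike domain.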

Another way to check your URLs is to use an AI-powered phishing link scanner. NordVPN offers a free and safe URL checker which scans for malicious websites, malware, and phishing.

Never click on links to share personal information

Often users receive a phishing email from what appears to be a completely genuine sender. This is a difficult scam to spot as hackers will imitate official messages from your bank or reputable companies. These phishing attempts function through social engineering, communicating urgency and priority to compel you to take action.

A major red flag is when the phishing email asks you to confirm your personal details by replying or following a link. This information could include your account number, name, age, or login credentials. Remember, your bank or company would never ask you for such information as they already have it. Additionally, if it appears to be an urgent request for information from your employer, seek other means of contact.

If you suspect an email is not genuine, do not reply to the sender, follow any embedded links, or download attachments. And again, if you are unsure about the source of the email, it is better to search online for the company or bank and contact them directly.

Reread for poorly written phishing emails

As a rule, emails from real companies are written by professionals and are thoroughly checked for grammar, spelling, and legal errors. Many phishing emails, by contrast, are sent in bulk with low-quality messaging, so mistakes are plentiful. Less sophisticated phishing emails in particular give themselves away with poor language, grammar, and spelling errors.

Ensure you read the full email and note any grammatical and spelling errors. Reread if necessary and scan for peculiar phrasing or structure as these can both indicate a phishing attack.

Be distrustful of far-fetched offers

Many phishing emails contain an irresistible offer that sounds too good to be true. Common sense dictates that most employees should see through these messages; however, many still fall prey.

One common fraudulent offer is a congratulatory email stating you have won a new phone or money. These phishing emails draw you in to click a link and share your personal details to “claim your prize”.

Don’t respond to phishing emails asking for money

Any email that asks you to send money towards fees, expenses, or taxes is undeniably a scam. Another common example experienced by many is an email laying out an overseas job offer with an incredible salary. In this case, users are prompted to send a “deposit” to confirm their acceptance of the job.

Be wary of threatening messages

Alongside posing as legitimate businesses or banks, scammers try to instil panic by sending out threatening messages. One such scam claims your account has been compromised or closed, telling you to take immediate action. Hackers then prompt you to verify your login details through a dodgy website in order to regain access to your account.

When a hacker is threatening you through a phishing email, it is always best to remain calm. If you are asked to verify any personal details, you should never share them through an email link.

For phishing emails claiming to be from your bank or an official tax authority, check again for any mistakes or vagueness. Keep in mind that any real action required by genuine authorities like HMRC is usually communicated by post. Additionally, urgent payment notices can be followed up on the authority’s official website.

Ultimately, when in doubt about the source of an email, check with your IT support provider. For further guidance, please reach out to the totality services team, where we can assist with any preventative steps.