Phishing: we’ve talked about it before on the blog, and we’re talking about it again today — because it’s just that important.
Even today, phishing remains the single greatest source of digital threats against your business. It’s the tactic scammers use to crack open the door. Once that door is open, they can launch any number of attacks: malware, spyware, ransomware, DDoS attacks, financial attacks, and many more.
So today we’re giving you a crash course in phishing awareness: the top signs you and your team should watch out for to stay protected.
What is phishing, again?
Before we jump into awareness tactics, we’ll start with a quick definition. Phishing refers to any digital attack where cyber criminals try to lure in unsuspecting users, much as real-world fishing lures in fish.
Here the bait is some urgent communication, usually via email, that tells the user about some big problem they need to solve right now. It usually looks like it comes from somewhere legitimate, like a bank or Microsoft or even (in advanced cases) a high-level executive at your own company. But in reality it’s a fake — just like that juicy rubber worm you’d use to catch real-world fish.
As soon as a user clicks the link, they’re asked to log in to whatever service the scammers are pretending to be. The login fails, but it’s already too late: the bad guys now have credentials and can access whatever system or service uses those credentials.
How to Spot Phishing Attacks
The alarming thing about phishing attacks is that they honestly work way too well. Employees get tricked by the urgency into acting before they think. But usually, if people slow down a bit, there are some tells that suggest an email (or voicemail, or text message, and so forth) is illegitimate.
Here are the top signs to look for.
1. Spelling Errors and Weird or Unprofessional Writing
First, if there’s anything off about the words themselves, that’s a huge red flag. When was the last time you got an email from Microsoft or your bank that wasn’t written in clear, professional-quality English? Just about never, right?
Many phishing campaigns originate overseas, and all of them prioritize quantity over quality. So you’ll often see just weird stuff in the text.
Note that the scammers are getting smarter on this point, so messages are getting more convincing.
2. You’ve Never Gotten a Similar Email from the Company
If you receive an email you weren’t expecting, and it asks you to do something you’ve never before been asked to do, treat it with deep skepticism. You will almost never receive an unsolicited email from a legitimate company that rushes you into providing sensitive information.
If anything feels off about it in any way, don’t click any links in the email. If you’re worried it might be legit, contact that company another way (such as manually navigating to their website, logging in, and contacting support). If the problem is really that urgent, support can guide you through.
3. There’s Any Sense of Urgency
Urgency tricks the brain into not thinking or noticing details. We’re wired for fight or flight for a whole bunch of good reasons, but the bad guys know this and exploit it in phishing attacks.
If it sounds like the world is about to end, someone’s probably up to no good. What do we mean?
- The IRS doesn’t have agents out for your arrest
- PayPal isn’t emailing to confirm that you bought a new MacBook and you have to call RIGHT NOW if you want a refund
- Your Microsoft 365 account isn’t going to get deleted in the next hour unless you click the link
In each case, most people know this isn’t how these entities behave. But in the heat of the moment, it all sounds so important—so they click, and they get phished.
4. Attachment? No Thanks.
In general, never open any attachment you weren’t expecting to receive. Unless the email is explicitly clear and there is a specific reason you should be receiving an attachment, just don’t. Most spam filters block malicious attachments most of the time, but if one gets through, opening it is the easiest way to end up with malware or worse on your machine.
Want to Learn More? Get the Free Complete Guide
We’ve given you actionable information in today’s blog post, but there’s much more to learn about phishing than we could fit into this short crash course. If you’d like to go deeper and learn even more, our business owner’s complete guide to phishing is a great next step.