According to Verizon's latest report, 36% of breaches involved phishing attacks, an increase of 11% in comparison to the previous year. Due to the pandemic and more employees working remotely, cyberattackers have used this to increase their phishing campaigns to organisations and their employees. All it takes is for one employee to click on a link in a phishing email for them or the organisation to fall victim.
That is why organisations must support their employees with cybersecurity awareness training and helping their employees understand cybersecurity foundations such as how to spot a phishing email. In this blog, we share some top tips on how your employees can spot a phishing email, helping to strengthen your organisation with its cybersecurity strategy.
1 – Check the email address of the sender
If you spot an email and the display name looks familiar or from a brand you trust, it doesn't mean it is them. Be sure to check the actual email address is from a trusted sender. Phishing scams impersonate a person or a company you trust, e.g., TV licence phishing, Amazon phishing or more recently Covid-related phishing.
Sometimes a phishing email may come from an address such as firstname.lastname@example.org or email@example.com - trusted senders would not send it from a generic email such as Hotmail, Gmail or Yahoo!, instead a verified email would be from their domain name. In the second instance, having a domain name that looks similar, but is slightly misspelt, is another way of fooling you into believing they are a trusted source.
2 – Detect spelling and grammar errors
While this may sound strange, spam emails often have spelling mistakes or grammatical errors. Cyberattackers really aren't worried if their spelling or grammar is correct.
Read the email thoroughly and be suspicious of any errors. If the email is poorly written, then it's not from the company they are impersonating. If in doubt, always forward the email to your IT team. But NEVER follow through on the actions requested in the email.
3 – Beware of how the email sender greets you
Is the email greeting impersonal? E.g. Dear reader, Hello Sir/Madam. Or perhaps it fails to recognise your name entirely, e.g., Hi [first name]?
If a trusted source is emailing you, e.g. your bank, they will address you personally. Don't fall for the trick, mark the email as spam and delete the email. Even better, forward it to your IT team, so they can warn everyone in your organisation of phishing scams targeting your organisation.
4 – Do not share personal information
Are you asked for personal information such as your bank details or security details? Remember, genuine companies such as your bank will NEVER ask you to confirm that over email. They already know that information. Don't share anything.
5 – Do not click on suspicious links or attachments
Cyberattackers love luring in their victims through links, for example, "validate your email address or account". Always hover over a link to check the linking URL, if it looks suspicious or doesn't link to what the rest of the email says – don't click on it! The same goes for attachments, if you're not expecting an email with an attachment and if the email is out of context – then don't open it!
Phishing emails are there to incite curiosity or panic to get hold of a vulnerable employee who will open your organisation to the cyberattacker. It's important to continuously remind and educate staff throughout the year with phishing training and other cybersecurity awareness training to ensure everyone stays alert on what to look out for, so they don't get caught.
Organisations can use a phishing simulator tool to increase the security awareness of their employees. By regularly testing employees, organisations can ensure they remain alert, asking themselves if an email is legitimate or spam. Using this technique also helps L&D and security teams understand who in the organisation might need some extra training or support.