There’s a reason that phishing attacks are so successful. Millions of malicious messages are sent every day, vast numbers pass through spam filters and at first glance many of them appear genuine.
Verizon’s 2018 Data Breach Investigations Report found that a phishing email will catch out 1 in 25 people. That means there’s a good chance that, even in the smallest organisations, at least one employee will be fooled.
To ensure that doesn’t happen to you, take a look at our top five tips for identifying and avoiding phishing attacks.
Learn about common phishing scams
Although criminals launch vast numbers of attacks, these generally imitate common issues from well-known organisations, like an order receipt from Amazon, a password reset message from Apple, an account verification from Netflix, a failed payment from PayPal, and so on.
If you are aware of the most commonly imitated organisations and the types of messages sent, your alarm bells will ring whenever you receive such a message.
There are also scams that take advantage of topical events, such as bogus promotional emails relating to major sporting events. Being aware of these means you’re more likely to scrutinise the email before clicking anything.
Think before you click
That brings us to a more general piece of advice about phishing: always think before you click.
Many of us can spot a phishing scam in a test environment but fall victim in a practical setting. That’s because our guard is down, leaving us more susceptible to the tricks that scammers use, such as making a message seem urgent in order to make us panic.
We wouldn’t expect you to identify every scam email as you read it, and it’s perfectly natural to panic when you receive an urgent request.
Just don’t click anything right away.
Take a deep breath. Whether the message is genuine or fake, nothing will get any worse in the few seconds it takes to re-read the email and look for signs that it’s a scam.
Verify the site’s address
Phishing emails will either ask you to download an attachment or to click a link. If it’s the latter, you should check the destination link before you click.
You can do this on a laptop or PC by hovering your cursor over the link. This will display the destination URL in a small bar at the bottom of the browser. On a mobile phone, hold your finger on the link and the URL will appear as a pop-up.
Doing this might immediately reveal that the link is bogus. For example, an email from, say, Netflix would direct you to an address that begins “netflix.com”, so if the link uses an unfamiliar string of characters, like the example below, or a URL shortening service like TinyURL or Bitly, then you shouldn’t click.
Source: Malware Traffic Analysis
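As an added example (not part of the original article), here is a small Python check that applies the hover-and-inspect advice to a link: it extracts the hostname the link really points at and compares it to the expected domain label by label, so a lookalike such as netflix.com.account-verify.example (a constructed sample) is rejected even though it begins with "netflix.com". The shortener list and all sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts of the URL-shortening services named in the article (constructed list, not exhaustive).
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "bitly.com"}


def link_hostname(url: str) -> str:
    """Return the lower-cased hostname a link really points at, or '' if it has none.

    urlsplit() discards any user:password@ prefix and :port suffix, so
    'https://netflix.com@evil.example/login' yields 'evil.example', not 'netflix.com'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    return (parts.hostname or "").rstrip(".")


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain itself or a subdomain of it.

    A plain startswith() test would accept 'netflix.com.evil.example';
    matching whole DNS labels from the right does not.
    """
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def assess_link(url: str, expected_domain: str) -> str:
    """Classify a link taken from an email that claims to come from expected_domain."""
    host = link_hostname(url)
    if not host:
        return "reject: not an http(s) link with a hostname"
    if host in SHORTENER_HOSTS:
        return "reject: URL shortener hides the real destination"
    if belongs_to(host, expected_domain):
        return "ok: destination is " + host
    return "reject: destination " + host + " is not " + expected_domain


if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    samples = [
        "https://www.netflix.com/account",
        "https://netflix.com.account-verify.example/login",
        "https://netflix.com@account-verify.example/login",
        "https://tinyurl.com/abc123",
        "http://203.0.113.7/netflix/",
    ]
    for link in samples:
        print(link, "->", assess_link(link, "netflix.com"))
```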
Verify the site’s legitimacy
It’s not too late if you click a bogus link by mistake. Simply visiting a website is unlikely to pose a risk, as every major browser is sandboxed, meaning a malicious script on the page can’t infect your device.
Criminals know that and have a different goal in mind. Their intention is to make you believe the site is genuine and get you to enter your login details. This gives them access to whatever information is linked to that account and, because people often use the same credentials across multiple sites, potentially enables them to compromise other accounts.
So how can you tell a site is legitimate? The first clue is to look for a green padlock next to the URL, which generally indicates that the site is secure. Here’s what it looks like on each major browser:
Source: The SSL Store
The green padlock doesn’t guarantee that the website is legitimate. It simply means that the organisation that owns the site has an SSL certificate, which it gets when it has implemented security measures that ensure the information shared between you and the site is secure.
In other words, it simply guarantees that criminal hackers won’t intercept information that you provide the site.
That still leaves the possibility that fraudsters own the site and are accessing the information you give them, so it’s certainly not foolproof.
What we can say definitively is that all legitimate sites will have a green padlock, so if it doesn’t, it’s almost certainly malicious.
Never provide personal information from an email request
Our final tip is our most decisive: never give anyone personal information simply because they’ve requested it in an email.
Yes, many legitimate organisations will send you messages asking for your personal details. They might also ask you to log back in to your account or to confirm your activities.
These requests aren’t always suspicious, but if you want to avoid the threat of phishing altogether, you should simply avoid the risk.
That doesn’t mean ignoring requests. Instead of following any email links, log in to your account via your browser. If the message was legitimate, the same warning should appear as a banner once you’ve logged in or in your inbox. Because you visited the site independently, you can be sure that no trickery has occurred.
It’s a little more time-consuming than following an email link, but it will save you plenty of headaches down the line.
Test your organisation’s resilience to phishing scams
Find out how your staff handle phishing emails by putting them to the test in a real-world environment. With our Simulated Phishing Attack, a security expert will send your employees a scam email (minus the malicious payload) and monitor how they respond.
You can use the results to pinpoint specific weaknesses, inform your cyber security strategy and show employees how serious the threat of phishing is.