Have you ever received a phishing email? You know, those poorly written, unconvincing messages that make you wonder why scammers even bother?
Well, here's the harsh reality: phishing attacks work, and they're a top cybersecurity threat. In fact, within companies, a single breach can cost around $4.5 million.
These costs pile up quickly: ransom payments made to stop stolen data being leaked, recovery of systems infected by ransomware or viruses, and the countless staff hours spent securing compromised systems. It's not just about money. The good news?
All of this is preventable with the right awareness, approach, and knowledge.
The Phishing Epidemic: Some Startling Statistics
Let's dive into some eye-opening statistics:
An estimated 80-90% of recent cyberattacks involved phishing.
In 2022, nearly half of all emails on the internet were spam.
One high-profile "Whaling" attack cost a business a staggering $47 million. (Wondering what Whaling is? It's a specialized form of phishing targeting high-level employees, such as CEOs, who have access to substantial funds.)
Spotting Phishing Emails: Your First Line of Defense
So, how can you protect yourself? While there are no guarantees, you can follow these steps to spot phishing emails and shield yourself from becoming a victim.
1. The Urgent Tone: Proceed with Caution
Phishing emails often employ an urgent tone that pressures you to act quickly, without giving you time to think. For instance, they might claim your parcel is at risk, your device is unprotected, or your Netflix account is in jeopardy. Anything pushing urgency should raise suspicion.

An example of a phishing email masquerading as McAfee
These examples show a couple of standard phishing emails; they rely on your worry about losing your protection or not getting your package.

An example of a phishing email masquerading as a courier company
2. Verify Contact Information: Don't Trust the Email
Don't trust the contact information provided in the email; it's often fake. Instead, look up the official phone number for the company and call them to verify the email's authenticity. If it's a scam, ask if they have an email address for reporting such incidents.
Although waiting on the phone can be annoying, it is far less annoying than having to change every password you have, get your cards re-issued, and deal with the bank and potentially a police investigation in order to get your money back.
3. Scrutinize the Email Address
Even if the email looks legitimate, check the sender's email address. In many cases, scammers use email addresses that mimic those of well-known companies but have subtle differences. Always cross-verify with official corporate email addresses.

An example of an illegitimate email address
Although this one claims to be from NZ Post, a look at the e-mail address shows it is clearly not legitimate. No matter how legitimate the rest of the content looks, you should always check the sender's address against the company's listed corporate e-mail addresses.
4. The Devil Is in the Details: Spelling Mistakes
Legitimate emails are less likely to contain spelling mistakes and incorrect syntax. Scam emails often feature glaring errors that reputable companies wouldn't make. If something seems off, like "receive it" instead of "rearrange delivery," it's a red flag.

An example of a phishing email with obvious spelling and formatting errors
Frequent spelling mistakes are also a deliberate tactic used by some malicious actors to filter out the people who would question them: they count on the 'harder' targets, who would pick up on the mistakes, not getting in contact. The people who don't notice, or who are a bit more trusting, are more likely to click or reply and fall foul of a cyber-criminal.
5. Ask Yourself Key Questions
Before taking any action, consider these questions:
Is this email expected?
Do I typically receive emails from this company?
Did I request or subscribe to this service?
Does the link lead where it claims to?
These are standard questions to ask about more than just phishing e-mails; they apply equally to text messages, calls, social media requests and messages, or even people showing up at your door.
6. Hover Before You Click
To check where a link will take you without clicking it, simply hover your mouse over it. If the destination URL doesn't match the company's official website, be highly suspicious. While some companies use link shorteners, it's always safer to confirm with the company directly.
Although some companies do use 'Tinyurl' or something similar, these are also open to abuse and no one will blame you for being careful and checking with the company in question.
One example of a link that is clearly suspicious is below, as you can see when you hover over the button:

An example of a phishing email with an illegitimate URL hidden behind a button
This link is clearly not a legitimate shipping company; clicking it would be a bad idea.
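The two checks from steps 3 and 6 (is the sender's address really the company's, and where does each link actually go?) can be automated for a saved message. The script below is an added example, not part of the original post; the allowlist of official domains, the shortener list and the sample message are all constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed allowlist of the domains the companies named in the mail really use.
OFFICIAL_DOMAINS = {"nzpost.co.nz", "mcafee.com"}
# Link shorteners hide the real destination, so the script flags them as well.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}
# Good enough for the constructed sample; a real mail should use a proper HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def is_official(host):
    """True only if host is an official domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def check_email(raw):
    """Return red flags: the sender's address domain and where every link really goes."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    if msg["from"]:
        sender = msg["from"].addresses[0]
        if not is_official(sender.domain):
            flags.append(f"sender {sender.addr_spec} is not an official address")
    body = msg.get_body(preferencelist=("html", "plain"))
    for href, text in ANCHOR.findall(body.get_content() if body else ""):
        host = urlparse(href).hostname
        shown = re.sub(r"<[^>]+>", "", text).strip()   # what the user sees
        if host in SHORTENERS:
            flags.append(f"link {shown!r} uses shortener {host}")
        elif not is_official(host):
            flags.append(f"link {shown!r} actually points to {host}")
    return flags

# Constructed sample modelled on the courier-style phishing mail described above.
SAMPLE = """From: NZ Post <delivery@nz-post-parcels.example>
To: you@example.org
Subject: Your parcel is waiting
Content-Type: text/html

<p>Your parcel could not be delivered.</p>
<a href="https://tinyurl.com/placeholder">Rearrange delivery</a>
<a href="http://parcel-track.example/login">nzpost.co.nz/track</a>
"""

if __name__ == "__main__":
    for flag in check_email(SAMPLE):
        print("RED FLAG:", flag)
```

Note the last link: the visible text reads like an NZ Post address, but the href points elsewhere, which is exactly the mismatch that hovering over the button reveals.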
Stay Vigilant and Spread Awareness
In conclusion, remain vigilant both at work and at home. Cybercriminals target individuals wherever they can. Educate your family and colleagues to recognize these signs. If you're unsure about an email's legitimacy, reach out to your company's IT department or contact the alleged sender for verification.
In New Zealand, organizations like 'Netsafe' (https://netsafe.org.nz/) can assist in keeping New Zealanders safe from online threats.
In future blogs, we'll explore more methods to verify links without clicking them and reference additional resources for your cybersecurity journey.