- Check the “from” email: When you receive an email that looks like it’s from a person you know, always check the actual email address next to the sender’s name, not just the name, to verify that it’s correct; the display name can be set to anything. Email addresses can sometimes be spoofed, so to double check, click “reply” and see what address appears in the “To” field, since a reply goes to the Reply-To address rather than the one shown in “From.” Do not actually send the reply.
- Use your knowledge of the person: If you receive an email that looks like it’s from someone you know, check it carefully to see if it matches what you know about the person. Does the phrasing, tone, or language seem strange or uncharacteristic? Do they use a name, greeting, or sign-off other than the one you’re used to seeing? Do they have the right signature file or graphic at the end of the email?
- Check for misspellings and awkward phrasing: In the iTunes email scam above, the phisher wanted to “advise the quantity and domination to procure.” Uh, you mean “denomination”? As the conversation continued, the scammer stopped using any sort of punctuation or sentence spacing, just long strings of run-together phrases. Of course there’s always a chance your colleague doesn’t know how to spell or write, but it’s still worth checking—phishing emails are notorious for being poorly written.
- Be suspicious: The X-Files had it right: Trust no one. If you have the slightest suspicion about the origin of an email you receive, call the person independently to confirm that they sent it, and never do anything involving money, business operations, or revealing sensitive information without verifying, in person if possible, that the person who appears to be emailing you actually wants you to perform the requested task. So many spear phishing attacks could be foiled by simply popping your head into someone’s office and saying, “Hey, do you really want me to do this?”
- Conduct security training: Cyber criminals are always looking for new ways to defraud people, and it can be difficult to keep track of all the warning signs you should be looking for. In addition, working in a busy office naturally makes people more susceptible to scams, because when you’re focused on trying to get things done, you tend to let down your guard. Companies like KnowBe4 and Cofense (formerly PhishMe) can hold security awareness training for your employees and can even set up automated fake phishing emails you can send to employees to increase their security awareness.
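The “check the from email” tip above can be automated at the mail gateway or in a mailbox rule. The following is an added example, not code from the original post: it parses a constructed message, compares the sender’s display name against the address you actually know for that person, and flags a Reply-To that differs from From (the mismatch you would see by clicking “reply”). All addresses and the address book are made up.

```python
# Added example: flag two "from" red flags from the tip above -- a display
# name whose address does not match the one you know for that person, and a
# Reply-To header that differs from From (what you see by clicking "reply").
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message: "Mike" writing from a look-alike domain, with a
# Reply-To pointing somewhere else entirely. Every address here is invented.
SAMPLE_MESSAGE = b"""From: Mike Example <mike.example@examp1e-corp.com>
Reply-To: mike.example@mailbox-example.net
To: payroll@example-corp.com
Subject: Direct deposit change

Hi, can you update my direct deposit info? I'll send the new details.
"""

# Constructed address book: display name -> the address you actually know.
KNOWN_CONTACTS = {"mike example": "mike.example@example-corp.com"}


def check_sender(raw_message: bytes, known_contacts: dict) -> list:
    """Return a list of red-flag descriptions found in From / Reply-To."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    flags = []

    # Display name is known, but the address behind it is not the one we know.
    expected = known_contacts.get(name.strip().lower())
    if expected is None:
        flags.append(f"unknown sender name: {name!r}")
    elif expected != addr:
        flags.append(f"address {addr} does not match known {expected} for {name!r}")

    # A reply is addressed to Reply-To when present, so a Reply-To that differs
    # from From is exactly what the "click reply and check To" tip catches.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        flags.append(f"Reply-To {reply_to.lower()} differs from From {addr}")

    return flags


if __name__ == "__main__":
    for flag in check_sender(SAMPLE_MESSAGE, KNOWN_CONTACTS):
        print("RED FLAG:", flag)
```

A message from the known address with no Reply-To produces an empty list; either mismatch alone is enough to warrant the phone call recommended above.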
Here are a few real-life attacks we’ve seen recently, and how we knew they were phishing:
The attack: An employee in the payroll department received an email from “Mike,” another employee, saying he wanted to change his direct deposit information.
The giveaway: While the phishing email had the full name of the employee correct, the “from” email was wrong, and the person signed the email “Michael” when the actual employee only goes by “Mike.”
The attack: An employee received an email that appeared to be from his boss asking, “Are you available for a quick task?” We’ve seen these before, and because they do not ask for or refer to any sensitive or financial information, people tend to engage with the sender, which then leads to the scam.
The giveaway: When the email recipient responded, he received strangely worded instructions to obtain 10 $100 iTunes gift cards. The scammer asked the employee to scratch off the silver portion to reveal the PINs and send a picture of all the codes. If the red flags weren’t up before, that sent them all the way up the pole. However, when the employee asked what client they were for, the scammer provided the name of an actual client of the company.