Email phishing spreads malware when a recipient clicks on a call-to-action or link in an unsolicited email. If your employees are duped, the consequences can be devastating for your business, customers, and reputation.
Cybercrime has become more sophisticated, with cybercriminals exploiting vulnerabilities on a large scale. One in two organisations has experienced a successful cyber attack in the past three years, and 82% of organisations don't expect this situation to ease up in the next year.
How to reduce the risk of email phishing
The risk of cyber security attacks has increased in recent years. Three in four security professionals state that their organisation's cyber risk has increased due to AI, geopolitics, and remote work.
There are no foolproof methods to prevent phishing. But you can reduce the risk by installing anti-phishing tools and making your employees aware of the risks.
1. Keep your software up-to-date!
It may seem obvious, but both at home and at work, the first line of defence against attacks is the software on your network or device.
That's not just the anti-malware software but also security patches for your operating system, Windows and any packages you use. It takes seconds to keep it updated and mitigate the consequences of any mistake you might make.
2. Be sceptical about links in branded emails
The US Federal Trade Commission reported a spike in email phishing related to the COVID-19 pandemic. A report from Digital Shadows found scammers posing as well-known and reputable organisations - including the World Health Organization and the Centers for Disease Control and Prevention.
If you receive an email from a recognised brand (such as a bank, utility, shopping or tech firm), be sceptical if it asks you to click a link to provide your personal information or passwords.
Make sure the domain of both the sender's email address and any links matches that of the actual site, as you would find it via a search engine. Hover your mouse over the link and the email address to check that the real destination matches the text displayed.
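The two checks described here (link domain versus sender domain, and displayed link text versus the real href) can be automated. The Python below is an added example, not code from the original article: it parses a constructed sample message, extracts every link from the HTML body and reports each mismatch. It assumes a crude "last two labels" notion of a site's domain rather than a public-suffix list.

```python
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): the visible link text shows
# the bank's real domain, but the href points at a look-alike domain.
RAW_MESSAGE = b"""From: "Example Bank" <alerts@examplebank.com>
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p>
<p>Please <a href="https://examp1ebank-secure.net/login">https://examplebank.com/login</a>
to verify your details within 24 hours.</p>
"""

def registrable_domain(host):
    """Crude 'site' name: the last two labels of a host (assumption: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a href> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a" and "href" in dict(attrs):
            self._href, self._text = dict(attrs)["href"] or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_findings(raw):
    """Return a list of mismatches between sender domain, link targets and link text."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = email.utils.parseaddr(str(msg["From"] or ""))
    sender = registrable_domain(addr.rpartition("@")[2])
    body = msg.get_body(preferencelist=("html",))
    parser = LinkCollector()
    parser.feed(body.get_content() if body else "")
    findings = []
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        if target != sender:
            findings.append(f"link to {target} does not match sender domain {sender}")
        if "." in text and " " not in text:  # the visible text itself looks like a URL
            shown = registrable_domain(urlparse(text if "://" in text else "//" + text).hostname or "")
            if shown != target:
                findings.append(f"link text shows {shown} but points to {target}")
    return findings
```

An empty list means every link points at the sender's own domain and no link text misrepresents its destination; anything returned is worth forwarding to the IT team.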
3. Avoid oversharing personal information on social media
Avoid sharing your position, job title, location, company and even age on social media (with the obvious exception of sites like LinkedIn and Workplace).
It can make you more susceptible as scammers can use it to make their emails more credible (e.g. "Hey, I work with Julie in Accounts at X").
4. Train yourself to recognise personal styles
A recent report shows that one in three users click on harmful content in phishing emails, with one in two proceeding to enter sensitive information.
Familiarise yourself with how colleagues and suppliers communicate with you. It will help you to recognise their personal style in terms of the words and phrases they use, their usual sign-off, etc. This can help you detect impersonators.
5. Notify your IT team of suspicious emails
In the UK, individuals were targeted by Coronavirus-themed phishing emails with infected attachments containing fictitious 'safety measures'. The scale of attacks prompted the National Cyber Security Centre (part of GCHQ) to step in and automatically remove malicious sites that served phishing and malware.
If you are suspicious of an email, then forward it to your IT team. It allows them to investigate and, if necessary, both block the sender and warn your colleagues.
Remember, don't open the email or click on any links. But if you do, tell your IT team immediately so that they can mitigate any consequences.
6. Be wary of requests from generic addresses
If you receive an email from a generic address, e.g. customerservice@, help@, hr@, itsupport@, or payroll@, always be suspicious. If they ask for any personal information, check the sender's identity before responding - even if that means calling them to check!
7. Know the red flags
- Generic greetings (e.g. Dear Customer, User, Colleague, Friend).
- Inconsistent or unusual sender information (e.g. email domain, sender name).
- Poor formatting (e.g. poor quality logos, inconsistent font sizes and colours).
- Spelling/grammar mistakes.
- Alarming content with dire warnings and claims of serious consequences, often coupled with a need to act urgently.
- Incorrect facts (e.g. locations/names).
- Offers of financial rewards or penalties.
- Lack of legally required links, such as an unsubscribe link.
8. Finally, trust your instincts
If it sounds too good to be true, it usually is. If it sounds too bad to be true, it usually is. Cybercriminals are experts at fabricating extraordinary situations that they can exploit to their advantage.