It’s Monday morning and the first thing you do (after grabbing your coffee) is to check your emails from the weekend. There are 23 new messages. The most recent one is from your CEO, so you open that one immediately. He’s about to give a presentation, but his laptop died. Please text him your mobile number ASAP!
The next email is a warning from one of your vendors that you have an unpaid six-month-old invoice and your company is about to get dropped from their services unless you deal with it immediately. There’s a PDF of the invoice for proof.
The third email is from Amazon. Your order has been delayed, but you can track it by clicking on this link.
It’s 8:15 am and you’ve just potentially fallen prey to three phishing emails. You might think those examples were too obvious for you to fall for — and perhaps they were — but email attackers are getting more sophisticated all the time, and the tactics are ever evolving. And when you’re in a rush to get through your emails, or to prevent a disaster — or you’re getting emails from the CEO — you don’t think as clearly as you normally do.
It’s more and more important to know how to spot a phishing email, and to know what to do about it if you suspect a scam. Here’s what you need to know about email scams in 2021.
How to Spot a Phishing Email
There are several indicators that can help you recognize a phishing email:
- There’s a sense of urgency — for example, confirm your account before it gets shut off in 12 hours, your computer’s security is at risk, or you must confirm your credentials.
- It’s an unexpected email — whether it’s from someone you know or don’t know. For example, your Facebook friend is emailing your work account, or a billing issue is sent to you instead of Accounting.
- The From email address is odd. Pay attention to the exact spelling and punctuation of email addresses. A phishing attack may use a very similar domain that looks right at first glance (company-name.com vs. companyname.com).
- It’s poorly written. Misspellings, odd grammar, and unnatural phrasing are common in phishing emails, many of which are written by non-native English speakers. The reverse is not a safe assumption, though: a polished message is not proof that it’s legitimate.
- The logo doesn’t look right. If an attacker stole a company logo and pasted it into the email, it can have the wrong aspect ratio, or be low-resolution. It might even be an outdated version of the logo.
- Strange attachments or links. Hover over the link (don’t click) and check the URL shown at the bottom of the window. The visible text can say one thing while the link points somewhere else entirely. Does the domain it actually goes to belong to the company the message claims to come from, or to some unrelated site?
A nefarious email will either ask you to click on a link, download an attachment, or reply with specific information.
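The sender-domain and link checks above can be automated. The following is an added example, not code from the original article or from TCT: it parses a constructed sample message (modelled on the invoice lure from the introduction), flags a look-alike sender domain, a Reply-To that doesn’t match the From address, urgency language in the subject, and links whose visible text names a different domain than the one they point to. The trusted domain `companyname.com`, the sample headers and URLs, and the small homoglyph table are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email). Note the look-alike sender
# domain, the mismatched Reply-To, and a link whose visible text does not
# match where it actually points.
SAMPLE_EMAIL = """\
From: "Accounts Payable" <billing@company-name.com>
Reply-To: recovery@mail-verify.example
To: you@companyname.com
Subject: URGENT: unpaid invoice - service will be suspended in 12 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your invoice is six months overdue. Review it here:
<a href="http://companyname.com.invoice-portal.example/login">https://companyname.com/invoices</a></p>
<p>Track your order: <a href="https://www.amazon.com/orders">Amazon</a></p>
</body></html>
"""

TRUSTED_DOMAIN = "companyname.com"  # assumed: the domain the sender claims to be from

# Assumed (not exhaustive) list of characters attackers swap for look-alikes.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Collapse the tricks that make a fake domain look right at first glance."""
    d = domain.lower().strip().rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    d = d.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return d.replace("-", "").replace(".", "")


def registrable(host: str) -> str:
    """Last two labels of a hostname (sufficient for .com-style TLDs)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def sender_domain(addr_header: str) -> str:
    """Domain part of an address header such as '"Name" <user@host>'."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain: str, trusted: str) -> bool:
    """True when domain differs from trusted but collapses to it after normalization."""
    return domain != trusted and normalize(domain) == normalize(trusted)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email(raw: str, trusted: str = TRUSTED_DOMAIN) -> list:
    """Return human-readable warnings for the phishing indicators described above."""
    msg = message_from_string(raw)
    warnings = []
    from_dom = sender_domain(msg["From"])
    if is_lookalike(from_dom, trusted):
        warnings.append(f"look-alike sender domain: {from_dom} vs {trusted}")
    reply_dom = sender_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if re.search(r"\b(urgent|immediately|within \d+ hours|suspended)\b", msg["Subject"] or "", re.I):
        warnings.append("urgency language in subject")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = registrable(urlparse(href).hostname or "")
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())
        if shown and registrable(shown.group(0)) != target:
            warnings.append(f"link text shows {shown.group(0)} but points to {target}")
    return warnings


if __name__ == "__main__":
    for warning in check_email(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

The normalization deliberately strips hyphens and dots and folds look-alike characters so that `company-name.com` and `c0mpanyname.com` both collapse to the same string as the trusted domain; the link check compares the registrable domain of the real target, not the subdomain prefix an attacker can freely set (`companyname.com.invoice-portal.example` belongs to `invoice-portal.example`). The Amazon link in the sample produces no warning because its visible text names no domain.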
Trending Email Scams
Email scammers are continually learning and becoming more sophisticated. In fact, 68% of phishing emails blocked by Google are new variations never before seen. Here are some newer types of email scams that have become more common.
No attachments or links
It’s harder to identify an email scam if there’s no link with a suspicious-looking URL to inspect. Instead, these emails pose as someone you know and try to get you to take the conversation offline. The idea is to move you onto your mobile device, where text messages and calls aren’t subject to the oversight of the company’s email monitoring systems.
I’ve seen emails that purport to be coming from the CEO of the company. The message says something like, “Hey, I’m stuck at the airport and can’t get on my computer. Can you send me your mobile number so that you can help me with something I need urgently?”
This strategy works well, because it takes advantage of your eagerness to respond to your CEO when he or she needs you — the attackers count on you not to think, but to react reflexively.
Fake PDF attachments
The sender claims to attach an invoice or some other document as a PDF for you to review. It looks like a PDF attachment, but the icon or filename is actually a link to a website. From there, they can harvest your credentials or attack your system or your device.
Forced password changes
The message warns you that your password is about to be force changed. If you want to keep your existing password, click on a link or button. It appears to take you to a legitimate login page, but it’s actually a fake website. The login page looks just like the real thing, and it prompts you to log in with your current password in order to keep the password from changing. Of course, it’s all a ruse, and you’ve just given them your login credentials.
Voicemail/email messages to review
Your voicemail system is alerting you that you have a voicemail message. You’re prompted to go to a webpage to listen to the message, or to submit your credentials.
A variation of this is a notification that emails in your inbox have been quarantined. Please go here to review the emails. In many cases, this is an attempt to get you to authenticate to a fake system.
Best Practices for Handling Email Scams
Generally, if you take a few moments to investigate the email, it’s relatively easy to tell a phishing email from the real thing. That said, here are some best practices to follow:
Don’t click on any links. Instead, manually navigate to the system in question (type the address yourself or use a bookmark you already have) and do your business there. If the email says there’s a notification for you or an issue with your account, you’ll see it on your account page by going there directly.
In all cases, slow down and think about the email. Does the request sound odd at all? Does the message “sound” different from the sender’s usual email writing style?
If an email feels “off” somehow, trust your gut. Confirm with the sender that they did in fact send you the email. Send a NEW message to an email address you trust, or use another method to check. DON’T reply to the sender, as the bad actors may have used a fake email address and made it appear as if it came from someone you trust.
If you accidentally handle a phishing email incorrectly, notify your internal IT or security team immediately. This is critical for maintaining the security of your company and mitigating any fallout as a result.
What About Tomorrow’s Attacks?
Email attackers don’t stick to the same old tactics, so it’s not enough to know how to spot a phishing scam today. Everyone in your company needs to stay informed of the latest scams and tactics, and to know the best ways to identify a suspicious email.
One of the best ways to stay informed of security issues is to follow industry leaders. Count on TCT to provide helpful security information you can use.