We’ve all heard of email scams where an attacker impersonates a trusted source—such as a CFO or a company you work with—to get you to take an action and steal your information. These are called phishing, as the cybercriminal “fishes” for data or for a way to seize the infected computer or the entire network.
Avoid being tangled up in a dangerous phisherman’s net by learning about the most common types of email scams and taking the necessary precautionary actions.
Really Look at the Sender’s Email
Attackers get creative when it comes to imitating trusted brands and authority figures, creating email addresses or adding titles to the associated email to make it look like it’s coming from someone it isn’t.
For example, if your boss’s email is firstname.lastname@example.org, you may receive an email from email@example.com and not notice the difference if the bolded name next to it displays his/her first and last name. Double-check that the domain is legitimate and doesn’t contain a subtle spelling error to confirm authenticity. Look for these same mistakes throughout the email as well.
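The sender check described above can be automated at the mail gateway or in a triage script. The following is an added example (not code from the original post): it pulls the real address out of a From: header, ignoring the bolded display name, and flags domains that resemble a trusted domain through a small spelling change, a swapped top-level domain, a look-alike character pair such as “rn” for “m”, or a trusted name buried inside a longer hostname. The trusted-domain list and the sample headers are constructed for the example.

```python
import email.utils

# Constructed for this example: the organization's own domain and a partner's.
TRUSTED_DOMAINS = ("example.org", "partner-example.com")

# Character pairs that look alike in common fonts; normalized before comparing.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Collapse look-alike character pairs so 'exarnple' compares equal to 'example'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def is_trusted(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True for a trusted domain or a genuine subdomain of one (mail.example.org)."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this sender domain imitates, or None."""
    label, _, tld = domain.rpartition(".")
    for t in trusted:
        tlabel, _, ttld = t.rpartition(".")
        if label == tlabel and tld != ttld:          # example.com vs example.org
            return t
        if levenshtein(normalize(label), normalize(tlabel)) <= 2:   # exarnple, exampel, examp1e
            return t
        if domain.startswith(t + "."):               # example.org.evil.test
            return t
    return None


def assess_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Assess a raw From: header; findings are human-readable reasons for suspicion."""
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    findings = []
    if not domain:
        findings.append("no parseable address")
    elif not is_trusted(domain, trusted):
        target = lookalike_of(domain, trusted)
        if target:
            findings.append(f"domain {domain} resembles trusted domain {target}")
    if "@" in name:
        # The display name is attacker-controlled text; an address inside it is a
        # classic way to make the bolded name look like the real sender.
        findings.append("display name contains an email address")
    return {"domain": domain, "trusted": is_trusted(domain, trusted), "findings": findings}


if __name__ == "__main__":
    # Constructed sample headers.
    for header in ("Jane Doe <jane.doe@example.org>",
                   "Jane Doe <jane.doe@exarnple.org>",
                   "Jane Doe <jane.doe@example.com>",
                   '"ceo@example.org" <mailbox@attacker.test>'):
        print(header, "->", assess_sender(header))
```

A domain that is neither trusted nor a lookalike simply comes back with no findings; the point of the check is to catch impersonation of senders you already know, not to judge every unknown correspondent.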
Be Cautious Opening Attachments
Oftentimes these PDFs or attached images seem like the most reasonable way to figure out what the sender is inquiring about, but that’s how they get you! The email says something vague to entice you to open the attachment for more details. Once opened, the file runs malicious code on your computer.
These documents may be named something vague like “invoice” followed by a string of random numbers. If the email seems suspicious, or you don’t recognize the company or person it’s from, do not open any included files. Ask your IT department to verify whether it is safe, or search for the sender online to see if they are legitimate.
Watch Out for Shortened Links
Links can be disguised by being “shortened” with a link-shortening service such as Bitly. You may see a link that says “bitly.com/randomnumbers,” for example, and not be able to adequately assess it. If it said XYZ.com when it should have said ABC.com, you’d be more likely to err on the side of caution.
A shortened link could redirect you to a dangerous webpage, where once you submit your information or make the requested download, the attacker steals your data or infects you with malware.
Think before you click. Always hover over the link with your mouse to see if you’re being sent to a legitimate site. Especially look to make sure it’s an https:// link, as http:// sites are not secure. We talk about URL security, including a great Chrome extension to block http:// sites, in our Cybersecurity blog.
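Hovering over a link shows you the real destination behind the visible text; the following added example (not from the original post) does the same thing programmatically for an HTML email body. It lists every anchor, flags a plain http:// destination, flags known shortener hosts where the destination is hidden, and catches the case where the visible text names one domain while the link goes to another. One caveat worth keeping in mind: https:// only means the connection is encrypted, so a phishing site served over https still passes that particular check. The shortener list and the sample body are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Bitly is named in the post; the rest are other well-known shortener hosts.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "goo.gl"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' when there is none."""
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """True when the visible link text itself reads as a URL or domain name."""
    return bool(re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text, re.I))


def assess_link(href: str, text: str) -> dict:
    """Findings for one anchor; an empty list means nothing stood out."""
    parsed = urlparse(href)
    host = host_of(href)
    findings = []
    if parsed.scheme == "http":
        findings.append("plain http, not https")
    elif parsed.scheme != "https":
        findings.append(f"unexpected scheme {parsed.scheme or 'none'}")
    if host in SHORTENER_HOSTS:
        findings.append("shortened link; destination hidden")
    if looks_like_url(text):
        # Visible text that names a domain must point at that domain.
        shown = host_of(text if "://" in text else "https://" + text)
        if shown and shown != host:
            findings.append(f"text shows {shown} but link goes to {host}")
    return {"href": href, "text": text, "host": host, "findings": findings}


def assess_html(html: str):
    return [assess_link(href, text) for href, text in extract_links(html)]


# Constructed sample body imitating an "account expiring" message.
SAMPLE_BODY = """
<p>Your account is about to expire. <a href="http://bit.ly/EXAMPLE">Click here to renew</a>.</p>
<p>Or visit <a href="https://abc.example.test/login">XYZ.example.test</a> to update your details.</p>
<p>Questions? <a href="https://support.example.org/help">support.example.org/help</a></p>
"""

if __name__ == "__main__":
    for result in assess_html(SAMPLE_BODY):
        print(result["href"], "->", result["findings"] or "ok")
```

The script deliberately never follows a shortened link: resolving it would contact the attacker's infrastructure from your machine. Flagging the shortener host and handing the message to IT is the safe move.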
Be Suspicious of Urgent Deadlines
If you receive a message from an authority figure, like your boss, asking you to do something quickly, err on the side of caution. Attackers use urgent deadlines and threats to pressure you into making a decision in haste, for fear of repercussions.
Your boss should not ask you to send credit card information or route money to another account via email. If you do receive a call to action such as this in your inbox, pick up the phone and call the person to ask if this is a legitimate request.
Examples of Phishing Emails
Before you can safeguard against phishing email scams, it helps to know what you’re looking out for. They’re not all obvious “wire-transfer payment” pleas.
Be alert for the following spam emails:
- Account suspension/expiration. A scammer could pose as a software provider, sending something that says “Your account is about to expire. Click here to renew it.” They create a fake payment page imitating a trusted site to steal your credit card information.
- Fake order/invoice. You receive an email saying you missed a payment or that you were charged for something you didn’t purchase and attach an invoice for your review. You click on the PDF and you’re infected.
- Fake refunds. These could be sent to your department email, saying something like “You were regrettably overcharged. Here’s your refund.” You click the attached refund statement or link and get infected with malware.
- Fake resume/cover letter. HR departments should be especially mindful of this tricky phishing email. The attacker tries to pose as an applicant, sending a link or attachment to their prior job history that’s injected with dangerous code.
- Prizes. The email shares the exciting news that you won money or a gift. “Please fill out this form and we will mail you your prize!” The attacker gets your personal information and tries to use it to frame you or steal further info.
- Friends requesting help. This is the classic email that appears to come from a friend, saying “I’m traveling out of country and can’t access my checking account here. Can you send me money and I’ll pay you back when I return?”
- Tech support scam. The attacker mimics your tech support and emails you about a threat, saying “We think you have a virus” and asks you to take an action or grant them remote access to your computer to remove it.
- Data request. A scammer can pose as your HR head and say “I need you to fill out this W-2 and send it back to me” or ask you to reconfirm your bank routing number, claiming they were having problems cutting your check.
Guard Against Spam
One of the best things you can do to ensure you aren’t receiving phishing emails is to add proper spam filters to your email platform. Many systems, such as Gmail, will automatically block infected files or suspicious emails from reaching your inbox, but be sure to assess your filters or consult your IT department for proper protection.
These Scams Aren’t Just Through Email!
Phishing emails are real and serious threats, but they aren’t the only way attackers target individuals within the workplace.
Scammers can try to reach you or members of your team through “vishing” (AKA voice phishing) via phone calls, “SMiShing” (text message phishing), through pop-ups, social media messages and more.
In order to defend against these malicious attacks, your company must be prepared. Do you have multi-factor authentication set up? How about strong firewalls and anti-virus software?
We can help with all those things and more. Explore our Cybersecurity page and let us create a customized strategy to keep you safe from phishing scams and beyond.