It’s fascinating that even in 2022, we are still discussing phishing, a scam technique that originated almost three decades ago. What’s worse, phishing is not slowing down. Microsoft reportedly blocked more than a whopping 35.7 billion phishing and malicious emails in 2021 alone. According to IBM, phishing was the top infection vector for 2021 and more than 40% of security incidents involved phishing.
The main reason why phishing is still a popular attack vector is because humans continue to be vulnerable, careless and naive. As a result, phishing aids attackers in bypassing security controls and securing a foot in the door. Traditional email scams were easy to identify — they tended to show generic salutations and obvious grammatical errors; they lacked sophisticated impersonation and often used generic domain names. Modern email scams are harder to spot; they are more targeted and personalized, appearing authentic to the untrained eye.
Here are four tell-tale signs users can watch for to help avoid falling victim to common phishing scams.
1) A message arrives unexpectedly
Be extremely cautious when a message arrives unexpectedly or instructs you to perform an action that is out of the ordinary or feels like it’s unusual for the person to contact you. Such messages should serve as a warning sign that it could be phishing. For example, you receive an email from the IRS to claim a tax refund, but you know you’re not eligible for one or the timing of the message doesn’t sound right; avoid clicking or confirming your banking details.
2) Is this the first time the sender has contacted you?
Be careful when dealing with or responding to first-time requesters (especially those from outside the organization) or people that you do not transact with normally. Even if this appears to be from someone senior who you know and trust but haven’t dealt with before, it’s probably a good idea to verify their authenticity before proceeding. For example, if it’s uncommon for the CEO to email you directly for a favor (i.e., transfer money, share customer details or intellectual property), immediately contact the person to verify the request before acting upon it.
3) Does the message contain a stressor?
Most phishing messages include a sense of urgency so that users react without thinking to verify the authenticity of the request or requestor. If a message is urgent, one must immediately become cautious if it pressures or threatens you to do something quickly under a deadline. For example, a request to reset your password or update your expired credentials should be carefully studied before taking any action.
4) Can the action harm your interest?
If the requested action is harmful to the receiver or organization, then it shouldn’t be performed in the first place. Always seek authorization from a higher office before taking any action that deviates from an agreed or standard process. For example, if sharing customer information with anyone (no matter how important the requestor) might create a conflict of interest, it’s better to avoid it altogether.
Some sophisticated scams are so advanced that these tell-tale phishing signs may not apply. For example, recently, a legitimate Ukrainian military email address was used to phish EU personnel helping Ukrainians during the Russian invasion. The message was extremely well-timed (it was sent immediately after a confidential NATO meeting) and targeted specific people who possessed a unique range of expertise and responsibilities. While such scams can be difficult to detect, in the majority of cases, if potential victims watch out for these four warning signs, they can avoid being victimized.
How can you protect your business against phishing scams?
To effectively and proactively address phishing, organizations must use a multi-layered defense strategy — a combination of security policies, technical defenses and security awareness training. Security awareness education is probably the most crucial here because for scams to work, victims must participate. If users learn to recognize, avoid and report suspicious activity, it is significantly harder for a scammer to succeed.
Stu Sjouwerman is founder and CEO of KnowBe4, developer of security awareness training and simulated phishing platforms, with 41,000 customers and more than 25 million users. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including “Cyberheist: The Biggest Financial Threat Facing American Businesses.” Contact him at [email protected].