Cybercrime comes in many disguises, goes by many names.
But the endgame is basically the same — to steal your money, either now or later.
Ransomware is now. You’ve heard about it a lot since 2017. Your computer files are literally held for ransom. A cybercriminal uses malware to encrypt all your data, demanding you pay by a deadline to decrypt it. (Don’t pay! Only a quarter of payers get their data back.)
Phishing — as in “fishing for information” — is often for later. Phishing scams are designed either to download malware (like ransomware) or acquire personal information they can use later to hack your financial or other accounts.
But there’s one thing that most cybercrimes have in common:
Nearly all of them are delivered right to your inbox.
This article (the second of three parts) will help you identify those ticking time bombs before you click anything and cause costly damage to your organization — or your personal finances.
Read Parts 1 and 3:
Part 1 – It’s Tax Time: How to Protect Yourself from Email Tax Scams
Part 3 – How to Respond to Ransomware and Malware Cyberattacks
The Problem with Email
It’s been estimated that one in every 130 or so emails contains some type of malware. So if your inbox backlog is like many people’s, you may have a couple of unopened ones there right now.
Studies show that 92 percent of all malware is delivered by email. About 30 percent of phishing emails get opened, and about 12 percent of those who open them go on to click the malicious link or attachment.
Phishing attacks often don’t stop at the computer that opened the email (yours). From a single compromised email account, malware can spread onto corporate networks, causing destruction far and wide.
For that reason, it’s important that everyone in an organization be able to recognize malicious emails before they’re able to cause any damage.
How to Identify Phishing Emails, Part 1: Ask Questions
Any email with “FREE!!!” in the subject line should wave a bright red flag before your eyes. But many fraudulent emails are more subtle and harder to spot.
When you’re scanning your inbox and a sender or subject line makes you wonder, start by asking yourself some questions:
- Is this email out of character for the sender?
- Does the sender’s email address seem odd?
- Is there an attachment with an odd or vague name?
- Does the email prompt me to enter a username and/or password?
If you answer yes to any of these, be wary.
If you think the email may be legit after all, make sure by contacting the sender directly. Call and talk so you know it’s really the person. If you email, absolutely do not reply to the suspicious email — you’ll just spread the disease. Instead, send a fresh, new email.
How to Identify Phishing Emails, Part 2: Examine the Contents
Most phishing emails are pretty good forgeries. At first glance you might not notice anything wrong and think it really does come from Amazon, UPS, or whoever.
But for all their cybercriminal effort to mimic real businesses, there are always telltale signs — usually several of them — that should tip you off the email is a fake.
Some tip-offs are technical in nature:
- Fake, odd-seeming sender domain, often from outside the country
- Hovering over the link in the email reveals a suspicious URL (often a numerical IP address followed by /nonsense)
In the content itself, some relate to what’s being said:
- An urgent request
- A request to update your official record
- A request to confirm your account
- Notification that you missed a delivery (UPS, FedEx, USPS)
- An alert that your account has been locked or suspended
- Notice of an unexpected refund or payment
- Notice of a purchase you don’t recognize on iTunes or Google Play
Finally, sometimes the tip-off is how it’s said:
- Generic greeting (e.g. “Dear Client”)
- Suspicious subject line (e.g. vague, alarming, vaguely alarming)
- Urgent, imperious, threatening tone
- Spelling mistakes, bad grammar, or odd use of words
That last one is common, in the body, the subject line, or both, e.g. “Your account has been limited.” Suspended? Okay. Deactivated? Sure. But limited? Who says that?
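The technical tip-offs (odd sender domain, link to a raw IP address) and the wording tip-offs (generic greeting, urgent tone) above can be turned into a simple inbox triage check. The script below is an added example written for this article, not code from PC Professional or any of the cited sources; the sample message is constructed, the sender domain and IP address are placeholders, and the brand-versus-domain comparison is a deliberately simple heuristic.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for demonstration; the domain and IP address are placeholders.
SAMPLE = """From: "Amazon Customer Service" <support@amaz0n-billing.example>
To: you@example.org
Subject: URGENT: your account has been limited
Content-Type: text/html

<html><body><p>Dear Client,</p>
<p>Please <a href="http://203.0.113.5/login/verify.php">confirm your account</a>
within 24 hours or it will be suspended.</p>
<p><a href="https://www.amazon.com/">www.amazon.com</a></p>
</body></html>
"""

IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URGENT_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "locked", "limited")


def check_email(raw):
    """Return the list of tip-offs found in a raw RFC 822 message (empty list = nothing flagged)."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload(decode=True).decode("utf-8", "replace")

    # Odd sender domain: the brand named in the display name does not appear in the sending
    # domain. (Simplified heuristic; real filters compare against known brand domains.)
    domain = addr.rsplit("@", 1)[-1].lower()
    brand = name.split()[0].lower() if name else ""
    if brand and brand not in domain:
        flags.append(f"display name '{name}' but sender domain '{domain}'")

    # Suspicious link target: a bare numeric IP address as the host (what hovering reveals).
    for href in re.findall(r'href="([^"]+)"', body):
        host = urlparse(href).hostname or ""
        if IP_HOST.match(host):
            flags.append(f"link to raw IP address: {href}")

    # Generic greeting and urgent/threatening wording, checked on the tag-stripped text.
    text = re.sub(r"<[^>]+>", " ", body).lower()
    subject = (msg.get("Subject") or "").lower()
    if re.search(r"\bdear (client|customer|user)\b", text):
        flags.append("generic greeting")
    hits = [w for w in URGENT_WORDS if w in subject or w in text]
    if hits:
        flags.append("urgent/threatening wording: " + ", ".join(hits))
    return flags
```

Run `check_email(SAMPLE)` to see all four categories of tip-off flagged on the constructed message; a message with none of them returns an empty list.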
Fishing for Phishing Education
According to CSO Online, average annual business spending on cybersecurity jumped from $11 million in 2017 to $15 million last year — 27 percent! But that’s just for software and services; physical security adds another $13 million per year.
And yet, for all that money, spending on cybersecurity training still lags behind.
So keep the lists above handy for reference — and while you’re reading the articles below. The first two — from EDTS and CSO Online — show you in detail how to recognize the tell-tale signs listed above.
CSO Online: “15 real-world phishing examples — and how to recognize them” (slideshow)
Phishing.org: “10 Ways To Avoid Phishing Scams”
Malwarebytes: “All About Phishing”
Read the complete series from PC Professional:
Part 2 – How to Spot (and Block) Email Phishing Scams (this post)