In an age where data protection is on everyone’s minds, it’s critical to understand the dangers that phishing poses for companies and learn how to detect these threats before a data breach occurs.
What is phishing?
Phishing is a type of social engineering attack that cybercriminals use to steal data, and it’s currently the most common cybercrime in the US. Disguised as a trusted entity, fraudsters send emails that trick people into clicking on an infected link or attachment.
Spear phishing is a more sophisticated form of phishing. It’s more successful than standard attacks because it targets a specific individual. By gathering information from social media or company websites, the perpetrators impersonate a known, trusted contact of the victim (e.g., a manager or colleague) to throw them off the scent.
What happens if you click on a phishing link?
Cybercriminals use phishing links in two ways. Some links lead to fake — but convincing — websites that ask you to enter your login credentials, bank card details, etc. The perpetrator then steals this information for illegal purposes and compromises your account.
Phishing links can also deliver malware (or ransomware). If a victim clicks on an infected link, cybercriminals could gain access to all the data stored on their device. Due to the importance of data security nowadays, a data breach like this could damage an organization’s reputation and result in serious losses.
How to spot a phishing link
Phishing emails have evolved since they first came about in the 1990s, and even the most tech-savvy among us are at risk of falling victim to the scam. However, there are a few tell-tale signs you can look out for to spot suspicious links and keep your data secure online:
- Does the sender’s email address look legitimate? First, check the sender’s address (not just their display name) and domain name. A common tactic of cybercriminals is to slightly alter the domain of a reputable company to convince you that it’s legitimate. They may also use a combination of a company name and public domain to lure you into their schemes, e.g., firstname.lastname@example.org. Make sure to look twice for any errors or inconsistencies.
- What appears when you hover over the link? There are two parts to a link: The words describing the link (the part you see) and the URL. If you’re on a computer, hover over the link and find out its real destination. If it doesn’t match the link displayed, assume it’s unsafe and don’t click it. This is an easy, effective way of spotting phishing threats.
- Are you being asked for personal information? If you receive an unsolicited email from a company asking for personal information, such as bank details, passwords, or tax information, it’s probably a scam. Reputable companies will have secure data collection methods and will rarely ask for sensitive data via an email link.
- Is the message too good to be true? Does it create a sense of urgency? Phishing emails usually follow the same trope of being overly positive or urgent to drive an emotional reaction in victims. By urging people to act before it’s too late (for example, a limited-time offer), cybercriminals provoke irrational, immediate decisions. If you receive an urgent offer or request, take some time to figure out whether it makes sense and looks genuine.
- Is the email well written and free of typos? Reputable entities will take care to send well-crafted emails free of spelling and grammatical errors. A genuine typo could slip in occasionally, but typos are usually rampant in phishing scams. If the email is a generic template filled with mistakes, this is a sure sign of something more sinister.
- Is the email personally addressed to you? Even large companies will address you by your name in the greeting. If you receive an email template with a generic “Dear Sir/Madam” opening, tread carefully. Go through the list above to check if the email fits any other criteria, and avoid any links unless you’re 100% sure it’s a legitimate message.
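The first two checks above (sender address versus display name, and visible link text versus the real destination) can be automated for a mailbox or a security team's triage queue. The following is an added example written for this article, not code from the original page or from any vendor; the sample message, the `examplebank.example` brand and the `TRUSTED_DOMAINS` allow-list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from email.utils import parseaddr

# Constructed sample (not from the article): the display name claims a bank, the address
# sits on an unrelated public domain, and one link's visible text differs from its target.
SAMPLE_FROM = '"Example Bank Support" <examplebank.support@example.org>'
SAMPLE_HTML = """<p>Please confirm your details at
<a href="http://login.examp1ebank.example/verify">https://www.examplebank.example/verify</a></p>
<p>Or read our <a href="https://www.examplebank.example/help">help page</a>.</p>"""
TRUSTED_DOMAINS = {"examplebank.example"}  # assumed allow-list of the organisation's real domains

def base_domain(url):
    """Lower-cased registrable part (last two labels) of a URL's host, '' if none."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (shown text, real href) for links whose visible URL points to a different domain."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        looks_like_url = "." in text and " " not in text   # only compare when the text itself is a URL/host
        if looks_like_url and base_domain(text) != base_domain(href):
            flagged.append((text, href))
    return flagged

def suspicious_sender(from_header, trusted):
    """True when the display name uses a trusted brand but the address domain is not trusted."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    brand_in_name = any(t.split(".")[0] in name.lower().replace(" ", "") for t in trusted)
    return brand_in_name and domain not in trusted
```

Run on the constructed sample, the sender check flags the public-domain address and the link check reports the one link whose visible `examplebank.example` text resolves to a look-alike `examp1ebank.example` host, while the plain "help page" link is left alone.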
Still not sure?
If you’re still not sure whether a link is genuine or a threat, it’s best to proceed with caution. Why not call the company that supposedly sent the email to confirm whether or not it’s legitimate? It’s also wise to alert your security team if you think you’re the target of a phishing scam. Better safe than sorry where data protection is concerned.
Explore our phishing hub to discover information and advice on how you can protect yourself — and your data — against phishing attacks. Want to know how your peers and IT leaders across the globe are responding to phishing attacks, and protecting their business? Read our new “Fighting Phishing” report, which is full of key insights and data around phishing impact and protection.