Tech Report* projects daily email exchanges will rise to over 392 billion by 2026. And that’s just email.
With a massive wave of business messages coming in through multiple platforms every day, it is more critical than ever for even resource-strapped IT teams to keep tabs on one of threat actors’ favorite methods of attack: phishing scams.
Phishing’s success is heavily dependent upon social engineering — in other words, exploiting human error. This human element makes phishing attempts particularly challenging to catch and contain. In fact, CISA reports that most security breaches can be prevented if employees are effectively trained to spot and avoid phishing emails.
We know that IT teams like yours already prioritize phishing prevention. The real challenge here lies in quickly disseminating and sharing information with non-IT team members to ensure continuous training and company-wide knowledge of common phishing signs.
That’s why we created the following ready-made guide for IT pros to share with employees ASAP to help supercharge security strategies, mitigate human error, and add a strong line of defense against phishing attacks. Our quick-hit resource can be edited and adjusted to fit your organization’s unique needs and policies or used as-is to mitigate the success of phishing scams.
Our Guide to Phishing Prevention
Welcome to our 101 on phishing prevention. This guide covers the top five indicators of phishing and three easy steps any employee can take to avoid falling victim. Feel free to reference this guide as a base of knowledge on phishing attacks. If you have any further detailed questions — or if you’re ever unsure about a suspicious message — never hesitate to reach out to your IT team.
Top Five Indicators of Phishing
IBM** defines phishing scams as any attempt to trick users into sharing sensitive data, inadvertently downloading malware, or otherwise exposing themselves or their organizations to cybercrime. Breach attempts can target users via emails or other message platforms and often appear to be from well-known or valid sources.
Regarding phishing, here are a few common signs of malicious intent:
1. Grammar and Spelling Errors
Basic mechanical or grammatical errors are typically a dead giveaway that an email is a phishing attempt. In fact, cybercriminals often intentionally include typos in their messages to target users with the highest likelihood of falling victim to a phishing attack. Additionally, intentionally misspelled words help threat actors evade spam filters, which may flag certain “red flag” phishing words only when they are spelled correctly.
We know you’re likely to notice these spelling and grammar errors but pass them off as innocent mistakes. Instead, we recommend you treat them as suspicious. Critically review every email you receive as best you can, and never hesitate to flag potential phishing to IT.
2. Incorrect or Unofficial Email Addresses
Phishers typically pose as reputable colleagues or higher-ups (such as managers, IT personnel, or even CEOs) to grab a user’s attention and get their guard down. They may also pose as external businesses, partners, or vendors, such as banks, accounting platforms, or HR services.
However, since these threat actors typically do not have access to legitimate company accounts, they often create email addresses that resemble official company email addresses or seem like personal accounts belonging to the person they’re masquerading as.
These email addresses may closely mirror official addresses but have incorrect construction, spelling, or grammar. For example, a threat actor might use a capital I (as in “eye”) for a lowercase l (as in “ell”) or a lowercase c for a lowercase o in a fake email address. These can be tricky to spot with the naked eye, so again, be as critical as you can and never hesitate to sound the alarm for IT. We’d much prefer sifting through false positives rather than remediating successful phishing.
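Lookalike characters are hard for a human to spot, but a mail gateway or a triage script can fold them away before comparing a sender’s domain with the domains you trust. The Python below is an added example written for this guide (it is not Blumira’s code or product logic): `TRUSTED_DOMAINS`, the sample `From:` values, and the small `CONFUSABLES` table are constructed assumptions, and the table covers only the common substitutions (capital I / lowercase l / digit 1, o / 0, rn / m) rather than the full Unicode confusables list. It flags three patterns: a trusted domain rewritten with lookalike characters, a domain within two edits of a trusted one, and a trusted domain buried as a subdomain of something else.

```python
"""Flag sender domains that merely resemble a trusted domain.

Added example for this guide, not Blumira's code. TRUSTED_DOMAINS and the
sample addresses under __main__ are constructed for illustration.
"""
import re
import unicodedata
from email.utils import parseaddr
from typing import Tuple

# Assumption: the organization's own domains (constructed values).
TRUSTED_DOMAINS = {"example.com", "examplepayroll.com"}

# Lookalike characters folded to one canonical form. Digraphs come first so
# "rn" collapses to "m" before single characters are touched. Capital I
# (lowercased to i), lowercase l, the digit 1 and the pipe all end up as "l";
# 0 becomes o, and so on. This is a deliberately small illustrative table.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "1": "l", "i": "l", "|": "l", "!": "l",
    "0": "o", "5": "s", "3": "e", "4": "a", "8": "b", "9": "g", "2": "z", "7": "t",
}


def skeleton(domain: str) -> str:
    """Lowercase, strip accents, and fold confusable characters."""
    text = unicodedata.normalize("NFKC", domain).lower()
    text = "".join(c for c in unicodedata.normalize("NFKD", text)
                   if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        text = text.replace(src, dst)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def assess_sender(header_value: str) -> Tuple[str, str]:
    """Classify a From: header value as trusted, suspicious, unknown or reject."""
    _display_name, address = parseaddr(header_value)
    match = re.fullmatch(r"[^@\s]+@([^@\s]+)", address)
    if not match:
        return "reject", "not a well-formed address"
    domain = match.group(1).lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted", "exact match on a trusted domain"
    for trusted in sorted(TRUSTED_DOMAINS):
        # example.com.attacker.test: the trusted name is only a subdomain label
        if domain.startswith(trusted + "."):
            return "suspicious", f"{trusted!r} used as a subdomain of {domain!r}"
        if skeleton(domain) == skeleton(trusted):
            return "suspicious", f"lookalike characters imitate {trusted!r}"
        if edit_distance(domain, trusted) <= 2:
            return "suspicious", f"within two edits of {trusted!r}"
    return "unknown", "external domain with no resemblance to a trusted domain"


if __name__ == "__main__":
    # Constructed sample From: values.
    for sample in ["CEO <ceo@example.com>", "CEO <ceo@examp1e.com>",
                   "IT Help <it-help@exarnple.com>",
                   "HR <hr@example.com.login-portal.test>",
                   "news@unrelated-vendor.test", "nobody"]:
        print(f"{sample:45} -> {assess_sender(sample)}")
```

The edit-distance threshold is the knob to tune: with a very short trusted domain, a cutoff of two will flag many unrelated external senders, so in practice a “suspicious” verdict should route the message to IT for review rather than block it outright. Note that this only inspects the address; display-name impersonation (a correct-looking name in front of an unrelated address) still needs the other checks in this guide.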
3. An Unfamiliar or Strange Tone
The tone of a phishing email can be another sign of nefarious intentions. Cybercriminals can rarely mimic the unique idiosyncrasies, tones, or writing styles of the trusted authorities and sources they aim to impersonate.
Here’s where the social element of phishing may come as a benefit. Employees will likely be familiar with the usual tone their coworkers or managers use when communicating. Any clear divergences should be considered a flag for suspicious behavior.
4. Unusual or Uncommon Requests
It’s unlikely an actual CEO would ever request password information from employees, and yet, this is the strategy of many phishing attacks. Phishing scams will cut straight to the chase and ask for information that either directly correlates with or can lead threat actors to sensitive information — or even immediate authorization of large payments.
Just as frequently, these emails will ask employees to click unfamiliar or suspicious links without context. Employees should use their best judgment to determine whether the request posed in the email is unusual and always err on the side of caution. When in doubt, give IT a shout!
5. A Heightened Sense of Threat or Urgency
Most phishing attempts will emphasize the need for swift action. These emails aim to create a sense of panic and pressure to respond impulsively, further diminishing the chances of an employee identifying a phishing attempt.
In fact, threat actors will often fabricate emergencies (such as fraud or an impending security breach) to prompt users to give away critical information or click suspicious links. This manipulates employees into thinking they’re being helpful by responding urgently when, in actuality, they’re playing into a carefully crafted trap.
At the risk of being repetitive, whenever you’re in doubt about the legitimacy of a message, whether based on the factors above or a gut sense that something’s off, contact your IT or security team. It is always better to exercise more caution rather than less.
Spotting Phishing Emails in the Wild
When it comes to phishing emails, the earlier you can identify them, the better. CISA revealed that the most common phishing attack subject lines were related to:
- Financial security alerts
- User-specific alerts, including training updates
- Organization-wide announcements
It can be helpful to see examples of what real phishing emails might look like to prepare yourself to spot them ASAP. Here’s an example of how a phishing email could appear in your inbox:
Subject line: Urgent — need your help
Hi, need you for a special project. You can find more information at the link here.
Employees understandably feel a lot of pressure when they believe they’re receiving a message from the CEO or another person in a position of power, and phishers know that. Cybercriminals leverage the social aspect of receiving emails from important and familiar figures to manipulate users into giving away critical information.
Phishers might even masquerade as IT teams in order to disarm employees and make them more likely to give away sensitive information, such as passwords or other credentials. Here’s another example of how a phishing email might appear:
Subject line: Your account has been compromised
There’s been a breach that requires your immediate attention. We need your password ASAP to fix.
Your IT team
For more examples of what a phishing attempt might look like, check out our anatomy of a phishing attack blog.
Avoid Falling For Phishing Scams in Three Steps
As an employee, you can avoid falling for phishing scams by following these critical steps:
1. Don’t Click Suspicious Links
Hover over links before clicking on them. Usually, email clients display the URL of a link when hovered over — so employees can quickly verify whether a hyperlink leads to its claimed destination. If you have a feeling a link may be malicious, forward it to the IT team with the subject line: POTENTIAL PHISH.
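Hovering shows the real destination one link at a time; the same comparison can be automated for every link in a message body before it reaches an inbox. The Python below is an added example written for this guide (not Blumira’s code): it parses the HTML of an email, pairs each link’s visible text with its `href`, and flags links whose text reads like a URL for one host while the `href` points at another, links whose destination is a bare IP address, and links using a non-web scheme. The message body `SAMPLE_EMAIL_HTML` is constructed, modeled on the “special project” lure above, and uses only documentation and `.test` hostnames.

```python
"""Compare the text a link shows with where its href actually goes.

Added example for this guide, not Blumira's code. The HTML below is a
constructed message body; the hosts in it are documentation/test names.
"""
import ipaddress
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Visible text that itself reads like a URL or bare domain (e.g. "example.com/x").
DOMAIN_TEXT = re.compile(
    r"^(?:https?://)?(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[/?#:].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[tuple] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so wrapped link text compares cleanly
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url: str) -> Optional[str]:
    """Hostname of a URL; bare domains get a scheme so urlparse sees a netloc."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    return host.lower() if host else None


def strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html: str) -> List[Dict[str, str]]:
    """Return one verdict per link: 'ok' or the reason it deserves a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        scheme = urlparse(href.strip()).scheme.lower()
        actual = host_of(href)
        shown = host_of(text) if DOMAIN_TEXT.match(text) else None
        if scheme == "mailto":
            verdict = "ok"
        elif scheme and scheme not in ("http", "https"):
            verdict = f"non-web scheme {scheme!r}"
        elif actual is None:
            verdict = "no destination host"
        elif is_ip(actual):
            verdict = "destination is a bare IP address"
        elif shown and strip_www(shown) != strip_www(actual):
            verdict = f"text shows {shown!r} but link goes to {actual!r}"
        else:
            verdict = "ok"
        findings.append({"text": text, "href": href, "verdict": verdict})
    return findings


# Constructed message body modeled on the "special project" lure above.
SAMPLE_EMAIL_HTML = """
<p>Hi, need you for a special project. Details at
<a href="https://portal.example.com/projects">https://portal.example.com/projects</a>.</p>
<p>Reset your password at
<a href="http://example.com.login-reset.test/x">https://example.com/reset</a>.</p>
<p>Or <a href="http://203.0.113.5/login">click here</a>.</p>
<p>Questions? <a href="mailto:it-help@example.com">Email IT</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL_HTML):
        print(f"{finding['verdict']:55} {finding['text']!r} -> {finding['href']!r}")
```

The second link is the one hovering would catch: the text claims `example.com`, but the destination host is `example.com.login-reset.test`, where the trusted name is only a leading subdomain label. A link whose text is plain words (“click here”) cannot be checked this way, which is exactly why the guide tells you to hover and read the real URL.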
2. Refer to Phishing Training or Fire Drills
Your IT team has more than likely shared some information about phishing before — or even conducted a phishing fire drill to help you practice identifying suspicious emails. Reference what you’ve learned from those moments and measure it against any emails that you’re unsure about for similarities.
3. Contact the Alleged Sender via Another Communication Channel
If an email seems suspicious, you can always validate its legitimacy by contacting the alleged sender through another mode of communication. The best bet here is for users to reach alleged senders via their legitimate, company-provided contact information to verify their request and potentially alert them of a phishing attempt under their name.
Here’s a template of a message employees could send to the alleged sender (please also CC IT):
Subject line: Received this message “from” you. Is it legitimate?
Hi [name of alleged sender],
I recently received this message from you via [Slack / text message / email] asking for [some of my personal information, a wire transfer, to click a link]. Would you be able to verify if this is a real request? Thank you.
In these cases, we recommend including some type of screenshot or snapshot of the message in question rather than forwarding the message along. This way, the alleged sender can easily verify or deny its validity without increasing the risk of an accidental click on a malicious link.
Once again, if you’re still in doubt after following these three steps, contact your IT or security team. They will be equipped with the necessary knowledge to determine if an email is legitimate or a malicious phishing attempt.
IT Teams: How to Help Employees Avoid the Bait
The success of phishing attacks hinges on human error. While having the right cybersecurity tools in place (like strong email filters) can be very helpful in mitigating phishing attempts, IT teams still need to ensure that all employees have a robust enough understanding of cybersecurity to identify suspicious emails on their own.
When employees can recall the most common signs of phishing and how to avoid falling victim, they reduce their chances of taking the bait and free IT teams to tackle more complex and strategic security work instead of putting out phishing fires. We hope this guide will prove useful to you in further educating your employees about phishing.
Need help protecting your org against phishing attacks? Contact us today to get a demo of Blumira’s security platform, purpose-built for resource-strapped teams.