Ahoy! 5 Ways to Spot Email Phishing

February 12, 2020

By Rahul Mahna and Gregory Puc’

Email has been the predominant form of electronic communication since the internet exploded in use in the 1990s. As the medium improved, email also became the go-to platform for both personal and corporate communications.

One downside of this has been the growth of bad actors, those who use the medium for nefarious purposes. For example, these bad actors often look for ways to extract a user’s critical personal information (e.g., username, password, Social Security number). If they can obtain these, there’s a higher likelihood they can drain a person’s financial account or sell the information on the Dark Web. And believe me, the last place you want your personal information is on the Dark Web! Creating and sending deceptive, fraudulent emails for personal gain is generally referred to as a phishing attack.

How to Catch a Phish?

The best way to combat phishing is to first identify what it is. It’s important to have some idea of what a phishing attack might look like, measure the threats, and take appropriate action. Here are five tips to identify email phishing.

1. Confirm Personal Details

A fraudulent email will often simply ask you to confirm your personal information. Most of the time they aren’t personalized; they will say “Dear Customer” instead of using your first name. They will also appear to be from a company or institution that you are familiar with and include some sort of call to action, such as: “Please confirm the information below.” If you have any doubt, call the organization directly and ask if they sent the email.

2. Notice Poor Grammar

Many, but not all, phishing attacks originate from countries where English is a second language. Take precautions if you read an email asking for information and it has some grammatical errors, misspellings or odd phrasings. Trust your gut reaction.

3. Be Wary of Attachments

If you receive an email from an organization that you might not know and it has an attachment, be very careful. A phishing attachment most likely carries hidden malware; opening the attachment executes that code, which could critically compromise your electronic security.

4. Think Before You Link

For any email that asks you to click a link, a good practice is to first hover over the link before clicking and see whether it actually goes to the organization’s main website or sends you to a questionable URL. If there is any inconsistency between the text shown and the real destination, it is best not to click. Opening an improper website can have immediate, significant impacts, such as ransomware demands.
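The hover check described above can also be automated over an email’s HTML body. This is an added example, not code from the article: it extracts every link, then flags any whose real host is not under the domain the email claims to come from, whose visible text shows a different domain than the href, or which hides a look-alike name before an “@” in the URL. The domain names and the sample email body are constructed for illustration.

```python
# Added example (not from the article): flag links whose real destination does not
# match the organisation the email claims to be from or the text the reader sees.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Last two labels only; a real checker would use the public suffix list (assumption).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(html_body, expected_domain):
    """Return (href, visible text, reasons) for each link that fails the hover check."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        u = urlparse(href)
        if u.scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar are out of scope here
        host, reasons = u.hostname or "", []
        if u.username:  # "https://bank.example@evil.example" actually lands on evil.example
            reasons.append("userinfo before host")
        if registrable_domain(host) != expected_domain.lower():
            reasons.append(f"host {host!r} is not under {expected_domain}")
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"visible text shows {shown.group(1)!r}")
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed sample body: one honest link, one look-alike subdomain, one userinfo trick.
SAMPLE = ('<a href="https://bank.example/login">https://bank.example/login</a> '
          '<a href="https://bank.example.verify-now.example/confirm">Confirm your details</a> '
          '<a href="https://bank.example@evil.example/">www.bank.example</a>')
```

Calling `suspicious_links(SAMPLE, "bank.example")` returns the second and third links with their reasons; the first, whose text and destination agree, is not reported.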

5. Determine the Urgency

Many phishing emails are labeled “time sensitive” and ask you to act immediately or there might be negative impacts on your financial or electronic well-being. This is designed to create anxiety and override a user’s natural inclination to be skeptical. Most reputable organizations will not use email for this purpose, and, again, it’s best to contact the organization directly to confirm the situation.

Email is, by far, the main way bad actors breach an organization’s electronic security. Cybersecurity in an organization is only as strong as its weakest link. This weakest link could come down to an employee simply being inattentive when receiving a phishing email.

The most important thing a business can do is to have strong awareness and education programs to help employees become part of the security team. When any email appears suspect, forward it immediately to the IT department or an experienced organization that can measure, manage and monitor the risk. When it comes to this type of phishing, prevention is key.

About Rahul Mahna

Rahul Mahna is the Managing Director of Managed Security Services within EisnerAmper’s Process, Risk and Technology Solutions (PRTS), with extensive experience delivering information technology and cybersecurity solutions to clients.