Phishing Email: A Comprehensive Guide to Protecting Your Data
Your IT staff can lock down your network like Fort Knox, but it only takes one accidental click in a phishing email to give a hacker the keys to walk right through the front door.
What is a phishing email?
Have you ever received an email that prompts you to do something like change a password or provide credentials, phone numbers, or email addresses? These are clues that the email may be a phishing email.
A phishing email is a scam email. It is “the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, credit card numbers, or other sensitive details by impersonating oneself as a trustworthy entity in a digital communication” (Wikipedia).
Typically, phishing emails appear to be from a trusted source like Microsoft or your IT department. They might claim an account has been compromised or that it needs to be verified. If you click on a link in the email, it takes you online to the attacker’s spoofed site, which then prompts you to enter your credentials. If you fall for this, you put your own credentials right into the hands of cybercriminals.
Phishing emails pose a growing threat to enterprises as well as small businesses worldwide. The increasingly sophisticated strategies of threat actors make it difficult to recognize them. These types of attacks are some of the most virulent security threats out there. Clicking on one little link in an email or downloading an attachment may not seem like a big deal, but it could potentially cause considerable damage to your data, your business, and its reputation.
Differentiating a phishing email from an authentic email
It is especially important to be able to identify these fraudulent emails. Threat actors strategically design them so that it is difficult to tell them apart from authentic emails. If you are not sure something is real, get a second opinion from your manager or IT service engineer. It is better to be safe than sorry.
Below is an example of a phishing email that can be very believable.
Can you identify if this email is real or fake? It looks like a real Microsoft notification. However, you will notice the sender address is:
“department-service_msn@outlook.com.”
This email is not from Microsoft and should be deleted and ignored. Here is another example:
The above image is a screenshot of a real phishing email that was received a few months ago. Although this email was easy for the recipient to identify as a scam, it is a good example of what you can look for. The red comments point to each of the clues that identify it as a scam.
Is it real or fake? Check out these clues
- The sender appears to be within your organization, but you have never heard of him/her
- You or your team do not use the services they are claiming you do
- You trust the source, but the message is unexpected
- The sender’s message does not make sense or uses poor grammar
- The name of the sender is someone you know within your organization, but the email address is strange
- The email looks official, but it is coming from outlook.com or gmail.com
- The sender is asking for sensitive information
- The email claims to be from someone within your organization, but the style and manner do not match routine communication protocols
A Phish Story
Recently, a business was hit hard by a phishing email opened by a single user. The scammer that sent the message logged into an employee’s email and sent an email to not only his coworkers but also his clients. The hacker said he was in a bind and needed someone’s help who had an Amazon account. He configured the email account to forward all emails to a spoofed email that was similar to the victim’s account using the same name and contact information.
Unaware of the situation, many of the recipients responded that they did have Amazon accounts. The scammer sent out another email to these individuals asking them to buy a $500 gift card for him and he would pay them back. Fortunately, someone figured out what was going on and the employee’s email account was recovered before anyone sent a gift card. But still, there was damage done.
Part of this business’s services included collecting and safely storing their clients’ financial data. When the clients realized that this company had been hacked, they feared their financial data and email addresses were not safe with them.
This was a hard lesson for the business owners to learn. Anyone can get hacked. But you and your team can reduce the chances by becoming more educated about phishing emails.
You have a part to play in fighting against email phishing
Your IT company secures your company using firewalls, data backups, antivirus, and a host of other tools. But these cannot protect your business against breaches caused by end-user vulnerabilities.
You and your team have a part to play in proactively protecting your organization and its data. As a team member, you are given privileges that, in the wrong hands, could cause a lot of potentially irreparable damage to your business and day-to-day workflow.
Crucial action steps to protect your company
- Create and follow guidelines for communication within your company
- Identify what should be communicated through email, phone, in person, or in text messages
- Never give anyone else your password outside of the strictest circumstances
- Emails from Integrinet IT will always be from integrinetit.com or integrinet.net
- Emails from your team members and other departments within your company should only come from known email addresses at your domain name (i.e., yourdomainname.com, yourdomainname.org, etc.)
- Watch closely for the clues mentioned in this article that alert you to phishing emails
- Report suspicious email to your management and team
- Participate in end-user security training
- If you are unsure if what you are facing is a threat, avoid responding, clicking on suspicious links, or opening attachments and contact your management or service engineer.
If you feel your organization is not doing enough or needs help in securing your network from potential threats like phishing emails, contact your service engineer and start a conversation about it. We are always here to help and want to work with you to ensure your digital work environment is safe.
