Phishing attacks on businesses doubled during the pandemic and continue to be conducted at elevated levels. While attacks are becoming increasingly sophisticated, there are tell-tale signs of phishing, and you should be teaching your workforce how to spot a phishing email.
Why Train Employees How to Spot a Phishing Email if I Have an Anti-phishing Solution?
Anti-phishing solutions such as spam filters and secure email gateways are a vital part of security defenses. These solutions will block the majority of phishing attempts via email, but no single cybersecurity solution is 100% effective against all phishing threats; some phishing emails will arrive in inboxes, where they can be opened by employees.
For this reason, multiple anti-phishing solutions should be implemented as part of a defense-in-depth strategy. A spam filter should be augmented with a web filter for blocking phishing attacks via the Internet, and multi-factor authentication should be implemented to prevent stolen credentials from being used to access accounts. These solutions can greatly improve your security posture but will still not block all forms of phishing. Phishing attacks can also occur by telephone or SMS message, for instance. Security awareness training will help to plug these security gaps and create a human firewall that works alongside your technological safeguards.
Is Anti-Phishing Training Effective?
As with any anti-phishing measure, anti-phishing training for the workforce will not be effective in isolation, but studies have shown that through training and internal phishing simulations, susceptibility to phishing attacks can be reduced considerably.
Phishing simulations are fake but realistic internal phishing emails that are sent to give employees practice at identifying phishing emails and to reinforce training. If an employee fails a simulation, they are told where they went wrong and are provided with refresher training. Phishing simulations also demonstrate how effective the training has been and allow businesses to determine the return on investment they are getting from workforce training.
How to Spot a Phishing Email – 10 Signs of Phishing That You Should Be Looking For
Employees should be trained on how to spot a phishing email and what to do if such a threat is encountered. Listed below are ten signs that you should be looking for in any email you receive that will help you to identify phishing threats quickly.
- Do you know the sender? Does the email address exactly match previous emails from that individual? Does the domain name match the company that the email claims to be from? These are standard checks that should be performed on every email, and they should become second nature over time.
- Is there an unusual or generic greeting? Is the email addressed to you personally, or is a generic greeting such as “dear customer” or “dear username” used? Most corporate emails will be personally addressed to the recipient by name.
- Are there grammatical and spelling mistakes in the email? Emails from businesses are usually carefully checked before sending. Spelling and grammatical mistakes could indicate that the sender does not have English as their first language. They are also often deliberately included in phishing emails: if the user clicks despite these errors, they are likely to be fooled by the next part of the scam.
- Is there a too-good-to-be-true offer? Have you been offered the latest iPhone for just $200? Have you won a competition you didn’t enter? Has an African prince chosen you as the worthy recipient of funds? If the offer seems too good to be true, it most likely is not true.
- Does the email include content in an attachment that could have been easily included in the message body? Has an executable file or a compressed file been attached? Attachments are used to hide malicious content from email security solutions and are often used to install malware. If you are not familiar with the file extension, do not open it. If an Office document or spreadsheet has an extension ending in an ‘m’ (such as .docm or .xlsm), that indicates it contains a macro, which is code commonly used to download malware.
- Is the request in the email unusual? Stop and think about what is being asked and whether the request follows standard email communications. Phishing emails may be sent from compromised, genuine mailboxes, including internal email accounts. Does the tone of the email match previous communications? Does something seem a little off? Have you been asked to send sensitive data via email? These are common signs of a phishing email.
- Does the email contain a threat? Phishing emails often threaten individuals with bad consequences if no action is taken, such as the closure of an account, loss of service, legal action, arrest, or a malware infection that needs to be removed. Phishers use fear to get users to take the requested action, and to take it quickly. If in doubt, verify the request via a medium other than email, and never use the contact information included in the message.
- Are you directed to a website? Many genuine emails contain links to websites, but you should check the destination URL. Hover your mouse pointer over any link to reveal the true destination. Is that an official domain of the company named in the email? Does it match the sender’s email domain?
- Is the email unsolicited? Most phishing emails are unsolicited communications. For companies to send you marketing emails, you will need to have opted in. If you did not, or have never heard of the company or individual, there is a good chance it is a phishing email, especially if you are asked to open an attachment or visit a website using the link provided.
- Are you asked to keep the conversation private? This is a tactic used to try to stop people from verifying the email or request with other parties, who may see the scam for what it is.
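Several of the checks above can be automated as a first pass before a human looks at a suspicious message. The following Python checker is an added example, not code from the original post or from TitanHQ: it parses a raw email and flags a sender domain that is not on a list of known company domains, a generic greeting, link text that shows a different host than the link actually points to, and attachments with executable, archive or macro-enabled extensions. The known-domain list, the risky-extension set and the sample message are constructed assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Executables, archives used to hide content from scanners, and macro-enabled Office formats.
RISKY_EXT = {".exe", ".scr", ".js", ".zip", ".rar", ".iso", ".docm", ".xlsm", ".pptm"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear username", "dear account holder")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip("> ").lower() if "@" in addr else ""

def phishing_signs(raw: str, known_domains: set) -> list:
    """Return the tell-tale signs found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    signs = []
    from_dom = domain_of(str(msg["From"] or ""))
    if from_dom not in known_domains:           # does the domain match the claimed company?
        signs.append(f"sender domain {from_dom!r} is not a known domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if any(g in text.lower() for g in GENERIC_GREETINGS):
        signs.append("generic greeting instead of the recipient's name")
    for href, label in LINK_RE.findall(text):   # "hover over the link" done programmatically
        link_host = (urlparse(href).hostname or "").lower()
        label_host = (urlparse(label.strip()).hostname or "").lower()
        if label_host and label_host != link_host:
            signs.append(f"link text shows {label_host!r} but points to {link_host!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXT:
            signs.append(f"risky attachment {name!r}")
    return signs

# Constructed sample message (not a real phish) that trips every check above.
SAMPLE = """\
From: "Example Bank" <support@example-bank.com.evil.test>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p><p><a href="http://example-bank.com.evil.test/login">https://www.example-bank.com/login</a></p>
--b1
Content-Disposition: attachment; filename="statement.xlsm"

--b1--
"""
```

Calling `phishing_signs(SAMPLE, {"example-bank.com"})` returns four flagged signs for the sample; a plain internal message from a known domain with no links or attachments returns an empty list.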
These are just some of the signs that you can look for that will help you to identify phishing emails, but if you want to ensure your workforce knows how to spot a phishing email, and is aware of the full range of security threats, you will need to provide comprehensive security awareness training, and for that, you should use a security awareness training platform.
Structured Security Awareness Training and Phishing Simulations from TitanHQ
Developing an effective security awareness training program from scratch can be difficult and time-consuming, especially when it comes to ensuring the training content is engaging and fun for employees and teaches all the best practices you want your employees to follow.
TitanHQ can save you time and money and improve the effectiveness of your training through the SafeTitan Security Awareness Training Platform. SafeTitan includes an extensive library of gamified, interactive, and fun training content that is delivered in small doses to help employees retain the information and fit training into their busy workflows. The training includes quizzes to make sure the training has been understood, and it is easy to track which employees have completed their training.
Training can be tailored for individuals and user groups to reflect the different security threats they are likely to face, and the platform also includes a phishing simulator for testing the effectiveness of training and the return on investment you get. The phishing simulator includes an extensive library of hundreds of phishing threats taken from real-world phishing attacks, and the templates are regularly updated. SafeTitan is also the only behavior-driven security awareness solution that delivers security training in real time in response to failed phishing simulations and risky IT practices by employees.
If you want to improve your security posture, you need to train your workforce how to spot a phishing email and recognize other security threats, and with SafeTitan that is made simple. Contact TitanHQ today for more information and take advantage of the free trial to see how easy the platform is to use and to assess the quality of the training content.