Changing user behaviour to prevent phishing attacks

As we outlined in our post on preventing phishing emails, many businesses don’t realise that there are technical solutions such as DMARC that can prevent fraudulent emails from being sent from their domains in the first place. If this is done properly, then educating employees about potential spoof emails becomes a secondary priority.

Once you’ve got your DMARC compliance in place, it can still be helpful to educate your employees about common email phishing scams, in case they do come across a fraudulent email (in all likelihood, it won’t be from your domain).

What do phishing scams look like?

There are several common phishing scams, including:

  • Asking you to click on a link and download a malicious file onto your computer.
  • Sending you an email notifying you of an outstanding invoice – and then a link where you can click to pay it. Clicking on this link takes you to an illegitimate site where scammers can gather your personal information and access your bank accounts.
  • The email sender telling you that one of your accounts has been compromised, and then asking you to log in and reset your password, fill in your information and resubmit it.
  • Pretending to be one of your vendors and asking you to confirm your credit information before they can release or deliver an order.

What should you do if you receive a suspicious email?

The problem is that as cybercriminals become more sophisticated, phishing emails are becoming increasingly hard to recognise, as they often include things like high-resolution company logos and opt-out instructions at the bottom of the mail. With this in mind, here are five things you should check if you think an email is coming from a fraudulent sender:

  1. Does the email contain a link to a third-party site?
    Phishing emails often contain links that direct you to sites that are completely different from the domain of the email sender. On this site, you may be asked to fill in personal information and then submit a form.
  2. Is the email sender asking for your personal information?
    This could be things like your bank account number, your ID number, or your credit card details. If someone is asking for these, don’t respond to the email – rather phone them to check that it is really them asking for this information. If you do need to supply details, don’t do this over email.
  3. Do you know the sender?
    You may have communicated with people within an external company – such as with a supplier or customer – but suddenly you get an email from someone in that company who you’ve never dealt with before. Or, you could receive an email from a completely new vendor. In either case, delete the email without opening it and rather phone the company to verify the communication.
  4. Are there typos or grammatical errors?
    While this has improved in recent years as scammers have become more sophisticated, you may still be able to spot small errors within the email copy. Or, the tone of the sender may seem off (perhaps lots of use of exclamation marks or capital letters), or the specific details they give may be incorrect.
  5. Is the sender’s email address correct?
    These days, sophisticated fraudsters can easily send a fraudulent email from what appears to be the correct email address, but this is not always the case. It’s always worth checking whether the address differs from the genuine one – even if it is only one or two characters off.
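As an added example (not from the original post), the following Python turns checks 1 and 5 into something a mail gateway or triage script could run: it flags links whose host lies outside the sender’s domain, and sender domains that are a near-miss of a domain on an allow-list. The allow-list domains and the sample message are constructed for illustration.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list of domains the business legitimately deals with (assumption).
KNOWN_DOMAINS = {"example.com", "supplier-example.net"}
LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def lookalike_of(domain, known=KNOWN_DOMAINS, cutoff=0.8):
    """Check 5: return the known domain this one resembles but does not equal, else None."""
    if domain in known:
        return None
    close = difflib.get_close_matches(domain, known, n=1, cutoff=cutoff)
    return close[0] if close else None


def check_message(raw):
    """Run checks 1 and 5 over a raw RFC 822 message; return a list of findings."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload(decode=True).decode(errors="replace")
    findings = []
    # Check 1: links whose host is neither the sender's domain nor a subdomain of it.
    for host in sorted({urlparse(u).hostname.lower() for u in LINK_RE.findall(body)}):
        if host != sender and not host.endswith("." + sender):
            findings.append(f"link to third-party site {host} (sender domain is {sender})")
    # Check 5: the sender's domain is a near-miss of a domain we already know.
    hit = lookalike_of(sender)
    if hit:
        findings.append(f"sender domain {sender} resembles known domain {hit}")
    return findings


# Constructed sample: an invoice lure from a one-character lookalike of a known supplier.
SAMPLE = """From: Accounts <billing@supplier-examp1e.net>
To: you@example.com
Subject: Outstanding invoice 4411
Content-Type: text/plain

Please settle the invoice at https://pay.invoice-portal.example/4411
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("FLAG:", finding)
```

A clean message from a known domain linking only to its own subdomains produces no findings, so the script is a triage aid for the human checks above rather than a verdict.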

No matter what industry you’re in, it’s crucial to be aware of common phishing tactics, so that you can prevent your personal information being compromised and used against you.

By being aware, you can potentially help protect your company from losing money, being impersonated, or being used for other fraudulent means.