People are out to get you.
That’s not scare-mongering – that’s a simple fact.
The average person receives around 16 malicious emails per month.
Multiply that by your number of employees, and you’ll quickly realise that your business is at risk almost every day.
It only takes one quick click from an unwitting team member to expose your sensitive data.
So you need to be aware, and you need to get protected.
And it all starts with an understanding of how these attacks work.
What is phishing?
In simple terms, phishing is when a criminal pretends to be someone else in order to trick you into giving away your sensitive data.
That could be through an email (phishing), through a voice call (vishing) – or even through SMS texts (smishing).
And they could be trying to lure you into:
- Giving away your banking details
- Revealing your credit card numbers
- Sharing your log-in details and passwords
- Or clicking a link that contains malicious software
The key part of this scam is that the message usually looks like it’s coming from a reputable source: your bank, the police, or an app or service that you subscribe to.
If you’re like most people, you probably think you’re not that easily fooled.
But sadly, phishing attacks really do work:
- 76% of organisations have been victims of a phishing attack
- 4% of people will click on any given phishing campaign
- And phishing attacks cost American businesses half a billion dollars each year
If that sounds a bit scary, that’s because it is.
But if you’re worried about phishing attacks against your business, you’re in luck:
There are plenty of warning signs – and there are plenty of ways to check if the messages you receive are real.
Here are a few tips to help keep you, your employees, and your business safe.
How to spot a phishing attempt
We’ve all seen some dodgy emails in our junk inbox:
We’ve probably all had a good laugh at them, too.
But those are just the ones that the junk filter managed to catch.
Phishing attacks won’t always appear to come from strange email addresses. And they could have the exact same logos and branding as the source they’re pretending to be – sometimes even with entire mirror-image websites built to harvest your log-in details.
But despite these advanced techniques, there are still lots of different ways you can spot a dubious email: the only difference between a good phishing attempt and a bad one is the degree of subtlety they use.
Here are a few common red flags to watch out for.
1. It promises too much
One of the obvious scams in the image above promises a compensation payment of $39 million.
We can all see straight through a ludicrous prize like that one. But some phishing attempts might not be so heavy-handed.
It might be a £100 refund from an overpayment in taxes.
It might be your bank offering you a 10% saving on your mortgage repayments.
Or it might be as simple as a £100 gift voucher from your favourite store as a reward for your loyalty.
But even in these more moderate cases, taking a few moments to think about the situation should show you that these are all highly unlikely scenarios:
The tax office will rarely give you a refund unless you’ve applied for one.
A 10% saving on your mortgage is too generous for even the most benevolent bank.
And a £100 gift voucher is a considerable loss for any online retailer.
So whenever you’re reading an email, ask yourself this:
Is it too good to be true?
2. It’s asking for the wrong things
If you’ve ever read the small print on a legitimate email from a bank, it almost always says something like this:
‘We will never ask for your password or PIN in an email or on the phone’.
And that’s a good little fact to keep in mind.
Any online shop that owes you a refund already has your banking details. And any app or service you subscribe to has no use for your user name and password – they already have access to the account you have with them.
So if there’s a message asking for anything sensitive (or any personal details that seem irrelevant to the problem at hand), take care: it could be a scam.
3. There’s a strong sense of urgency
Most genuine companies will give you plenty of time to take action if there’s a problem. They don’t want to punish you – they want to make sure you fix the problem.
But a phishing email will usually come with some kind of time limit or threat (like issuing a fine or closing down your account).
Like this recent phishing attempt from a fake TV Licensing authority:
That was sent on the 22nd January – which means that anyone reading it thinks they only have two days left on their licence.
They don’t want you to spend time thinking about the email or investigating its source: they just want you to click or hand over your details before you’ve had the chance to make a considered decision.
Unfortunately, there’s a lot of overlap here with genuine offers. Creating a sense of urgency is a valuable tactic used by legitimate marketers to increase sales – so while you should be careful, you shouldn’t assume that every message asking for a quick response is guaranteed to be a scam.
4. There’s an attachment with the email
Be honest: is it normal to get attachments from places like Amazon, Spotify, or Barclays?
It almost never happens. And if it ever does, it’s probably in response to some kind of ongoing conversation, like a customer query or an issue that you’ve raised.
The chances are that any legitimate attachment you receive with an email is one you were already expecting – and it’s usually from some kind of one-to-one communication, not from a general marketing or promotional email.
As you’d expect, downloading files from an email can lead to some nasty software on your computer. But there’s an extra-sneaky trick that some phishing attackers will try to pull.
Here’s what an attachment in Gmail usually looks like:
Some phishing attackers will take a screenshot of this attachment graphic (like I have here) and then embed that image into their email message. It looks like there’s an attachment, but it’s really just an image.
And that embedded image is linked to something else (like a fake Gmail log-in page). So when you think you’re requesting a genuine attachment from Gmail, you’re really being sent to another page that looks just like the real Gmail log-in page.
You assume you’ve lost your connection to Gmail and need to log back in, so you happily enter your details for the attacker to take.
5. The voice sounds wrong
Every company has the odd small typo in their messages from time to time.
But even when they do, that message has usually been written by:
- Someone who constructs emails and messages for a living
- Someone who’s fluent in English
- And someone who’s used to all of the normal terms and phrases for their industry
So when you get a message from an illegitimate source, it’s usually painfully obvious:
Hopefully, none of you would give an email like this a second glance (or even a first).
But sometimes, the message is reasonably well-constructed, and you’ll have to look closely to find the warning signs:
This message is also a phishing attempt. And if you look closely, you’ll notice the smaller things that look out of place, like:
- ‘TVL could not’ instead of ‘Your TV Licence could not’
- ‘If you will not’ instead of ‘If you do not’
- And ‘Visit TV Licensing Website…’ instead of ‘Visit the TV Licensing Website’.
Any one of these odd phrases alone would seem a bit off. But when you add them all up – especially in a message so short – it should tell you that you’re probably dealing with a fake.
So how can your business avoid these phishing attacks?
Knowing how to spot a dubious email is a good starting point. But criminals are getting better each year – and their attempts are getting more polished and professional.
So before you click any link in an email (even if you think it’s genuine), try a few of the following tips:
1. Hover over the link
Without clicking, put your cursor over the link the email wants you to follow.
Your browser will usually show you the address of the link – and you’ll be able to see if it looks suspicious before you decide to commit to it.
Here’s an example from our fake TV licensing email:
That URL definitely doesn’t look like an official TV Licensing website – and that means you’re dealing with a scam.
Sometimes, an email link will use a shortened version that makes it impossible to see the real destination (like https://bit.ly/2G74YIb4).
If that’s the case, you can use a tool like CheckShortURL to expand the shortened link, revealing the real destination.
2. Use a link-checking tool
By right-clicking on a link you’re not sure of, you can copy the URL to your clipboard without following the link.
You can then paste this URL into one of these handy online checkers to see if there are any negative reports:
But be careful.
While these tools are incredibly useful, they didn’t catch every single one of the suspicious URLs I tested (probably because these were new phishing campaigns that hadn’t been recorded yet).
3. Use your own navigation
If you think the email might be genuine, but you’re not completely sure, you’ll usually be able to access the same pages and information you need through the company’s website without using the link in the email.
So whenever you’re asked to follow a link, just open up a new browser and find the company’s website for yourself, either by typing in the URL from memory, or by typing their name into Google.
That way, you can be sure you’re dealing with the official company and its website – and not some deceptive mirror-image.
4. Keep your communication on a protected platform
The main problem with email is that it’s a completely open system.
Anyone in the world can email anyone else – and that can leave you and your colleagues wide open to attacks.
Some companies instead choose to keep the majority of their internal messaging on an exclusive network – like Workplace by Facebook.
In systems like these, you’re not able to send direct messages to someone unless you’ve already been approved by their IT admins. So you and your employees can be reasonably certain that any message they receive is genuine.
Of course, it’s not perfect: you’ll still need your IT team to be vigilant about who they approve.
But by taking the responsibility of scepticism away from the average worker, and putting it into the hands of your trusted, tech-savvy IT experts, you’re massively reducing the risk of letting an attacker freely message your teams.
5. Train your employees to avoid attacks
You might have learned a lot about phishing today. And you might think you’ve got a good grip on the different ways you can recognise and work around the attacks.
But you’re not the only one who can put your business at risk.
If 4% of people fall for phishing attacks, that means there’s probably at least one person in every business who could unwittingly become a victim, exposing your business’s sensitive data and financial details.
So if there’s just one useful tip you take away from this article, it’s this:
Every single person who works with your business is a security risk. And that means every single person needs to be given the awareness and knowledge they need to recognise and avoid security attacks.
Unfortunately, phishing is just one of the hundreds of different ways your business could be put at risk online, but hopefully this article has given you some handy tips to help you improve your SME cyber security and spot potential attacks before they can damage your business.