12 ways to spot phishing emails


Last modified on March 26th, 2024

In 2022, phishing was the most common type of cybercrime reported to the United States Internet Crime Complaint Center, affecting approximately 300 thousand individuals. Phishing emails are a real threat to companies, often used as a doorway to financial fraud.

To protect yourself from phishing attempts, you must be able to recognize them. We’ve compiled below the 12 tell-tale signs that’ll help you spot phishing emails before it’s too late.

Trustpair prevents any nefarious consequence of phishing emails by blocking suspicious payments to unknown or blacklisted bank accounts. Contact an expert to learn more!


The 12 signs that don’t lie

Phishing is a type of online fraud carried out by hackers. Their goal? Lure their unsuspecting victim into performing a specific action or disclosing sensitive information.

Phishers often use social engineering techniques to help them reach their target. They collect information on their victims before sending their phishing emails to make their communications appear legitimate.

For instance, online scammers will send a fake email asking their victims to reveal their passwords, credit card numbers, or bank account access, under false pretenses. In companies, those fraudulent emails can appear to come from suppliers, clients, financial institutions, or even another employee.

Phishing emails work because they’re easy to craft and look innocent. 42% of employees have admitted to risky online behavior (clicking on a malicious link, downloading malware, or exposing their personal data or login credentials), failing to follow cybersecurity best practices. It’s therefore paramount to ensure all employees know the risks of phishing and how to detect them. Here are the red flags of phishing emails:

1. An alert from your antivirus or inbox

Nowadays, most – if not all – corporate devices are equipped with anti-virus software. These tools include protection against the most common spam and phishing emails (the ones signed by a Nigerian prince).

They’ll usually flag suspicious-looking emails with too-good-to-be-true offers, but they’re not fail-proof. In case a suspicious email reaches your inbox, your first reflex should be to use your antivirus feature to double-check its content before taking any action.

2. An email from a company you aren’t a client of

If you ever receive an email from an unknown company or financial establishment asking you to reveal or confirm personal information, it’s a phishing email.

While they can be convincing when they emanate from well-known senders, emails from people or organizations you don’t normally deal with are easier to detect.

3. An unusual sender name

Did you receive an email whose sender you don’t know? It doesn’t necessarily mean that it’s a fraudulent email, but it’s best to be vigilant.

You can ask around for advice: from your manager, coworkers, or even your company’s IT department.

4. A suspicious email address

Most hackers use fake email addresses that look very similar to real ones. That’s a form of spoofing.

For instance, if the email address of your supplier is john@supplier.com, fraudsters will create a close likeness of it such as john@suppleir.com to try tricking you.

As the difference isn’t easy to spot at first glance, the email looks legitimate. It’s always worth spending a few extra seconds to double-check the spelling of your senders’ email, especially if the email message looks suspicious to you.

5. An alarming or too-good-to-be-true subject line

Thieves’ goal is to catch your attention in the sea of emails you receive. To do so, they use the most clickbaity subjects to catch your eye, such as: “new opportunity” or “RE: emergency – your account is in danger”.

Whenever you see an alarmist subject – or one that looks just a little too enticing – take a moment to look for other signs of phishing.

6. A suspicious design

While it’s not always the case, some phishing emails can easily be spotted because they look suspicious. Badly designed logos, pixelated images, funny-looking fonts… You can spot those irregularities at a glance.

Nevertheless, there are different grades of fraudsters – and of frauds. Criminals have had to upgrade their games and scams aren’t as obvious as they once were. The more elaborate spammer will pay attention to details and send you what appears to be a legitimate email.

7. No personalization

Most phishing emails come as part of a global phishing campaign. Attackers send thousands of emails at once and don’t have time to personalize their messages.

Look out for generic emails that don’t even mention your name or your company’s name, or have no direct link to your position. They’re usual signs of phishing scams.

8. An unusual request

An unusual request or suspicious-looking email should set off warning bells. For instance, professionals would never ask for any financial information to be disclosed via email.

Always be wary when you receive a request for such information, and make it a rule never to divulge it this way, even if the request looks innocuous. That’ll ensure you protect your identity – and your organization.

In the case of CEO fraud, scammers impersonate a high-ranking executive of your company to ask for a payment to be made. When this type of bank account fraud is successful, it can have disastrous financial and reputational consequences.

9. A request for confidential information

Never answer any request for your password, login credentials, bank account details, or even your social security number through email! No reputable institution will ever ask for your personal or financial information this way.

If you ever receive such a demand, move the phishing email straight to your spam folder. If it happens more than once, don’t hesitate to report phishing to local authorities and/or your IT department (or whoever is in charge of cybersecurity).

Communication is key to preventing phishing attacks from spreading.

10. Alarming or too-good-to-be-true content

A threat, an urgent request, an unmissable business deal… Hackers often get creative to get your attention. An email that looks too good to be true is often, well, too good to be true. It’s often a phishing email trying to pressure you into taking an action that’ll compromise you.

Even when you know the sender, it’s important to double-check the message. Cybercriminals might have taken control of their email account and could be impersonating them. Phishing emails can come from business partners who have no idea they’ve been compromised.

That’s the real problem with identity theft: nobody knows what’s going on, so even if you’re not directly targeted, it can still negatively impact your company.

11. Bad grammar and misspelled words

It’s one of the most common ways to spot a phishing email: mistakes! While they happen even to the best of us, scam emails tend to have a lot of them. There are a lot of grammatical or spelling errors, or the tone or wording is off.

That should alert you because most communications from official institutions are carefully written and proofread (now we really hope none slip through this article!).

The opposite isn’t necessarily true, however: a well-written email isn’t cleared of all suspicion. As we previously said, the latest scams have become more and more sophisticated (auto-correct is much better too!).

12. A push to download an attached document

Phishing emails usually come with a call to action to click the link or download attachments. Depending on the scam, the tone can be friendly or downright threatening.

Either way, don’t do it! It’d lead you to a fake website, or get you to download a virus or spyware. In the latter case, the software would be able to access your device and infect your company’s network to steal sensitive information.

That’s why phishing is the first step of social engineering attacks and often leads to more advanced types of fraud.

One way to make sure of a link’s true nature is by hovering your mouse over it: the full URL reveals itself, so you can check whether it’s a trustworthy website or a bogus one before you click.


What are the most common types of phishing emails?

Amongst the ones we’ve seen, the most common types of phishing emails are:

  • Urgent payment request (leads to payment fraud),
  • Invoice email that requires a quick wire transfer (leads to invoice fraud),
  • Requesting personal information (to provide and/or confirm it) under the false pretense of updating an account, or complying with the GDPR or other regulations.

An example of phishing emails

To finish, here’s an example of a phishing email:

Sender: security@facebouk.com

Subject: Security alert

Content: A suspicious activity was detected on your account. Please confirm your information here. If we don’t hear from you we’ll delete your account in the next 48H.

This email is fraudulent because it:

  • Uses a similar address to a well-known company.
  • Asks for personal information to be divulged.
  • Conveys urgency.

The case of spear phishing emails

Spear phishing is a focused phishing email that targets one victim. Hackers pretend to know you and use the information they got online or from a social engineering attack in their emails.

Like general phishing emails, they ask you to click a link or to make a transfer to a given bank account. As they’re highly personalized and give the impression the sender truly knows you, they’re harder to detect.

For instance in CEO fraud, hackers will impersonate your CEO (or someone else from top management) to ask for:

  • A wire transfer to a given account,
  • Bank account details,
  • Gift cards to be purchased.

Mattel almost lost 3 million dollars from this type of wire fraud. Using phishing emails and social engineering, hackers managed to convince one of its top employees to wire money to a Chinese bank account.

This story has a happy ending, as the Chinese bank employees raised the alarm – but many companies weren’t as lucky.

To protect yourself from spear phishing (and phishing emails in general), we recommend using digital fraud prevention solutions like Trustpair.

Our software runs automated and continuous audits of your third-party credentials to protect you from becoming a victim of fraud. It’s more efficient – and more secure – than manual checks.

We use 3-way matching, checking:

  1. The bank account numbers are correct,
  2. The recipient’s name is correct,
  3. Both match together.

Any suspicious bank account payment is flagged before any funds are transferred. With Trustpair, no money can be transferred to scammers’ bank accounts. Ask for a demo to learn more!


Key Takeaways:

  • Phishing emails have become more elaborate and legitimate-looking. You need to be able to recognize them to protect your organization from financial fraud.
  • Using an anti-fraud tool like Trustpair prevents you from falling victim to phishing and spear phishing attacks by blocking any suspicious payment before it is sent.


A phishing email is a fraudulent email sent by a scammer. They ask you to click on a link, divulge personal information, or download an attachment. Doing this creates a data breach that a fraudster will exploit, putting your organization at risk of financial fraud.

Phishing emails come with out-of-the-blue requests or too-good-to-be-true proposals. They usually include a strong sense of urgency to click on a link or make a payment, or confirm personal information. They can come from people you know or don’t, and can be riddled with mistakes. If something feels off, it’s probably a phishing email.
