Get back to cybersecurity and IT basics with a phishing overview.
You’ve likely heard the term phishing before, but do you know what it is? There are many definitions available, all of which agree on the basics: bad actors want some kind of confidential information from you, and they’ll disguise themselves as a trusted person or business in order to trick you into giving them what they want.
Phishing Emails – Their Many Disguises
Phishing emails can appear in a variety of ways. The classic version involves an email that looks like it’s from a major bank, while other examples include a link to a shared document that you have to enter your password to access, or even a threat of legal action from a government agency. Bad actors play on your emotions, using subject lines that grab your attention and create feelings of urgency.
Examples of Phishing Emails
- Deactivation of Email in Process – You’re thinking, “Oh no, don’t turn off my email!” Bad actors know how critical email is to business operations, and the threat of email being turned off is likely to make people leap into action before thinking things through.
- Recommendation: Don’t click on any links and follow your company’s IT procedures for reporting phishing emails.
- Your Order from a Website – Whether you remember ordering something or not, you may be tempted to click and find out more. This can be the case if you’re ordering something using your work email or using your personal email on your work computer. And if you get an email to your work account that you’d usually receive to your personal email account, know that the email in question is almost definitely a phishing attempt.
- Recommendation: Do not click on any links in the email. Instead, open your browser, go directly to the website, and log into the account you created to view any activity. If the email came to your work email, follow your company’s IT procedures for reporting phishing emails.
- Revised Vacation and Sick Time Policy – Everyone loves their PTO, so emails that hint about upcoming changes can be hard to resist and bad actors hope to prey on this tendency. Always evaluate emails like this carefully before clicking on any links or opening any attachments.
- Recommendation: Consider the sender address; if it doesn’t come from a member of your company’s HR or leadership team, you should be skeptical. Don’t just rely on the name shown in the “sender” part of the email, but see the actual email address that sent it and make sure it’s legitimate. If you suspect it’s a phishing attempt, follow your company’s IT procedures for reporting it.
Questions to Ask When You Receive an Email
- Were you expecting this email? If you asked for this information, great! But keep asking questions to confirm. If the email was unprompted, it might be phishy. Ask more questions.
- Does the sender name match the email address? If the name is displayed as one name, but the email address is anything other than the work email address you expect, that’s extremely suspicious. Also be cautious if the email came from a known person’s personal email address as they’re unlikely to send work-related emails from their personal address. Call the person to confirm if the email was meant to be sent that way.
- Is the greeting written for you personally or does it look like it could have been sent to a large group of people? Some emails are designed to go to a large group of people, so a generic or missing greeting is common. If the email looks like something that was only sent to you, but there’s no personal greeting, you should keep evaluating the email’s legitimacy.
- Does the email make you anxious or scared? Bad actors want to create a sense of urgency so you give them the information they want without taking the time to think it through. Work emails shouldn’t be scary. If an email feels threatening or urgent, it’s worth slowing down to evaluate thoroughly. When in doubt, ask your IT team or other reliable cybersecurity expert based on your organization’s phishing policies and procedures.
There is no single indicator of a phishing email. Some messages will be subtle and might have more discreet red flags. Others may be outright obnoxious and can be dismissed right away. Either way, the red flags can be different from one email to the next, so you have to stay on your toes. Continue to evaluate all emails, even those from trusted senders, as you never know who might be compromised.