How to recognise and react to phishing emails

Phishing attacks are one of the most common cyber security issues that individuals and businesses face, and even with how much we think we know about them, they are always adapting, ensuring that people continually fall victim to them.
In this article, we will be discussing what phishing emails are, who sends them and why they’re so dangerous across the globe.

Phishing emails are emails that are created by undesirable people to look innocent, appear as though they are coming from someone you know or to appear relevant enough that you believe you should click on the link or open the attachment.
They can “come” from your boss, your co-worker, a supplier, a customer, a family member, your bank, Netflix, the list is endless. This is why they are so dangerous and why it’s so important to understand and recognise when you have been sent a phishing email.

Because phishing emails are made to look like they are meant for you from someone you know, these emails can be hard to recognise. Important things to look out for are:

• Look at the email address, not just the sender: when the sender name pops up in your inbox, it’s not very likely that you’ll bother looking at the email address, you’ll just jump straight to the content but you are skipping a vital step.
  • Make sure you look at the whole email address for spelling errors or numbers.
• The email is poorly written: If the email contains poor spelling or grammar, it is likely a phishing email.
  • Just delete it.
• It includes a suspicious attachment or link: by clicking on links or opening attachments, you are allowing the hacker to capture sensitive information, such as login credentials, credit card details, phone numbers and account numbers.
• The email is stating urgency is required: for example, your account is on hold or that if you don’t action something right away your account will be cancelled. It’s time to take a breath.
  • Exit the email and verify if this is true another way. I.e. for Netflix, go straight to your Netflix app and check your account information from there OR if it’s from a bank – is it your bank? If so, exit the email, find their phone number online or in the phone book and give them a call to enquire.
• You are not expecting an email from this person: this is a good sign that it may be a phishing email.
  • If you are unsure, pick up the phone and give them a call to ask if they sent it to you.

A good rule of thumb is to delete it. If it looks a bit funny, with any of the above signs, just delete it. If it is real and is important, the person who sent it will be in touch again. Otherwise, another good idea is to give the person or company a call to enquire.
Don’t follow the links or open the attachments, and don’t call using the phone numbers provided in the emails.

A good way to prevent phishing emails being an issue for your business is to create a simulation of these emails to test your team’s knowledge and awareness of currently used techniques by hackers, and to educate your staff to spot future phishing scams.
At Focus, we have created a service to assist your business with this – Focus PhishMe Service.
The Focus PhishMe service (powered by Cofense), educates users on the real phishing tactics your company faces. We leverage extensive research, threat intelligence, and front-line phishing defence. By using simulations of current phishing threats, you will create smarter email behaviour, transforming vulnerable targets into an essential layer of defence.

Identify your employee’s biggest cyber security flaws

• Phishing your employees firstly allows you to see who has clicked on the ‘malicious’ links, and who has acted appropriately. This can give you an excellent insight into just how exposed your workforce is. Not only is this useful for seeing where the weaker links are, but it is also extremely efficient for discovering which departments are more susceptible to a breach.
• Many businesses are guilty of raising awareness of the perceived “higher risk” departments. However, all employees have company-sensitive information and should all receive the same level of education and awareness. It is important, however, to follow the ‘engage, not enrage’ methodology when conducting this simulation, and give employees individual feedback, rather than in a name and shame manner.

Increase the awareness around phishing emails

• The more exposed your employees becomes to these types of emails and their signs, the more likely they are to detect the red flags. Focus PhishMe simulates active phishing threats to create smarter user behaviour. People remain aware of threats by practicing regularly and remaining invested in your business’ defence.

Provide the opportunity to safely educate employees

• Keeping the training consistent, whilst also avoiding learning fatigue, is crucial. Make sure you can measure the results of how effective this training has been, and where there is room for improvement. It is not about naming and shaming!

This service is run over a 12-month period and consists of six scheduled Phishing email tests.
The test emails can be varied in levels of complexity to challenge the skill levels of your employees. The responses of these emails are reported and from there we are able to better educate teams to protect not only your company data, but their own data linked to their personal accounts too.

• info@focus.net.nz
• 0800 12 00 99