Almost all data breaches involve a social engineering element, hence why good security starts with the ability to recognize and report phishing scams.
According to Deloitte, 91% of cyberattacks involve a social engineering element, making it by far the most common attack vector. After all, it’s generally much easier to exploit human ignorance and unpreparedness than today’s cybersecurity technology.
Social engineering, or phishing attacks, can exploit any form of communication, such as email, websites, social media, voice calls, and instant messaging apps. However, while the methods of communication may vary, there are some commonalities that are almost universal. Learning how to identify these characteristics is vital for protecting yourself and your business online.
Here are some of the phishing characteristics that everyone should be aware of:
#1. The sender asks for something unusual
The first and most important rule of identifying phishing emails is that no legitimate company will ever ask you for login credentials like passwords. Neither will they ask you to send payment information via channels like email or instant message. Admittedly, however, not all phishing attempts are that obvious. Some will encourage recipients to download an attachment instead. If you ever receive an attachment you weren’t expecting, especially if it’s an executable file like an EXE, then it’s almost certainly malicious.
#2. There are inconsistencies in the message
Social engineering scammers often use spoofed email addresses or domain names. At first glance, they might look legitimate, but upon closer inspection, you might notice a single letter that’s out of place. Some spoofs are harder to recognize, especially in the era of multilingual domain names. For example, the letter ‘e’ looks exactly the same in the Latin alphabet as it does in Cyrillic, but it’s actually a different letter as far as the computer is concerned. Always verify email addresses, domain names, and links from new or unexpected senders.
#3. There are threats or a sense of urgency
Many phishing scammers use similar tactics to those of legitimate marketers, such as building a sense of urgency. Some scams go even further by making threats like locking you out of an account, taking legal action, or demanding payments if you fail to follow their instructions. Scammers often hope that such tactics will distract their victims, who will then be less likely to sufficiently scrutinize the message.
#4. The message arrives unexpectedly
Of course, there are plenty of emails that arrive unexpectedly every day, such as queries from customers or fellow employees. However, phishing messages almost invariably arrive without any prior warning, even if they claim to be from someone the recipient personally knows. The first thing that usually arouses suspicion is an unfamiliar greeting or tone. You should also be wary of any apparent marketing emails purporting to be from otherwise legitimate companies that you did not opt-in to receive messages from.
#5. There are grammar and spelling errors
When you receive a message from a legitimate company, it’s highly unlikely that it will contain spelling or grammar errors. Although that doesn’t mean you should start ignoring friends and colleagues whose native language isn’t English, poor spelling and grammar in something like a marketing or otherwise ‘official’-looking email is almost a sure sign of a phishing scam. Additionally, some scammers may deliberately include spelling and grammar errors in an attempt to circumvent spam filters or even come across as more ‘authentic’.
Mitigating the risks with email security
Social engineering attacks are, by definition, a human challenge. However, while they require a human solution in the form of ongoing security awareness training, modern email security solutions can greatly reduce the risk, while easing the burden on your employees. SeedSpark provides tools like Ironscales, harnessing AI-driven security to detect more sophisticated phishing scams while keeping security teams informed with real-time reports and insights. We’ll implement the cybersecurity tools you need to alleviate potential employee mistakes and keep your information secure.
*Offer available for new clients with 50+ employees and all current clients that do not already use LastPass.
SeedSpark provides managed services to bolster your security posture and mitigate the risks to your organization. Get in touch today to get the proactive IT support you need to succeed.