Sometimes it’s easy to identify a phishing email. Sometimes it’s not. The easy ones to spot follow the patterns of ten or more years ago, when cybercriminals would bulk-send spam emails telling recipients they’d won a lottery they had never entered, or addressed their emails “Dear Sir” and littered them with spelling mistakes.
As awareness of how to identify a phishing email has increased, so has the sophistication of cybercriminals. In today’s online environment, phishing emails are more carefully crafted, often targeted at specific individuals and spell-checked before they’re sent. In many cases, fake landing pages linked from phishing emails are indistinguishable from the real thing.
Why Tips to Identify a Phishing Email are Rarely Valid
Most sites offering tips to identify phishing emails base their advice on the level of sophistication used ten years ago. They suggest hovering your mouse over a hyperlink to see if the URL differs from the one you would expect to see, or checking whether the sender’s email address matches the email’s purported sender. In both cases, relying on these tips alone can still end in a successful phishing attack.
If, for example, you receive an email supposedly sent by a bank to which you’ve linked a PayPal account, would you know not to click on a link that led to www.paypal.yourbank.com? If you get an email from a colleague whose work email address has been compromised by a hacker, how would you know not to reply with the information requested?
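The www.paypal.yourbank.com example shows why “hover over the link” only works if the reader knows which part of a hostname actually identifies the owner: the registrable domain (the label just left of the public suffix) is yourbank.com, and the “paypal” in front of it is a subdomain the owner of yourbank.com can name anything. The following checker is an added example, not code from the PhishMe post; it extracts that registrable domain from a URL so that a mail-security tool or a training exercise can compare it against the brand the message claims to come from. The tiny suffix table is a constructed stand-in: a real deployment would load the full Public Suffix List.

```python
# Added example (not from the original post): extract the registrable domain
# (eTLD+1) of a link so it can be compared with the brand the email claims.
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List. A real
# checker should load the complete list from publicsuffix.org instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(url: str) -> str:
    """Return the owner-identifying domain of a URL's host, lowercased.

    "http://www.paypal.yourbank.com/login" -> "yourbank.com"
    "https://www.paypal.com/signin"        -> "paypal.com"
    """
    # Bare hosts like "www.paypal.com/x" parse as a path without a scheme.
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return host
    # Suffixes such as co.uk take two labels, so keep three for eTLD+1.
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_matches_brand(url: str, expected_domain: str) -> bool:
    """True only when the link is actually under the brand's own domain."""
    return registrable_domain(url) == expected_domain.lower()


if __name__ == "__main__":
    # Constructed sample links: the page's look-alike and a genuine one.
    for link in ("http://www.paypal.yourbank.com/login",
                 "https://www.paypal.com/signin"):
        verdict = "OK" if link_matches_brand(link, "paypal.com") else "SUSPICIOUS"
        print(f"{verdict:10s} {link} -> {registrable_domain(link)}")
```

The point for training is that everything left of the registrable domain is under the link owner’s control, so a brand name appearing early in the hostname proves nothing; the comparison has to be made on the right-hand end.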
It’s increasingly difficult to identify a phishing email. Although the psychology of phishing is much the same as it was a decade ago (prey on the recipient’s curiosity, greed, fear or sympathy), and phishing emails usually include the same element of urgency, there’s only one tip that really matters: treat every single email in your inbox as suspicious.
Why a Multilayered Solution is Necessary
A good way to block phishing emails is to implement a spam filter with phishing protection and malicious URL detection. However, while these will stymie many phishes, they won’t stop them all, for example when a hacker compromises a work colleague’s email account.
Other technological measures to prevent phishing emails from working: disabling macros and HTML in email messages; encrypting internal communications; configuring web filters to block specific file extensions; keeping software up to date; and implementing an employee training and awareness program for when phishing emails evade technological detection.
Cybercriminals see employees as the weakest link in cybersecurity, but a smart training and awareness program can turn that around. With effective training, employees will know not only how to identify a phishing email but also how to help gather real-time information to prevent future attacks.
Effective Training and Awareness from PhishMe
PhishMe is an intelligence-driven, human-response solution to the threat of phishing emails. Interactive simulations condition your employees to identify and report potential phishing emails. The simulation results feed our incident response platform, helping IT departments prioritize their responses to phishing reports.
In addition to this three-tiered defense against phishing threats, PhishMe provides a human-vetted analysis of phishing and ransomware attacks. This gives IT departments the information they need to identify false positives and contain malware when a malicious URL has been clicked or an infected attachment opened.
PhishMe is trusted by more than 1,000 companies, including 50 Fortune 100 companies, to mitigate the threat of phishing emails. Our awareness and conditioning solution has decreased employee susceptibility to phishing emails by up to 95%. To train your employees on how to identify a phishing email, contact us and request a free PhishMe demo.