Tips on how to protect yourself from Phishing attacks
Phishing attacks are getting more sophisticated. They are often difficult to spot, or the email simply raises no red flags or suspicions and gets through.
To get you thinking about how large the problem is, here are four headline statistics to think about:
- On average, 1 in 4 email messages people receive is either malicious or unwanted spam.
- 20% of businesses experience at least one of their users' mailboxes being compromised by an account takeover each month.
- 83% of malicious Microsoft 365 documents contain QR codes that redirect you to phishing websites.
- Half of all businesses still haven't set up a DMARC policy, putting them at significant risk of email spoofing, phishing attacks and business email compromise.
Source of the above statistics: Barracuda email security.
Bearing all of this in mind, here are some tips you can use to protect yourself:
Check the email address and domain name carefully.
A little while ago there were emails doing the rounds asking people to change their Microsoft 365 passwords. The email came from support@rnicrosoft.com, and at first glance the address looks legitimate, so a lot of people fell for it. Did you spot the issue in the email address? The "m" in microsoft has been replaced by the two letters "r" and "n", which look almost identical in many fonts.
Look for anything that is a mismatch.
When you get an email, there are two elements to the sender: the display name and the email address. Phishers often use the display name to spoof a familiar sender while the actual email address is different from the display name. Check that the contact information is consistent with emails you have previously had from that person and ensure that nothing is out of place.
Check the language to see if it is consistent with what you would expect to see
If you get an email from someone you know, check the language. A common theme is that the sender uses American phrases or terminology that is out of alignment with what someone in the UK would typically use. Examples we have seen include language like "Call me on my new cell number" or "could y'all give me an update on paying that invoice", things that look out of place in the communication you would expect to see from that person.
Check the spelling and grammar
Phishing emails are often riddled with poor spelling, grammar and punctuation, which makes them easier to spot. Whilst AI is making this less common, it still occurs because the context of the message gets mangled in translation.
Be wary of urgent or threatening language
Phishers want things to happen quickly because they only have a small window of opportunity, so they use urgent or aggressive language to make the recipient act without thinking about the consequences. Phishing attacks often use social engineering to gather information about senior people in the organisation. The attacker then targets someone, often in a junior post, with an email spoofed to appear to come from the senior member of staff, typically carrying a payment request such as "Pay this invoice NOW!! It is urgent". Because it appears to come from a legitimate source, the recipient often falls for it and pays the invoice to an account controlled by the phisher.
Check links in the email and do not click on any if you don’t need to
Links in emails are a common means of phishing, so it is imperative that you are sure a link is valid rather than an attack site before you use it. To check a link, move your mouse over it but don't click. This shows the actual address the link will take you to, rather than the text displayed in the link. For example, a link whose text reads "www.microsoft.com" may, when you hover your mouse over the words, reveal the actual address www.google.com somewhere on the screen (the bottom left corner in Microsoft Edge). The display text and the link target are independent of each other, which is why this is so often used for deception in phishing attacks.
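To show how the three checks above (lookalike sender domain, display name versus address, and link text versus link target) can be automated, here is an added example in Python that is not part of the original article. It runs over a constructed sample message; the trusted-domain list, the confusable-letter table and the hypothetical rnicrosoft.com sender are assumptions for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"microsoft.com"}
# Letter runs that pass for another letter in many fonts (assumed list, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
# Constructed sample, not a real message: "rn" replaces "m" in the sender domain, link text lies.
SAMPLE = """\
From: "Microsoft 365 Support" <support@rnicrosoft.com>
Subject: Action required: change your password NOW
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today.</p>
<a href="https://www.google.com/login">www.microsoft.com</a></body></html>
"""
# Simplistic anchor matcher for the demo; a production filter would use a real HTML parser.
ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def normalise(domain):
    """Collapse lookalike runs so that rnicrosoft.com compares equal to microsoft.com."""
    domain = domain.lower()
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def host_of(text):
    """Hostname named by a URL or bare domain, with a leading www. removed."""
    parsed = urlparse(text if "://" in text else "//" + text)
    return (parsed.hostname or "").removeprefix("www.")

def check_message(raw):
    """Return red flags: lookalike sender domain, display name claiming a trusted brand, deceptive links."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain not in TRUSTED_DOMAINS and normalise(domain) in TRUSTED_DOMAINS:
        flags.append(f"lookalike sender domain: {domain}")
    brand_claimed = any(t.split(".")[0] in name.lower() for t in TRUSTED_DOMAINS)
    if brand_claimed and domain not in TRUSTED_DOMAINS:
        flags.append(f"display name '{name}' does not match sender domain {domain}")
    html = msg.get_body(preferencelist=("html",)).get_content()
    for href, text in ANCHOR.findall(html):
        shown, actual = host_of(text.strip()), host_of(href)
        if "." in shown and shown != actual and not actual.endswith("." + shown):
            flags.append(f"link text {text.strip()} points to {actual}")
    return flags
```

Running check_message(SAMPLE) reports all three problems; the same message with a genuine sender domain and an honest link produces no flags.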
NEVER open unexpected attachments in an email
Email attachments are one of the most common ways of getting malware, viruses or ransomware onto a computer, so if you are not expecting an attachment, do not open it. If you are unsure, ask your managed service provider for advice or to check it first on your behalf, which they should be able to do without risk to their infrastructure.
What should you do if you suspect it’s a phishing email?
- Don't open anything in it, such as attachments.
- Don't respond to it.
- Don't click on any links in the email.
- Report it to your IT partner so they can check whether the email is valid or malicious.
If you want to find out how secure your email environment is and you use Microsoft 365, we can run a free security scan on it to check for any threats that may have got through. Call us on 01722 411 999 and we can arrange a scan.