By now, you’re likely well aware that a Nigerian prince isn’t sending personal emails to your inbox offering to pay you millions in exchange for helping him get his royal fortunes out of the country. All he asks is that you supply your bank routing number and some personal information.
To many, the absurdity of this classic email hoax is laughable, but studies show that most users are overconfident in their ability to detect phishing scams. Hackers are becoming more cunning and sophisticated as they evolve their tactics to deceive unaware employees and individuals. Tens of millions of phishing scam emails are sent to inboxes every year and, according to GreatHorn’s 2017 Spear Phishing Report, the average employee faces at least one risky email per day.
And it only takes one click. That’s why news of major cyberattacks continues to hit the headlines, and it’s clear that organizations need to better equip their employees to detect these scams. Here are some clues to look for when determining whether an email is legitimate or a phishing attempt.
1. Fake Invoices
An email with an attached fake invoice is the number one type of phishing scam, with one in four malware spam campaigns taking this approach in 2016, according to Symantec's 2017 Internet Security Threat Report.
2. Unexpected Attachments
If you receive an email that contains an attachment you weren’t expecting — even from someone you know — step away from the mouse!
3. Inconsistent URLs
If the link text in an email shows one address but hovering over it reveals a different destination, treat the message as a phishing lure. The visible text is just a label; the real destination is the link target, and a mismatch between the two usually means the link leads to a credential-harvesting page or a malware download rather than the site it claims to be.
4. Requests to Update Your Information
Emails claiming that you need to update your account are classic attempts to obtain access to personal information and should cause immediate suspicion. They may appear to come from the IRS, a bank or other institution. Most institutions will never request this type of information via email.
5. Misspellings and Poor Grammar
We all make spelling errors on occasion, but when an email is riddled with obvious grammar mistakes and poor sentence structure, it’s a clue that the message was generated by a script or written by someone who isn’t fluent in the language and has no connection to the professional organization it claims to represent. The reverse doesn’t hold, though: a targeted spear-phishing email is often written flawlessly, so clean prose is not evidence that a message is legitimate.
6. Something’s “Off”
Is the formatting of the email different than usual with strange spacing or margins? Is the company logo pixelated or are the colors off? If you’ve subscribed to an email list from a reputable company and regularly receive correspondence from them, be wary if those emails suddenly show up in your inbox looking different than they normally do.
7. W-2 Form Requests
This scam is especially prevalent around tax season and surged early in 2017. The email may appear to come from a company’s internal HR department or a high-level executive requesting employees’ W-2 forms. Once the forms are handed over, the scammer can file fraudulent tax returns in those employees’ names and claim any refunds.
8. An Email from the CEO
Who wouldn’t comply with the CEO’s request? Wait! Chances are, that request to transfer funds, pay an invoice or release sensitive information on his or her behalf is really coming from a scammer. Hackers are becoming masters at researching a company’s high-level personnel and then impersonating them. So much so that this type of scam accounted for more than $5 billion in losses between October 2013 and December 2016, according to the FBI.
9. You’ve Won a Contest!
Did you actually enter a contest? No? Then it stands to reason you didn’t win one.
10. A Tone of Desperation
Don’t fall for emails claiming that your “immediate action is required.” If the email claims that your account has been compromised or that the account will be closed unless you respond right away, it’s a sure sign something’s up. Urgency is the attacker’s lever: it is meant to stop you from pausing to verify the request through a separate channel.
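Several of the red flags above can be checked mechanically before a message ever reaches a person: the link-text-versus-destination mismatch from item 3, an executive’s display name paired with an address outside the company domain from item 8, and the urgency language from item 10. The script below is an added example written for this page, not code from the original article or from any vendor named in it. The sample message, the addresses, the domains and the executive list are all constructed for illustration; the “registrable domain” helper is a deliberate two-label approximation (a real deployment would consult the Public Suffix List).

```python
"""Mail-gateway style heuristics for three phishing red flags.

Added example. Everything below is constructed for illustration:
the message, the addresses, the domains and the executive list.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a lookalike sender domain ("examp1e.com" with a digit
# one), an urgent subject, and a link whose visible text names a bank while
# its href points at an unrelated host.
SAMPLE_EMAIL = """\
From: "Jane Doe, CEO" <jane.doe@examp1e.com>
To: accounts-payable@example.com
Subject: URGENT wire transfer - immediate action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please process this today.</p>
<a href="http://login.example-bank.com.evil.test/auth">https://www.example-bank.com/login</a>
<a href="https://www.example.com/policy">company policy</a>
</body></html>
"""

URGENCY_PHRASES = ("immediate action", "urgent", "account will be closed",
                   "verify your account", "respond right away")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Two-label approximation of the registrable domain (assumption:
    good enough here; production code should use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mismatched_links(html):
    """Item 3: return (visible text, href) for links whose visible text
    looks like a URL but names a different domain than the real target."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not text.lower().startswith(("http://", "https://", "www.")):
            continue  # plain words such as "company policy" claim no domain
        shown = text if "://" in text else "http://" + text
        shown_host = urlsplit(shown).hostname or ""
        real_host = urlsplit(href).hostname or ""
        if registered_domain(shown_host) != registered_domain(real_host):
            findings.append((text, href))
    return findings


def suspicious_sender(from_header, internal_domain, executives):
    """Item 8: flag a From header whose display name matches a known
    executive while the address is not on the internal domain."""
    name, addr = parseaddr(str(from_header))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for exec_name in executives:
        if exec_name.lower() in name.lower() and domain != internal_domain.lower():
            return f"display name '{name}' matches {exec_name} but address is @{domain}"
    return None


def urgency_hits(text):
    """Item 10: list the pressure phrases present in subject or body text."""
    lowered = text.lower()
    return [p for p in URGENCY_PHRASES if p in lowered]


def analyze(raw_message, internal_domain, executives):
    """Run all three checks over a raw RFC 5322 message and return findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return {
        "sender": suspicious_sender(msg["From"], internal_domain, executives),
        "links": mismatched_links(html),
        "urgency": urgency_hits((msg["Subject"] or "") + " " + html),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL, "example.com", ["Jane Doe"]).items():
        print(f"{key}: {value}")
```

Each finding is a reason to route the message to a reviewer rather than a verdict on its own; a newsletter that wraps a tracking redirect around a bare URL will trip the link check, and the point of combining several weak signals is that a lookalike executive address plus a mismatched link plus urgency language is far more telling than any one of them.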
There are countless more types of email scams out there. Bottom line: If an email seems phishy, don’t take the bait! If it appears to come from someone you know, or from an organization you’ve dealt with before, don’t reply and don’t click anything in it. Instead, contact the individual or company some other way to follow up, or reach your online account by typing a URL you already know into your browser rather than following the link in the message.
Also, don’t forward a suspicious email to ask if it’s legitimate, even to your own IT department. Instead, pick up the phone or send a separate email explaining your concern. Then, delete the email, empty your trash and, as Dory would say, “Just keep swimming.”
More employee tips for preventing cyberattacks are available in our handy Cybersecurity Tips for Employees infographic. Click the link below to get your copy, print it off and hang it around the office. We promise it’s legitimate. No, really!