7 Ways to Recognize a Phishing Email: Email Phishing Examples (2024)


What is a phishing email?

Are you sure that email from UPS is actually from UPS? (Or Costco, BestBuy, or the myriad of unsolicited emails you receive every day?) Companies and individuals are often targeted by cybercriminals via emails designed to look like they came from a legitimate bank, government agency, or organization. In these emails, the sender asks recipients to click on a link that takes them to a page where they will confirm personal data, account information, etc.



SEE ALSO: Fighting Phishing Email Scams: What You Should Know

What is phishing?

This technique is called phishing, and it’s a way hackers con you into providing your personal information or account data. Once your info is obtained, hackers create new user credentials or install malware (such as backdoors) into your system to steal sensitive data.

Phishing emails today rarely begin with, "Salutations from the son of the deposed Prince of Nigeria..." and it's becoming increasingly difficult to distinguish a fake email from a verified one. But most have subtle hints of their scammy nature. Here are seven email phishing examples to help you recognize a malicious email and maintain email security.

SEE ALSO: Examples of common phishing attempts.

What is a common indicator of a phishing attack?

Requests for personal information, generic greetings or lack of greetings, misspellings, unofficial "from" email addresses, unfamiliar webpages, and misleading hyperlinks are the most common indicators of a phishing attack.


Email phishing examples

1. Legit companies don’t request your sensitive information via email

Chances are, if you receive an unsolicited email from an institution that provides a link or attachment and asks you to provide sensitive information, it’s a scam. Most companies will not send you an email asking for passwords, credit card information, credit scores, or tax numbers, nor will they send you a link from which you need to log in.

Notice the generic salutation at the beginning, and the unsolicited web link attachment?

2. Legit companies usually call you by your name

Phishing emails typically use generic salutations such as “Dear valued member,” “Dear account holder,” or “Dear customer.” If a company you deal with required information about your account, the email would call you by name and probably direct you to contact them via phone.

BUT, some hackers simply avoid the salutation altogether. This is especially common with advertisements. The phishing email below is an excellent example. Everything in it is nearly perfect. So, how would you spot it as potentially malicious?

This is a very convincing email. For me, the clue was in the email domain. More on that below.

3. Legit companies have domain emails

Don’t just check the name of the person sending you the email. Check their email address by hovering your mouse over the ‘from’ address. Make sure no alterations (like additional numbers or letters) have been made. Check out the difference between these two email addresses as an example of altered emails:

michelle@paypal.com
michelle@paypal23.com

Just remember, this isn’t a foolproof method. Sometimes companies make use of unique or varied domains to send emails, and some smaller companies use third party email providers.


"Costco's" logo is just a bit off. This is what the Costco logo is supposed to look like.
See the difference? Subtle, no?

4. Legit companies know how to spell

Possibly the easiest way to recognize a scammy email is bad grammar. An email from a legitimate organization should be well written. Little known fact – there’s actually a purpose behind bad syntax. Hackers generally aren’t stupid. They prey on the uneducated, believing them to be less observant and, thus, easier targets.

In addition to the generic salutation, grammar gaffes are usually a good clue that something is wrong. “Please fill this form…” And notice the ‘17’ reference in the middle of the sentence.

5. Legit companies don’t force you to their website

Sometimes phishing emails are coded entirely as a hyperlink. Therefore, clicking accidentally or deliberately anywhere in the email will open a fake web page, or download spam onto your computer.

This whole email was a gigantic hyperlink, so if you clicked anywhere in the email, you would initiate the malicious attack.


6. Legit companies don’t send unsolicited attachments

Unsolicited emails that contain attachments reek of hackers. Typically, authentic institutions don’t randomly send you emails with attachments, but instead direct you to download documents or files on their own website.

Like the tips above, this method isn’t foolproof. Sometimes companies that already have your email will send you information, such as a white paper, that may require a download. In that case, be on the lookout for high-risk attachment file types, including .exe, .scr, and .zip. (When in doubt, contact the company directly using contact information obtained from their actual website.)


Just remember, curiosity killed the cat.

7. Legit company links match legitimate URLs

Just because a link says it’s going to send you to one place, doesn’t mean it’s going to. Double check URLs. If the link in the text isn't identical to the URL displayed as the cursor hovers over the link, that's a sure sign you will be taken to a site you don’t want to visit. If a hyperlink’s URL doesn’t seem correct, or doesn’t match the context of the email, don’t trust it. Ensure additional security by hovering your mouse over embedded links (without clicking!) and ensure the link begins with https://.


Although very convincing, the real Nokia wouldn't be sending you a "Save your stuff" email from info@news.nokia.com
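
The sender-domain, attachment and link checks from tips 3, 6 and 7 can be automated for triage. The following is an added example, not code from the original article; `check_email`, `expected_domain` and the sample message are constructed for illustration, and the expected domain is an assumption the reader supplies, since legitimate senders sometimes use other domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXT = (".exe", ".scr", ".zip")  # file types the article names
URLISH = re.compile(r"\s*(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]|\s*$)")
SAMPLE = (  # constructed sample message, not a real email
    'From: "PayPal" <michelle@paypal23.com>\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/html; charset="utf-8"\n\n'
    '<a href="http://paypal23.com/login">https://www.paypal.com/signin</a>\n'
    '--b1\nContent-Type: application/octet-stream\n'
    'Content-Disposition: attachment; filename="invoice.zip"\n\nplaceholder\n--b1--\n'
)

class Links(HTMLParser):
    """Collect [href, visible text] for every <a> element."""
    def __init__(self):
        super().__init__()
        self.found, self.open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.found.append([dict(attrs).get("href") or "", ""])
            self.open = True
    def handle_data(self, data):
        if self.open:
            self.found[-1][1] += data
    def handle_endtag(self, tag):
        self.open = self.open and tag != "a"

def check_email(raw, expected_domain):
    """Return findings for sender domain, attachments and link mismatches."""
    msg, findings = message_from_string(raw), []
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    if domain != expected_domain and not domain.endswith("." + expected_domain):
        findings.append(f"sender domain {domain} is not {expected_domain}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"high-risk attachment {name}")
        if part.get_content_type() == "text/html":
            parser = Links()
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in parser.found:
                host = (urlparse(href).hostname or "").removeprefix("www.")
                shown = URLISH.match(text.lower())
                if shown and shown.group(1).removeprefix("www.") != host:
                    findings.append(f"link text shows {shown.group(1)} but goes to {host}")
    return findings
```

Calling `check_email(SAMPLE, "paypal.com")` returns three findings: the altered sender domain, the link whose visible text names one host while the `href` points to another, and the `.zip` attachment.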

It doesn’t matter if you have the most secure security system in the world. It takes only one untrained employee to be fooled by a phishing attack and give away the data you’ve worked so hard to protect. Make sure both you and your employees understand these specific email phishing examples and all of the telltale signs of a phishing attempt.

David Ellis (GCIH, QSA, PFI, CISSP) is VP of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.


