How to detect and avoid phishing?

According to CISA, the US Cybersecurity and Infrastructure Security Agency, 90% of all cyberattacks begin with phishing. Phishing is consequently a major issue that every company should address.

Let’s start with the basics: phishing is “the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers” (Oxford dictionary).

Phishing emails therefore aim to fool employees into handing an attacker a way into the company’s information system: a password, a payment, or a click that installs malware. That’s why the best strategy is to train your staff so that they learn to spot them.

Let’s play!

Here is a small quiz to test your phishing awareness. Can you tell which of the four emails below are phishing and which are genuine? Please leave a comment and share your answer!

Well, as you certainly noticed, all four emails above are phishing! Have you worked out why?

How do we spot them?

To recognize them, look for a few common characteristics. If both you and your workforce are familiar with them, the risk of a successful attack drops sharply. No single sign is proof on its own, so weigh them together.

Below are 8 tips to help you recognize them. Let’s get familiar with them and thwart the attacks!

  • The email is from an unknown sender.

The sender address should belong to your company or to an organisation you already deal with (e.g., @microsoft.com, @mysupplier.com, @myclient.com). Check the actual address, not just the display name: a message shown as coming from “IT Support” or a well-known brand may carry an address on a lookalike domain (an extra word, a swapped letter, a different ending). And because the From address itself can be forged, a familiar address is reassuring but not proof.

  • The body of the email is an image.

A common trick is to send the whole message as a single image rather than text: spam filters can’t read the words, and recipients don’t notice they’re looking at a screenshot, so it’s hard to detect. To check, try selecting the text with the mouse; if nothing can be selected, it’s an image. Hovering over it usually reveals a link target too, because the whole image is typically one big clickable link. Legitimate companies rarely send a message whose entire body is one image, and such screenshots are often blurry.

  • The email contains bad grammar and spelling mistakes.
  • The greeting is generic.

Phishing emails typically use generic salutations such as “Hi Dear,” “Hi User,” or simply your email address: “Hi antoine@apisconsulting.cn.”

  • The email demands urgent action.

These emails typically stress urgency (“your password will expire today”; “update your bank details now” …) so that you act before you think. If you feel pressured, the first step is to slow down and analyse the message!

  • The email arrives at an unusual time.

Unless you work for a multinational company, your IT department won’t contact you outside business hours. After all, IT people are human beings too! Keep in mind that the time shown is whatever the sender’s mail client claims, so an odd hour is a hint, not a verdict.

  • The email has a suspicious attachment.

Do not open any attachment if the sender is unknown and/or the email is unexpected. Be on the lookout for high-risk attachment types such as .exe, .hta, .html, .application, .vbs, .ps1, .js, .lnk and .iso, for macro-enabled Office documents (.docm, .xlsm), and for double extensions such as invoice.pdf.exe, where only the last extension counts.

  • The email includes suspicious links.

Do not click on links in a message you weren’t expecting. Hover over the link (or the image) with the mouse and the real destination will be displayed. What matters is the domain of that destination, not the text you see: read the host name from the right, just before the first single slash, and remember that a long address that merely contains a familiar company name somewhere is not that company’s site. If you don’t recognise the domain, don’t click on it!
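Putting the eight signs together, here is an added example (not code from the original article or from APIS Consulting) that triages one raw email using only Python's standard library. The sample messages, the allowlist of known domains and the 08:00-18:00 business-hours window are constructed assumptions; `registrable_domain` is a deliberate simplification that a real tool would replace with the Public Suffix List, and the tag-stripping regex stands in for a proper HTML parser.

```python
"""Triage one raw email against the eight signs above (added example, not code
from the article or from APIS Consulting; standard library only). SAMPLE,
BENIGN, KNOWN_DOMAINS and the business-hours window are constructed assumptions."""
import email, email.policy, email.utils, re
from urllib.parse import urlsplit

KNOWN_DOMAINS = {"apisconsulting.cn", "microsoft.com"}   # assumed allowlist
RISKY_EXT = {"exe", "hta", "htm", "html", "application", "vbs", "ps1", "js",
             "lnk", "iso", "docm", "xlsm"}
GENERIC_GREETINGS = ("hi dear", "hi user", "dear customer", "dear user")
URGENCY_WORDS = ("expire today", "immediately", "within 24 hours", "urgent",
                 "suspended", "act now")

SAMPLE = """\
From: "Microsoft Account Team" <security@microsoft-support-center.com>
Subject: URGENT: your password will expire today
Date: Sat, 14 Oct 2023 02:13:00 +0800
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi User,</p><img src="cid:notice"><p>
<a href="https://login.microsoft.com@secure-update.xyz/reset">www.microsoft.com/reset</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

BENIGN = """\
From: "IT Support" <it@apisconsulting.cn>
Subject: Monthly maintenance window
Date: Mon, 16 Oct 2023 10:05:00 +0800
Content-Type: text/plain; charset="utf-8"

Hello Antoine, the file server will be patched on Friday evening. Regards, IT
"""


def registrable_domain(host):
    """Last two labels of a host; real tooling should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw):
    """Return human-readable findings; an empty list means no sign fired."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    # 1. Unknown sender: judge the real address, not the display name.
    name, addr = email.utils.parseaddr(str(msg["From"] or ""))
    sender = registrable_domain(addr.rpartition("@")[2])
    if sender not in KNOWN_DOMAINS:
        findings.append(f"unknown sender domain: {sender}")
    for known in KNOWN_DOMAINS:   # brand in the display name, other domain in the address
        if known.split(".")[0] in name.lower() and sender != known:
            findings.append(f"display name suggests {known} but address is @{sender}")
    # 2-5. Image-only body, generic greeting, urgency wording (subject + body).
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = " ".join(re.sub(r"<[^>]+>", " ", html).split())   # crude tag strip
    low = (str(msg["Subject"] or "") + " " + text).lower()
    if re.search(r"<img\b", html, re.I) and len(text) < 40:
        findings.append("body is essentially one image")
    if any(g in low for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    if any(w in low for w in URGENCY_WORDS):
        findings.append("urgency wording")
    # 6. Sent outside 08:00-18:00 Mon-Fri in the sender's stated timezone (assumed window).
    if msg["Date"]:
        sent = email.utils.parsedate_to_datetime(str(msg["Date"]))
        if sent.weekday() >= 5 or not 8 <= sent.hour < 18:
            findings.append(f"sent outside business hours ({sent:%a %H:%M})")
    # 7. Risky attachment type; only the last extension counts (invoice.pdf.exe is an .exe).
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if "." in fname and fname.rsplit(".", 1)[1].lower() in RISKY_EXT:
            findings.append(f"risky attachment type: {fname}")
    # 8. Links: the real target is urlsplit(href).hostname, which is the part after
    # any "user@" prefix, so "https://login.microsoft.com@evil.example/" lands on evil.example.
    for href, shown in re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html, re.I | re.S):
        target = registrable_domain(urlsplit(href).hostname or "")
        if target not in KNOWN_DOMAINS:
            findings.append(f"link to unknown domain: {target}")
        shown = " ".join(re.sub(r"<[^>]+>", " ", shown).split())
        if "." in shown and " " not in shown:   # the visible text itself looks like a URL
            displayed = registrable_domain(
                urlsplit(shown if "://" in shown else "//" + shown).hostname or "")
            if displayed != target:
                findings.append(f"link text shows {displayed} but target is {target}")
    return findings
```

Calling `triage(SAMPLE)` fires all eight signs (nine findings, since the link is reported both for its unknown domain and for the mismatch with its visible text), while `triage(BENIGN)` returns an empty list. The `user@host` trick in the sample link is why the code reads `urlsplit(...).hostname` instead of the beginning of the address, which is exactly what a hurried reader does.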

How can companies protect themselves?

Awareness and education are key!

Companies can protect themselves in two main aspects:

  • By regularly training their staff on cybersecurity risks,
  • By hardening their email system, for example with anti-phishing filtering and a warning banner whenever a suspicious or external email is received.
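As an added example of the second point (not code from the article or from APIS Consulting), the rules below act on the Authentication-Results header that a receiving mail server adds with its SPF, DKIM and DMARC verdicts: a message claiming to be from the company's own domain without a DMARC pass is quarantined, as is any DMARC failure, and every other external message is delivered with an [EXTERNAL] tag in the subject and a banner at the top of the body. INTERNAL_DOMAIN, the two sample messages and the policy thresholds are assumptions. The header must have been added by your own trusted server; because an attacker can insert a forged one, production gateways strip any incoming Authentication-Results header bearing their own server name before adding theirs.

```python
"""Gateway-side rules driven by the Authentication-Results header that the
receiving mail server adds with its SPF, DKIM and DMARC verdicts. Added example
(not code from the article or from APIS Consulting); INTERNAL_DOMAIN, the two
sample messages and the policy itself are constructed assumptions."""
import email, email.policy, email.utils, re

INTERNAL_DOMAIN = "apisconsulting.cn"          # assumed: the organisation's own domain
BANNER = ("[EXTERNAL] This message came from outside the organisation. Do not open "
          "attachments or follow links unless you were expecting it.\n\n")

EXTERNAL_OK = """\
Authentication-Results: mx.apisconsulting.cn; spf=pass smtp.mailfrom=mysupplier.com; dkim=pass header.d=mysupplier.com; dmarc=pass header.from=mysupplier.com
From: "Accounts" <billing@mysupplier.com>
Subject: Invoice 1234
Content-Type: text/plain; charset="utf-8"

Please find invoice 1234 attached.
"""

SPOOFED_INTERNAL = """\
Authentication-Results: mx.apisconsulting.cn; spf=fail smtp.mailfrom=apisconsulting.cn; dkim=none; dmarc=fail header.from=apisconsulting.cn
From: "Antoine" <antoine@apisconsulting.cn>
Subject: Please pay this supplier today
Content-Type: text/plain; charset="utf-8"

Wire the amount to the new account below before noon.
"""


def auth_results(msg):
    """Collect 'spf=pass', 'dkim=fail', 'dmarc=none' style verdicts into a dict."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def apply_policy(raw):
    """Return (action, message); action is 'deliver', 'tag' or 'quarantine'."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    _, addr = email.utils.parseaddr(str(msg["From"] or ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    if from_domain == INTERNAL_DOMAIN:
        # Our own domain in From but no DMARC pass: the message did not come from
        # our servers, so it is a spoof (or a broken relay). Never deliver it quietly.
        return ("deliver" if auth.get("dmarc") == "pass" else "quarantine"), msg
    if auth.get("dmarc") == "fail":
        return "quarantine", msg
    # External mail that authenticated, or whose domain publishes no DMARC policy:
    # deliver, but make its origin obvious in both the subject and the body.
    subject = "[EXTERNAL] " + str(msg["Subject"] or "")
    del msg["Subject"]
    msg["Subject"] = subject
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        body.set_content(BANNER + body.get_content())
    return "tag", msg
```

`apply_policy(EXTERNAL_OK)` returns "tag" with the subject rewritten to "[EXTERNAL] Invoice 1234"; `apply_policy(SPOOFED_INTERNAL)` returns "quarantine", which is the case the staff-training tips above cannot catch, since the address looks exactly like a colleague's. Quarantining every DMARC failure is stricter than what the sender's published DMARC policy may request; that choice is part of the assumed policy.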

At APIS Consulting, we can help you reinforce your IT security practices and cyber security awareness. You can contact us by email at contact@apisconsulting.cn, or add Antoine on WeChat via the QR code below, if you need training, cyber security audits, help strengthening your IT security, and/or outsourced IT security.


Antoine Pilarczyk founded APIS Consulting in 2021 to help companies in China improve their cybersecurity awareness. He is a certified ISO 27001 Lead Auditor and Lead Implementer.

One response to “How to detect and avoid phishing?”

  1. Telkom University

    How would you define phishing, and what is its primary objective according to the provided text? Regards, Telkom University
