The average office worker receives 121 emails per day. When faced with information overload such as this, it can be easy to let your guard down and fall for a phishing attack.
Phishing is one of the largest security threats out there. They take many different forms and often resemble the types of communications you receive every day — internal team communications, special offers from your favorite companies, or specific emails that pertain to your role (support tickets, leads, incidents, etc.). Plus, they are getting more sophisticated over time, making them even harder to detect.
Phishing attacks only work if they convince you to take an action. The best defense against them is knowing how to identify a phishing attack when you encounter one, so you can ignore it and report the incident to your security team. Familiarize yourself with the basics of phishing, so you can protect yourself, your team and your entire organization from a dangerous situation.
What is phishing?
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
There are a few different types of phishing attacks to be aware of:
- Traditional phishing. Traditional phishing emails are often sent to a large number of targets so the attacker has a better chance of getting a bite. They can vary in sophistication and are generally vague so they can apply to a majority of people.
Spear phishing. This is a pinpointed attack against some subset of people (users of a website or product, employees and executives of a company, members of an organization) to attempt to undermine that company or organization.
Whale phishing. Whaling attacks target C-level staff like CEOs, CFOs, COOs, or any other senior executives. These targets are considered to be big players in the information chain of any organization and are commonly referred to as the “whales.”
Phishing is different and more dangerous than spam. Spam is simply unsolicited emails, usually from someone trying to sell something. Unlike phishing, spam does not attempt to acquire sensitive information.
How does phishing work?
Phishing attacks work because they take advantage of your emotions. By creating a false sense of urgency or threatening a serious consequence, they can spark you to take action without thinking critically about the validity of the request.
Manipulating a situation like this is known as social engineering. Social engineering is the practice of manipulating people so they give up confidential information. Criminals use social engineering tactics because it is usually easier to exploit a person's natural inclination to trust than it is to discover ways to hack your software.
Social engineering attacks don't always look the same — they can be anything from an email to a face-to-face interaction. However, the most common form of social engineering is a phishing email.
The real threat
Security is all about knowing who and what to trust. It is important to question every piece of correspondence you receive, even when it appears to be from colleagues or even your top executives. Phishing attacks work because they catch us when our guard is down.
When asked, any security professional will tell you that the biggest security risk that any company has is the employees themselves. An employee who mistakenly trusts a false source can quickly cause a chain of events that could lead to a major security breach … and hackers know this. Because of this, the majority of cyber attacks have some sort of social engineering component.
6 ways to spot a possible phishing attack
Phishing emails often appear normal, but it’s easy to identify warning clues if you know where to look. These are a few clues you can look for to spot a possible phishing attack.
1. Suspicious email address
Even if the email seems legitimate, always check the full email address in the “from” field. For example, even if an email says it’s from Apple Support, the email address might not be within the @apple.com domain. If the address is suspicious in any way, this is a clue that you should proceed with caution and not take immediate action on anything presented in the email, even if it purports to be urgent.
2. Generic greeting and language
Phishing emails are often sent to a large batch of people, so you might see generic greetings and requests. That way the phishing attempt can appeal to the most people. For example, an “urgent matter that needs your help right away” is unspecific. If someone in your organization legitimately needed your help, they would probably use language specific to your role, industry or the organization. Lack of specifics should give you pause.
Emails from legitimate businesses don’t usually have glaring spelling mistakes, poor grammar or unnatural language. For example, an email that says ZenDesk instead of Zendesk is a small clue that the person writing is not actually familiar with the organization. This should get your spidey sense tingling.
4. Questionable links or attachments
As a best practice, never click on any hyperlinks or download any attachments from emails you aren’t expecting. You can verify the validity of a link by hovering over the link and checking if the URL is consistent with what you’re expecting.
5. No email signature
While this doesn’t always mean phishing, a lack of details about the sender can be a warning sign. Think about past emails you’ve received from vendors, partners, sales reps, etc. — they always provide contact information because they want you to contact them. If the signature is vague or lacking necessary context, think twice before taking an action within the email.
6. Unreasonable request
Use your common sense — Does the sender’s request seem natural and reasonable? Are you being strongly compelled to follow a link, open an attachment, or submit credentials? Does the message warn of dire consequences if you fail to respond? Is this the kind of language the sender would normally use? These can be clues that someone is masquerading as someone they aren’t, maybe even a top executive at your company. If it seems funny, trust your gut and report it to your security team right away.
If you suspect a possible phishing attack, do not click on anything or take any action in response to the email. Notify your security team and let them evaluate the threat. They can guide you on any further action to take if needed.
Prevent phishing attacks by enabling two-factor authentication
You can mitigate the impacts of a phishing attack at the organization level by implementing two-factor authentication (also known as multi-factor authentication) as a security best practice. That way, even if an individual on your team falls prey to a phishing attack, hackers won’t be able to access their account because they won’t have access to their second factor (often a phone or other mobile device). See here for instructions on how to enable two-factor authentication in Zendesk Support.
We all have to work together to keep ourselves and our organizations safe. Be vigilant, question everything and remember—if something seems “phishy,” it probably is.