
Have you ever received a text message or email from a convincing-looking sender asking you to hand over important information or money? That’s an example of a phishing attempt.
Phishing is a cybercrime that aims to extract money or valuable information from unsuspecting individuals or companies. Unlike other cyber threats, it doesn’t always involve malware or malicious files; many attempts rely purely on deception and social engineering.
Whether at work or in everyday life, email phishing is surprisingly easy to fall victim to, and you may not realise until it’s too late. Therefore, it’s crucial to learn the signs of phishing so you can spot an attempt before it succeeds.
This blog will discuss some common examples of phishing attacks and signs to watch for.
What is a Phishing Scam?
Put simply, phishing is a type of online scam where hackers trick you into giving away personal information, such as passwords, bank account details, or credit card numbers. They achieve this by pretending to be a trusted entity or person, such as your bank, workplace, delivery service, or even a family member.
Scammers usually spoof legitimate websites so that the fake site looks real. If you click the link and enter your details, scammers can steal your information and use it for fraud. These attacks can also lead to ransomware deployment and financial loss.
Types of Phishing Scams
Phishing Attacks
A phishing attack is usually performed on a large scale after an attacker gains access to a business email or contacts database. The breadth of data accessed means they can take advantage of everyday problems, such as missed deliveries, bank account issues, and family emergencies.
These attacks were especially prevalent during the COVID-19 pandemic, with scammers relying on a sense of urgency and fear to trick people. This correlated with the NHS’s heavy use of SMS and email communications during this time, which allowed scammers to blend their messages in with legitimate email campaigns.
Some sources cite incidents rising by upwards of 220% during the height of the global pandemic, proving that email phishing efforts are exceptionally damaging during difficult or stressful times.
Spear Phishing
Spear phishing differs from regular phishing as it incorporates a personal touch and usually has a specific set of targets.
An attacker will typically investigate you—whether as an individual or an employee—to create a more personal story to convince you to do something. They may even impersonate someone you know, like a family member or a colleague, and they usually target low-level employees to infiltrate businesses.
Vishing
Vishing is short for ‘voice phishing.’ It occurs when a scammer tries to steal sensitive information over phone calls, such as login credentials, names, addresses, or financial information. Once the scammer obtains these details, they are often exploited for criminal activities like fraud, financial theft, or identity theft.
Attackers usually pretend to be from reputable companies or organisations, like a bank, a delivery service, or government agencies like HMRC, and they may use freephone numbers to make their efforts more believable.
These attacks don’t always start over the phone—it’s common for scammers to deploy other phishing methods, such as smishing (SMS phishing), where they send fraudulent text messages urging the recipient to call a number. Once they’ve called, scammers often use social engineering tactics to coerce the target into sharing personal details.
How to Spot Phishing – Signs of Phishing to Look Out For
Recognising and acting on red flags can make the difference between staying secure and falling victim to a cyber threat. Here are some key signs of phishing that may help you identify a potential phishing attempt:
Spoofed Phone Numbers and Emails
Phishing emails often originate from domain names that resemble legitimate sources but with subtle differences. For example, a scammer might use ‘support@payypal.com’ instead of ‘support@paypal.com’. At first glance, an unsuspecting user may not notice this, but carefully observing the domain name can almost always help distinguish between a fake email and a legitimate email.
The same goes for phone calls; scammers often use numbers that may closely resemble an organisation or company’s actual phone number. For example, if a company’s number is ‘0800 123 456’, a scammer might use ‘0800 213 456’.
Urgent or Threatening Language
Phishing messages often try to incite feelings of panic or a sense of urgency, making the recipient more likely to act quickly or irrationally without thinking. Common phrases include:
- “Your email account has been compromised! Act now!”
- “Immediate Action Required: Unauthorised Login”
If an email phishing attempt pressures you to act immediately, verify the request with the actual company through official channels.
Not Addressing the Recipient by Name
Legitimate companies will distinguish themselves from hackers by addressing you by your first, last, or full name. Scammers will rarely have access to this information, especially large-scale attackers who obtain datasets to target groups of people.
Usually, they use a generic greeting like ‘Dear Customer’ or refer to you by your email account.
Companies may also employ other measures to identify themselves as legitimate email senders, such as quoting partial, intentionally incomplete details about you (for example, the last few digits of an account number). Again, scammers are very unlikely to have access to such sensitive information unless it originated from a data breach or a past phishing attack.
Grammatical Errors and Misspelled Words
Scammers often include misspellings or make grammar mistakes when writing and sending email phishing messages; this is usually a consequence of a lack of resources or, occasionally, a sender writing in a second language.
Most companies—especially large, recognisable ones like Microsoft—will proofread emails before they send them. Ensure you read suspicious emails carefully before interacting with them, as errors can often identify fraudulent behaviour.
Unprompted Email Attachments and Malicious Links
Cybercriminals often disguise malicious links and files as invoices, receipts, or urgent documents designed to trick victims into opening them. When opened, these files will likely run malware, ransomware, or spyware, causing disruption and financial turmoil.
Always verify the sender before downloading a file, and if an email phishing attempt seems suspicious, contact the sender through an official channel to confirm legitimacy. In particular, watch out for attachments with unusual extensions like .exe, .zip, or .js.
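The two mechanical checks described above (a sender domain that nearly matches a trusted one, and attachments with risky extensions) can be automated for inbound-mail triage. The following is an added example written for this post, not code from Stream or KnowBe4; the trusted-domain list, the risky-extension list, and the sample messages are all constructed for illustration.

```python
# Constructed sample data; the trusted list and messages are illustrative only.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "hmrc.gov.uk"}
RISKY_EXTENSIONS = (".exe", ".zip", ".js", ".scr", ".vbs", ".hta")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: 'payypal.com' vs 'paypal.com' is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or 'user@domain'."""
    addr = address.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that `domain` imitates, or None."""
    # Catches near-miss spellings and a trusted name used only as the leading
    # label of an unrelated domain (e.g. paypal.com.example.net).
    if domain in trusted:
        return None
    for t in sorted(trusted):
        if edit_distance(domain, t) <= max_distance or domain.startswith(t + "."):
            return t
    return None

def risky_attachments(filenames):
    """Filenames whose extension is on the risky list (case-insensitive)."""
    return [f for f in filenames if f.lower().endswith(RISKY_EXTENSIONS)]

def triage(message: dict) -> list:
    """Return human-readable phishing indicators found in one message."""
    flags = []
    dom = sender_domain(message["from"])
    imitated = lookalike_of(dom)
    if imitated:
        flags.append(f"sender domain '{dom}' resembles trusted '{imitated}'")
    for name in risky_attachments(message.get("attachments", [])):
        flags.append(f"risky attachment '{name}'")
    return flags

SAMPLE_MESSAGES = [  # constructed, not real mail
    {"from": "PayPal Support <support@payypal.com>", "attachments": ["Invoice_4471.zip"]},
    {"from": "HMRC <refund@hmrc.gov.uk.tax-rebate-example.net>", "attachments": []},
    {"from": "colleague@microsoft.com", "attachments": ["agenda.pdf"]},
]
```

Running `triage()` over each sample flags the first two messages and leaves the genuine one clean; a real deployment would feed the flags into a quarantine or user-warning banner rather than block outright, since the edit-distance check can also match legitimately similar domains.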
How to Train Your Staff to Avoid Email Phishing Attacks
Training your workforce on the signs of phishing, dangers, and consequences for themselves and the rest of the company is essential to minimising potential cyber threats. All it takes is one person to open a fake email or malicious website for it to spread across a company’s network.
At Stream, we’ve tackled multitudes of cybersecurity and connectivity issues for almost twenty years. We offer KnowBe4 Security Awareness Training, which includes a free phishing test.
You can immediately start your test for up to 100 users, choose languages and landing pages, show users the signs of phishing they missed, and compare your organisation’s susceptibility to others in your industry.
To further enhance security, companies should implement multi-factor authentication (MFA) for all email accounts and business systems. MFA adds an extra layer of authentication, making it significantly harder for hackers to gain access, even if passwords are compromised.
Contact us below to get started and discover more about how we can help your organisation become phish-proof.