Phishing scams - How to spot a phishing scam, fake email, and text
Phishing scams are wreaking havoc on businesses
We’ve outlined how you can spot a phishing email, text, and phone call!
As phishing scams are on the rise, you might be wondering how to spot them. These scams can present themselves as emails, calls, and texts.
You don’t need to launch a big investigation every time you want to see if an email is a phishing scam. There are some simple tips and tricks that’ll give it away.
However, if an email doesn’t contain any of these techniques, you should still follow your instinct if you suspect it's fake. This is the same for potential fake calls, social media posts, and text messages. Always be vigilant and make sure you and your team are reporting potential scams.
The amount of cyber-attacks has increased significantly over the past few months, especially via email, call, and text. Social engineering, one of the most common threats, has skyrocketed more than any other attack.
Every business is at risk of receiving these types of cyber-attacks, regardless of the business size. Data is important to any business, making it exceptionally valuable to hackers. But, by making sure you have the right security protection in place, you can help to prevent these unwanted attacks.
At CapNet, we want to help you and your team identify phishing scams. So, here are some useful tips on how to spot phishing scams, fake emails, and texts!
1. Check the email address of the sender:
Typically, when someone opens an email, they’ll check the content as well as the name of the sender. However, it can be easy for people to ignore the email address of the person who sent it. The email address can hold many clues as to whether it’s a phishing scam. Here are two of things to look out for:
The domain name: Most legitimate companies will have their company name as their domain. If it ends with gmail.com or WordPress.com, there’s a chance it might be fraudulent.
Random placement of letters and numbers: All companies should include their name within the structure of their email or web address. However, if you notice there are spelling mistakes or random placements of letters or numbers, this could be an indication that it is a fake email.
For example, if an email address looks like this: amazon@customers-service-345.com. Though you can see the genuine company name ‘Amazon,’ in the address, the random numbers ‘345,’ aren’t present in a genuine Amazon email. This indicates that this is a fake email.
However, even if the domain or email is genuine, you should still be cautious. Cybercriminals can often hack into accounts and find conversations between yourself, customers, or suppliers. They look for these conversations because they know trust has been built. They can then complete these conversations and take valuable information from yourself, your suppliers, or your customers. So, you need to make sure everyone is aware of this, and any suspicious emails/texts you might receive, it’s worth following up with a phone call just to be sure it’s legitimate. It’s also worth asking your suppliers and customers to call you directly if they suspect a text/call is fake.
(An example of a fake email designed to look like it’s from Outlook).
2. Check the tone that’s being used:
When you receive any communication from a professional company, they shouldn’t make you feel threatened.
Here is an example of how this might look:
‘Hello
How are you doing? I'm in an important conference right now, can't talk o phone only available through texts at the moment and i need some certain tasks to be carried out by you ASAP. Kindly drop me your cell/whatsapp number to text you on immediately.
NB: This is Urgent.’
It’s not best practice to make anyone feel that they need to respond to them or risk repercussions. Like the example above, scam emails will often make you feel this way and create a sense of urgency.
If an email is making you feel this way, don’t worry about it. Report the email as the likelihood is, it’s a scam and it’s trying to make you feel that way.
The image on the right is a common text that is going around at the minute. The cybercriminals are impersonating Royal Mail and have sent the message to a random selection of people. They will rely on these victims to have ordered a package that’s genuinely being delivered by Royal Mail.
These people will then panic as the text is telling them that ‘Failure will result in your parcel being returned…’ This is threatening/pressuring language. It’s easy to see why so many people will fall for this, especially if you’re waiting on an urgent package.
It can be common for cybercriminals to impersonate suppliers and send these messages out to multiple companies. If you’re unsure if it’s a scam, you’re best to contact your supplier’s genuine phone number and ask them to track your parcel.
(A common phishing text from a cybercriminal pretending to be Royal Mail).
3. Check the language that is being used:
Most phishing scams will attempt to tell a story so that they can mislead you into clicking on a link.
Examples of this can include:
Wanting you to click on a link to make a payment.
Saying they’ve noticed some suspicious activity or log-in attempts.
Telling you there’s a problem with your account or your payment information.
Saying you have a withstanding balance to pay, despite already paying that balance to the genuine company. It's also possible that you've never shopped with that company before.
Asking you to confirm personal information.
Including fake invoices.
Saying you are eligible to register for a government refund.
The example on the right is telling a false narrative that the victim’s billing information is incorrect, and they will risk their account being terminated. Rather than ask them nicely to ring them, or pop into their local store, they are asking them to click a link to update this information. Usually, the victim will enter their bank details and send them straight over to the cybercriminal.
A company would never ask you to send over your bank details. They would also avoid using language that can scare you into handing personal information over as it’s unprofessional.
(A fake email that is asking for your bank details).
4. Check for any spelling or grammatical mistakes:
Emails that are being sent on behalf of a company will have been produced by professional writers so they can check over the content for spelling, grammatical, or legality errors.
If you’ve received an unexpected email from a company, and it’s filled with these mistakes, it could be a sign that it’s a phishing scam.
However, hackers will usually have access to spell check, so don’t rely on spelling mistakes alone. Keeping a lookout for grammatical errors is also a good way to spot phishing scams.
A theory that many believe is that cybercriminals produce poorly written emails/texts on purpose so they can see who isn't paying attention.
Notice how the image on the right spells ‘information,’ as ‘informations,’ and they don’t address the customer by their name? These are usually a sign of a scam, so always look out for these errors.
Sometimes a mistake in an email or text can just be an accidental typo, but you should always be vigilant and never send someone your personal information.
(A fake PayPal email with common phishing errors).
5. Check what they are asking for:
Companies will never ask you to send over personal details by email, text, or call. Most companies are very understanding that people might not feel comfortable handing these details over without proof the company is legitimate. If a company is demanding that you send over bank details, you need to be careful.
Usually, when an email/text is asking for this information, it’s because they’ve either been hacked, or someone is sending out messages or calls from their account.
If you typically receive emails asking for certain details from another department that you trust, you should still be careful in case their account has been compromised.
However, if they are asking for details that they’ve never asked for before, you need to report them.
The image on the right looks like an innocent notification from Android. However, this is an account a cybercriminal created to replicate Android. If a victim were to enter their bank details, they’d be sending them straight over to a cybercriminal.
(A cybercriminal impersonating Android).
6. Check all our above tips before taking further action:
Before you even consider opening an attachment, checking a link, or sending any details over, you need to make sure you have thoroughly analysed what it is they are asking you to do.
Once you’ve opened one of these attachments, links, or sent personal details over to a hacker, it’s too late. You’ll have possibly opened malware, or even compromised customer or employee details.
Everyone in your team must work together to make sure you are following the right steps when you receive a possible phishing attack. It only takes one person in your team to fall for these phishing scams, and your business will face a lot of serious consequences.
The image on the right is an example of a malware attack. If staff click this link and download the PDF, they will risk this spreading and damaging the network or data.
(The PDF will likely contain threatening Malware).
To conclude…
Just because an email, text, or call seems genuine, doesn’t mean it is. Despite what some people may think, hackers are exceptionally intelligent. Creating a fake email account, website, or gaining access to someone’s genuine account is easy to work for them.
Just because an email or text contains a company logo, doesn’t mean you should trust it. Also, a lot of scammers may come across as genuinely nice people, especially over the phone. They take advantage of kind people, so make sure they don’t take advantage of you or your business.
Falling for these attacks will show them that you might be an easy target in the future, causing them to bombard you with constant phishing scams.
If you receive a phone call and you’re unsure if it is genuine, the best thing you can do is hang up and dial the number on any old correspondence. If you ring the company and tell them about any suspicious communication, they can confirm if it is a scam.
For example, if you receive a call from your bank, and you’re unsure if it is real, hang up and call the number on the back of your card.
Now that you know how to spot phishing scams, it’s down to you and your team to make a cybercriminal’s job more difficult. By not clicking on suspicious links, handing over personal data, and reporting them, you will be able to avoid this dangerous attack.
At CapNet, we always want to help our customers. We offer many security services such as Cyber Essential Training, Email Spam Filters, and Pentest’s. We also offer many other great services to keep your company safe.
Additionally, we offer free cybersecurity news and advice on our blog, as well as more on our security services.
Additional examples of a phishing scam:
Example 1:
(Example of a phishing attack designed to look like a genuine PayPal email).
The image above might seem like an innocent email from PayPal. Especially as many of us don’t have the time to sit and skim through large paragraphs.
However, it’s this very thinking that will have cybercriminals targeting your business with frequent phishing scams.
(Common mistakes that identify it as a phishing scam).
Taking just a few minutes to analyse the email, text, or call and what exactly it is they’re asking from you, will make you less susceptible to falling for a phishing scam.
The analysed image above doesn’t address the customer by their name, doesn’t use a correct URL, and contains some unsecured websites.
However, even if an email is typed out perfectly and doesn’t contain any of these common mistakes, doesn’t mean that it isn’t a phishing scam. You should ALWAYS be vigilant and never send any sensitive data over to anyone unless you are 100% sure.
Example 2:
(Phishing scams imitating suppliers is extremely common).
This email from UPS is an extremely common type of phishing attack. Since lockdown, with most shops being closed for extended periods, more and more people have been ordering online. So, we have seen a rise in cybercriminals impersonating suppliers.
It can also be easy to fall for. The cybercriminal has managed to make the email look realistic, using the company logo. Usually, when you click the link, it’ll take you to a website that looks identical to UPS.
However, cybercriminals are experts at replicating websites and emails. So, you need to be careful and look for mistakes or clues that give it away.
(UPS wouldn’t make these types of mistakes or have fake URLs).
This UPS email has been almost perfectly written by a cybercriminal. We found very few mistakes, which would have caused a lot of people to fall for this phishing scam.
However, notice how they use an uppercase for ‘Suspension,’ and ‘Ongoing,’ when we know that they should be lowercased.
These are the types of errors you should be looking out for. It’s also best practice to check all the URLs in the email. This is because some of them can be genuine, to increase the chance that someone will fall for them. However, when we ran one of the links, we discovered that it was fake.