Cyber criminals are exploiting the COVID-19 situation, stepping up their efforts to get users to click on links to a donation site, look at a virus cure, or buy ‘hard to get’ items such as hand sanitiser.
Their emails are specifically designed to get you to click before you think, and with so many people currently working from home it’s a timely reminder not to relax our vigilance when it comes to spotting malicious emails.
More than 90% of cyberattacks start with phishing emails and even the savviest of us can occasionally be fooled, especially when we are particularly busy, under pressure or outside our usual environment.
Here are a few simple tips worth remembering, before you click.
- Has the email come from a trusted source?
Take a look at the ‘From’ address. Attackers can easily impersonate email addresses or domains that are familiar to you, such as HMRC, or your bank, the TV Licensing Authority or even your boss. Some will even contain official-looking logos or graphics.
- Are your contact details correct?
Be wary of emails that use generic terms of address such as ‘hi there’ or ‘dear customer’ rather than your name, especially if they purport to be from a reputable organisation that you know has your proper contact details.
- Phishing emails often look genuine.
We often see what we expect to see. For instance, if you have accounts with Netflix, Google or Amazon Prime and often receive emails from them, it would be relatively easy to accidentally open a spoof email purporting to be from one of them. Watch out for tricks such as emails offering Netflix deals when you are already a member, or a message about Amazon Prime content that has been sent to an address other than the one you registered with Amazon.
If you are quick to click, you can inadvertently land on a spoof site that asks you to log in. It will look real, but it is asking you to validate details that do not match what you actually have. The test here is that you could log in with complete nonsense and it would still let you in – the spoof site thinks it has just stolen your real login details. We recommend setting up a separate email address just for services like iPlayer, Netflix and Amazon Prime and not using that address for anything else, so that when spoof emails arrive you can easily see they have come to the wrong address.
- What’s the subject of the email?
Does it look suspicious? Is it worded in such a way that you might be lured into clicking before you really think about it, such as being titled ‘important updates’? A subject line that encourages fear or curiosity can often make us react in haste.
- What’s the urgency level?
Does the email encourage you to ‘act now’ or lose out? For example, it might say there has been fraudulent activity on your credit card and you need to click a link or call a number to discuss it. Criminals want you to act quickly, before you have time to think about it.
- How is the spelling and grammar?
According to the National Cyber Security Centre many phishing emails originate overseas and often the spelling, grammar and punctuation are poor.
- Is the mail relevant to your job role?
Check whether the content relates to what you do. If you work in the first-line support team of an IT company and someone appears to be chasing payment of an invoice, it’s likely to be an attempt to get you to forward the email, link or attachment to your colleagues in the finance team.
- Does the email refer to an action you haven’t taken?
Does it say ‘further to your enquiry about X, here is some more information…’ when you know you haven’t made any enquiry? Check whether there is an email trail that legitimises the tone, or whether the email has come out of the blue.
- Is there an attachment showing up?
Attachments can come in many forms, from HTML and PDF files to what look like simple Word documents. If the email looks in any way strange, do not open the attachment or forward the email to anyone else.
- Watch out for links
Attackers want you to click on malicious links in order to get you to download malware, which can quickly spread through your organisation causing disruption or even total paralysis, accompanied by a ransom demand in return for your business information. An easy way to check a link is to hover your mouse over the ‘click here’ text without clicking; this reveals the real destination of the link, which may be quite different from the text you can see.
- Report it
Always notify your IT manager or support team of any emails that look suspicious. Your organisation should have a multi-layered combination of technological, process and people-based security in place to improve resilience and protect the business.
By reporting fake emails, you protect yourself and your organisation and help to prevent others falling victim to a cyberattack.
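Several of the tips above (trusted sender, generic greeting, urgency wording, and the ‘hover over the link’ check) can be applied automatically to a raw email before it reaches a reader. The following is an added example, not code from the original article or from any vendor; the phrase lists, the lookalike domains and the sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phrase lists for the 'urgency' and 'generic greeting' tips; not exhaustive.
URGENCY = re.compile(r"act now|immediately|within 24 hours|account (?:will be )?suspended|fraudulent activity", re.I)
GENERIC = re.compile(r"\b(?:hi there|dear (?:customer|user|member|sir/madam))\b", re.I)
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # (href, visible text)

def base_domain(host):
    # Crude registrable-domain guess (last two labels); a real tool would use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def host_of(text_or_url):
    return urlparse(text_or_url if "://" in text_or_url else "http://" + text_or_url).hostname or ""

def phishing_flags(raw_email):
    """Return the article's tips that this raw RFC 822 message trips (empty list = nothing obvious)."""
    msg, flags = message_from_string(raw_email), []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = base_domain(addr.split("@")[-1])
    brand = display.split()[0].lower() if display else ""
    # Trusted source: the display name claims a brand but the sending domain's own label is different.
    if brand and from_dom.split(".")[0] != brand:
        flags.append(f"from-mismatch: '{display}' sent from {from_dom}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and base_domain(reply.split("@")[-1]) != from_dom:
        flags.append("reply-to-mismatch")
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html"))
    if GENERIC.search(body):   # contact details: 'dear customer' instead of your name
        flags.append("generic-greeting")
    if URGENCY.search(body):   # urgency level: pressure to act before thinking
        flags.append("urgency-wording")
    for href, text in ANCHOR.findall(body):  # links: the 'hover over it' check, automated
        shown, real = base_domain(host_of(text.strip())), base_domain(host_of(href))
        if "." in shown and shown != real:
            flags.append(f"link-mismatch: shows {shown}, goes to {real}")
    return flags

# Constructed sample: a lookalike 'Netflix' message that trips most of the tips at once.
SAMPLE = """From: Netflix Billing <alerts@netflix-account-check.example>
Reply-To: support@mail-verify.example
Subject: Important updates - action required
Content-Type: text/html

<p>Dear customer,</p><p>There has been fraudulent activity on your card. Act now or lose access.</p>
<a href="http://login.netflix-account-check.example/verify">https://www.netflix.com/account</a>
"""
```

These are heuristics, not proof: a genuine message from a brand that sends from a different domain (or a domain under a two-part public suffix such as gov.uk) will trip the sender check, so treat the flags as reasons to report rather than a verdict.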
And don’t forget that our experts are here at the ready to help you with any training needs or security managed services.