Can You Spot A Spoofed Email?: How To Protect Your Business From Today’s Biggest Phishing Risks
Have you ever received an email from a client you regularly communicate with, but it looks… “off”? Or perhaps you’ve received an email from a bank that you don’t hold an account with, or a company requesting that you pay an invoice for goods you never even purchased.
What you’ve encountered is most likely a phishing email.
This is the first in a series of blog posts on phishing, in which we want to educate you about what phishing is, the different types of phishing you could encounter, and how you can protect yourself from this widespread cybersecurity risk.
Read on to learn more about email spoofing and brand impersonation, the most common phishing risks employees encounter, and how we at Orange County Computer can help you implement solutions to guard against a phishing attack.
What is phishing?
Did you know that 97% of employees cannot identify a sophisticated phishing attempt? Phishing is a cyberthreat that employees face every day and they’re unfortunately likely to take the bait.
Phishing is the star of the cybercrime world. It is a type of social engineering attack that is used to steal user data – this can include usernames and passwords, credit card numbers, sensitive company information, and more. Cybercriminals pose as a trusted entity, tricking the victim into opening an email, instant message, or text message, which could contain a malicious link or attachment. The link could lead to a website that prompts the victim to enter login credentials or other personal details, or that installs malware. An attachment may contain a harmful script or compressed file which, upon opening, could deploy a ransomware payload that encrypts the victim’s data, makes it inaccessible, and holds it hostage until the cybercriminal’s “ransom” is paid. At this point, the victim is in a vulnerable position: even if the ransom is paid, there is a chance that the decryption key will not be provided as promised.
From business email compromise to malware / ransomware, all of today’s harmful cyberattacks begin with phishing, most of which lead to catastrophic consequences. For companies and individuals alike, this can include the loss of intellectual property or money, damage to reputation, data theft, and disruption of operational activities. With people continuing to work from home and hybrid work environments persisting post-pandemic, individuals and employees across the board need to be extra careful and stay alert when reviewing emails. Of the types of phishing risks that have become widespread, businesses need to take email spoofing and brand impersonation seriously.
Can you spot a spoofed email?: Beware of email spoofing and brand impersonation!
Email spoofing and brand impersonation are two of today’s biggest phishing risks. According to Digital in the Round, about 25% of the emails that companies receive from brands like Amazon, LinkedIn, or Google are phishing attempts. In the case of spoofing, cybercriminals take a real email, copy it, then use it to initiate a phishing attack. With brand impersonation, a cybercriminal pretends to send messages from a well-known brand or company in order to pass themselves off as a trusted source. Both methods con unsuspecting recipients into interacting with the message by disguising it as something harmless or by offering a product that’s desirable. And while Microsoft normally spearheads the list of brands that cybercriminals imitate the most, ZDNet reports that DHL topped the list as the most imitated brand at the end of Q4 2021. With more individuals and companies relying on email and on online shipping and shopping options, it is important to know how to spot the difference between a real and a fake message. Educating employees is a first step companies can take to stop a cybersecurity risk from turning into a cybersecurity threat. We at Orange County Computer are more than happy to take it further by assessing your network environment and helping implement security solutions for you, based on your company’s IT needs.
New Emails in Your Inbox: Red Flags to Look For
Don’t currently have a strong firewall or an email scanner in place to filter out potentially harmful emails? Informed and attentive employees are the first line of defense. Use the list below to identify phishing risks and prevent them from turning into cyberattacks:
- Check the sender’s domain and email address: Real companies send emails from their official domain – look at what follows after the “@” symbol in an email address. For example, a legitimate email from Microsoft would include “@microsoft.com”, not variants like “@microsoft.business.com”. If a domain looks unusual, check the address on the company’s website.
- Pay attention to the header and footer for clues: If the header or footer conflicts with or is different from previous emails you’ve received from that brand or company, it is likely the email is a phishing attempt.
- Look at the subject line and preheader: Does the subject line or preheader of a message seem a little “off” to you? Are there odd phrases, emojis, or weird items in the subject line and / or preheader? If yes, that indicates phishing.
- Analyze the content and implied urgency: Insisting that an action is urgent, offering a special that’s too good to be true, or demanding that a company must make a payment before services are cut off are all signs of phishing.
- Beware of formatting red flags: This is where most people catch phishing attempts. If the email has strange formatting, spelling errors or bad grammar, or company colors, fonts, and logos are “off”, it’s most likely phishing.
- Be wary of unexpected attachments like PDFs or Word documents: If you aren’t expecting an attachment or an attachment looks suspicious because it has a strange name, the attachment might be malware or ransomware, which are usually deployed through phishing.
- Use caution if a message asks you to log in through a new link: Hover over the links a message asks you to click to see whether they actually lead to the company’s real domain, or skip the link entirely and log in on the company’s site directly. Phony password reset requests are a staple of phishing.
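Two of the checks above, the sender’s domain and where a link really points, can be automated for an email triage script or a training exercise. The following added example (our illustration, not a tool from Orange County Computer) parses a constructed message in which the display name says Microsoft but the address uses the lookalike “microsoft.business.com” and the link text hides a different destination; the official domain list and the sample message are assumptions for the demo.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the original post): the display name
# says Microsoft, but the address and the "sign in" link point elsewhere.
RAW_EMAIL = b"""From: Microsoft Account Team <security@microsoft.business.com>
Content-Type: text/html; charset=utf-8

<p>Your password expires today.</p>
<p><a href="http://login.microsoft-verify.example">https://login.microsoft.com</a></p>
"""
OFFICIAL_DOMAINS = {"microsoft.com"}  # domains the brand really sends from

def domain_is_official(host, official=OFFICIAL_DOMAINS):
    """Exact official domain or a true subdomain: 'mail.microsoft.com' passes,
    'microsoft.business.com' and 'rnicrosoft.com' do not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in official)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((self._href, data.strip()))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def red_flags(raw):
    """Return the sender- and link-related red flags found in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags, sender = [], msg["From"].addresses[0]
    if not domain_is_official(sender.domain):
        flags.append(f"sender domain not official: {sender.domain}")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""  # where the link really goes
        if not domain_is_official(host):
            flags.append(f"link goes to non-official host: {host}")
        if text.startswith("http") and (urlparse(text).hostname or "") != host:
            flags.append(f"link text {text!r} hides real target {host}")
    return flags
```

Running `red_flags(RAW_EMAIL)` on the sample reports three flags: the lookalike sender domain, the non-official link host, and the mismatch between the link’s visible text and its real target.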
If your email address has been spoofed, breached or if you have been a victim of a phishing scam and have concerns about your system or network, our team is happy to help. For information on how to secure your data and protect your domain reputation, contact a member of our sales team by calling (949) 699-6619 or email us today.