People May be Too Fearful of Phishing Now

For years security professionals have tried to convince family, friends, and fellow employees to be wary of unsolicited email messages. We’ve shared examples of phishing emails, sent out tests, and stressed the consequences of sharing confidential data. It all may have worked too well!

SC Magazine reported last year that employees are ignoring legitimate business emails thinking they might be phishing attempts. The service I use to scan my emails also flags some messages as phishing which are not. We call these “false positives”, that is they falsely say a message is a phishing attempt.

Fortunately, the number of false positives is small; unfortunately, many users still don’t do a good job of recognizing genuine phishing attempts (or so-called “vishing” attempts: making similar requests over the phone).

Many organizations use tools to work to spot phishing attempts. Some are paid and some are free. I pay my email provider to scan emails for spam, phishing, and other nasties. Most corporate IT departments do that or use a product in conjunction with their internal servers to do the scanning. I highly recommend that. But the tools are not perfect and I strongly recommend companies train employees to recognize phishing attempts. There are some tell-tale signs of suspicious emails.

Many phishing emails use poor spelling or grammar: the attackers tend not to have the proofreaders and high-quality copywriters legitimate companies do. The messages also try to be persuasive and appeal to emotions rather than logic. The US Federal Trade Commission has a few examples of that. I have used their list and added my own commentary.

• say they’ve noticed some suspicious activity or log-in attempts
  Such messages may appear to come from your own organization or your bank. In the latter case, the attackers choose a large bank knowing that they will send some messages to people who are not customers of the bank.
• claim there’s a problem with your account or your payment information
  Similar to the bank example above, they might choose a large credit card issuer or online business. I frequently receive emails claiming issues with my PayPal account.
• say you must confirm some personal information
  Such requests are seldom, if ever, genuine.
• include a fake invoice
  This is increasingly common with so many people working from home.
• want you to click on a link to make a payment
  Most web users are aware that hovering over the link will display the target. That is still not enough protection. Users should contact the genuine provider directly.
• say you’re eligible to register for a government refund
  This is a significant issue in the US as governments issue checks to assist citizens during the pandemic.
• offer a coupon for free stuff
  Everybody loves free stuff. Don’t fall for it.

The list isn’t exhaustive, of course, but it is a good start. The point is that everyone needs to know that phishers are out there and that they need to be wary.