For years security professionals have tried to convince family, friends, and fellow employees to be wary of unsolicited email messages. We’ve shared examples of phishing emails, sent out tests, and stressed the consequences of sharing confidential data. It all may have worked too well!
SC Magazine reported last year that employees are ignoring legitimate business emails, thinking they might be phishing attempts. The service I use to scan my email also flags some messages as phishing that are not. We call these “false positives”: the scanner falsely reports a legitimate message as a phishing attempt.
Fortunately, the number of false positives is small; unfortunately, many users still don’t do a good job of recognizing genuine phishing attempts (or so-called “vishing” attempts: making similar requests over the phone).
Many organizations use tools to spot phishing attempts; some are paid and some are free. I pay my email provider to scan emails for spam, phishing, and other nasties. Most corporate IT departments do the same, or use a product alongside their internal mail servers to do the scanning. I highly recommend that. But the tools are not perfect, and I strongly recommend that companies train employees to recognize phishing attempts. There are some tell-tale signs of suspicious emails.
Many phishing emails use poor spelling or grammar: the attackers tend not to have the proofreaders and high-quality copywriters that legitimate companies do. The messages also try to be persuasive and appeal to emotions rather than logic. The US Federal Trade Commission has a few examples of that. I have used their list and added my own commentary.
The list isn’t exhaustive, of course, but it is a good start. The point is that everyone needs to know that phishers are out there and that they need to be wary.