5 Ways To Spot A Phishing Email

  • November 1, 2023 | Author: Allison Bergamo


October is Cybersecurity Awareness Month, and the perfect time to provide a refresher course on phishing emails to your clients. According to the 2023 Verizon Data Breach Investigations Report (VDBIR), social engineering remains a top threat for organizations. This form of cyberattack accounted for 17 percent and 10 percent of all data breaches and security incidents, respectively.

The Verizon report attributes the increase in social engineering largely to pretexting—the most common form of social engineering used in business email compromise (BEC) attacks—and phishing. Phishing, second only to pretexting, represented 44 percent of all social engineering attacks and was the leading cause of confirmed data breaches.

Armed with newly acquired skills in generative AI, cybercriminals are crafting phishing emails that look more legitimate than ever before. While it’s easy to scroll and click on emails without giving them a second thought, encourage your clients to “pump the brakes” when reading emails and think twice before clicking on links or attachments. Additionally, here are five ways in which your clients can spot a potential phishing email.

  1. Beware Of “Surprises”

Many successful phishing attacks involve sending employees something that they would expect, such as a shipping confirmation or a notice from IT to update their password.

Encourage your clients to think before they click on any attachments or links included in an email. For example, they should ask themselves, “Did I actually order anything from this company?” If they receive an email from a store that they don’t usually order from, it’s likely a phishing attempt.

  2. Name Check

Encourage your clients to validate the sender of any email or instant message, especially if it’s not a familiar name. They should be extra cautious if the sender directs them to sign into a website or provide sensitive information such as a password, credit card number or social security number. Remind them that no bank or financial institution will ask them to send their account information via email or instant message.

  3. Avoid Clicking On Unfamiliar Links

Most phishing scams try to convince people to provide their username and password so they can access their online accounts. Once they have that information, they can clean out their bank accounts, max out their credit cards, lock them out of their email and much more.

In many cases, hackers will include embedded URLs to take victims to a different website. A quick glance at these URLs could show that they look legitimate. Teach your clients to hover over any URL so that they can see the actual hyperlink. If the hyperlink address is different than what is displayed in the URL, it’s likely to be a phishing attempt and they should avoid clicking on it.

  4. Watch Out For Poor Spelling Or Grammar

Prior to ChatGPT, it was easier to spot phishing emails based on misspelled words and poor grammar. While cybercriminals are using AI writing tools to reduce or eliminate errors in their emails, your clients should still be vigilant about spotting them.

Your clients should also think twice before clicking on an email with a generic greeting such as “Dear Customer” or “Dear Member.” Most companies that you do business with will send emails with personalized greetings.

  5. Be Skeptical About Threats

Hackers often use threatening language to elicit a panicked, knee-jerk reaction from their potential victims. Teach your clients to avoid opening emails containing threatening language like, “Urgent action required!” or “Your account will be closed!”—it’s just a tactic to get them to provide their personal information and avoid “disaster.”

Consider implementing Fortinet’s phishing simulation training for your clients. FortiPhish tests your clients against real-world phishing techniques based on the latest research by FortiGuard Labs. Armed with the latest phishing knowledge, your clients can learn to recognize, avoid and report email-based cyberthreats including phishing, impersonation, Business Email Compromise (BEC) and ransomware.
