How to Protect Against Email Phishing Attacks
Phishing. Spoofing. Scamming. Exhausting. Tricksters are everywhere. We literally received a scam phone call when writing this post. And besides being downright rude, those tricksters are getting really smart, too. In the email world, they even emulate people that you know and trust.
According to the 2019 Internet Security Threat Report, email campaigns are the top delivery vehicle for ransomware, and enterprises are most affected because email remains the predominant communication tool. And it comes at a high price. At the low end of the disaster-meter, cyber attacks can cost a small business an average of $53,987. The larger the business, the bigger the loss.
It can be a scary digital world out there, and you need to be more vigilant than ever to protect what you’ve worked so hard to build. Knowledge is power, so let’s define a few key terms before we initiate our rallying cry.
Email spoofing: When a sender falsifies information to make a message appear as though it was sent by someone else (known or unknown to you personally).
Phishing attack: The fraudulent sending of emails to obtain personal information such as passwords or credit card numbers.
Malware: Short for malicious software, malware is any computer program that invades and wreaks havoc on a computer without user consent. Common offenders are viruses, spyware, worms, ransomware, trojans, etc.
Here are three simple ways you can protect yourself from email scams.
- Check return paths on suspicious emails.
Even if you recognize the name and email address of a sender (we’re talking your mom, boss, college roommate once removed), it is a real possibility that the sender was someone else entirely. If you receive an email with language that seems off, is grammatically incorrect or just doesn’t fit within any known context, red flags should be going up all over.
How can you tell if an “off” email is the real deal if it appears to be from a legit email address? Follow these steps to check the return path (but a smart trickster can bypass all these checkpoints, so you should still exercise caution):
- Right-click on the email in your inbox and select view source.
- You will see a pop-up box filled with code.
- Look for the words “return-path” within the code, and note the email address listed directly after.
- If the return path notes a different email address than what appeared in your inbox, you should blacklist the fraudulent email or IP addresses listed, change your email account password and alert the appropriate internal stakeholders at your company.
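The same comparison can be scripted against a saved copy of the message source. This is an added example, not part of the original post; the function name `check_return_path` and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From line looks familiar, the Return-Path does not.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer.example.net>
From: "Mom" <mom@example.com>
To: you@example.com
Subject: Important invoice

Please see the attached invoice.
"""


def _address(header_value):
    """Return the bare, lower-cased address from a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.lower()


def check_return_path(raw_message):
    """Compare the domain shown in From with the domain in Return-Path."""
    msg = message_from_string(raw_message)
    sender = _address(msg.get("From"))
    bounce = _address(msg.get("Return-Path"))
    result = {"from": sender, "return_path": bounce}
    if "@" not in sender or "@" not in bounce:
        # No usable Return-Path (or From): nothing to compare, so not a pass.
        result["verdict"] = "missing"
        return result
    from_dom = sender.rpartition("@")[2]
    bounce_dom = bounce.rpartition("@")[2]
    # Treat a subdomain of the From domain (bounces.example.com) as matching.
    same = bounce_dom == from_dom or bounce_dom.endswith("." + from_dom)
    # A mismatch is a reason to look closer, not proof of fraud: legitimate
    # mailing services often use their own bounce domain in Return-Path.
    result["verdict"] = "match" if same else "mismatch"
    return result


if __name__ == "__main__":
    print(check_return_path(SAMPLE_RAW))
```

A "match" verdict does not clear the message, since a sender who controls the return path can set it to whatever they like.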
- Know your susceptibility.
If you work for a small organization, you’re more likely than larger companies to be targeted by email threats, everything from spam to phishing to email malware. Spam levels have increased every year since 2015, and in 2018 alone, 1 in every 412 sent emails was malicious.
In addition, malicious email rates fluctuate by industry. For example, in real estate, 1 in 491 emails are malicious, whereas 1 in 258 emails in the mining space were identified as such. There are also certain words that are more frequently used in malicious emails, such as invoice, sender, payment, important, message, new, returned and delivery.
- Never open an unexpected attachment. Ever.
According to Symantec, in 2018, almost half of all malicious email attachments were attributed to Microsoft Office files – and that’s an increase from just 5 percent in 2017. We know; that’s terrifying.
Even if you know the sender, never open an attachment that you were not expecting to receive. The same goes for links; don’t click on any link unless you are fully confident it is authentic. Pick up the phone and call the “sender” if you are unsure; at worst you double-check for nothing, and at best you save yourself time, money and a never-ending migraine.
Unfortunately, this is just the tip of the email underbelly iceberg. For more information on how to protect yourself, check out these resources: