There is no such thing as a 100% fool-proof security system that can protect your law firm from phishing emails. And that’s pretty alarming because phishing is now one of the top ways that criminals infiltrate companies with malware and ransomware. These schemes are developed by cybercriminals to steal your firm’s sensitive information or to hold your data hostage for steep ransoms.
Why do cybercriminals love phishing? Because it works. Why does it work when we have the most brilliant minds in IT working to fight it? Because phishing achieves success by taking advantage of our trusting human nature, and there is no high-tech security product or platform in the world that can block our inquisitive fingers from double-clicking the mouse button when our curiosity is piqued.
Here at Savvy Training & Consulting, we have written many blog posts about the perils of phishing and why law firms need to incorporate ongoing security awareness training into their firm-wide security procedures. Today, I thought I’d write a post that you can share across your firm to help people identify the phishing scams that hit their inbox. (Suggestion: When you share this article with your firm, you should also tell people what you expect them to do with emails that they suspect are phishing attempts. Do you want them to simply delete them? Share them with you? Make sure everyone understands your firm’s protocols when it comes to scam emails.)
10 Ways to Recognize Phishing Emails
1. Do you know the sender?
The sender’s email may look like it’s from the firm’s HR department, but is it really? Right-click the sender’s email address to see its true origin. If it came from a public email address, such as Gmail or Hotmail, it’s likely a scam, particularly if they’ve masked it to look like an email from someone inside your firm. Next, examine the sender’s name. Does it follow your firm’s email address standards? For example, does everyone use their first name and the first initial of their last name? Does this email follow suit? If the address is just HR@firmname.com, that may be a red flag, too. Does your firm have department emails or should it have someone’s name in it?
2. Did you expect the attachment?
Do not open an attachment unless you expected to receive it from the sender. (Check the sender’s email as suggested above.) Just because a document is titled, “Information about your raise.doc” and it looks like it’s from HR doesn’t mean you’re getting a raise nor that it came from HR. Call HR first and ask if they’re promoting you!
3. Do you see misspellings?
Misspellings are a big, red flag, although they are becoming less common in phishing emails. Would your bank ever send out an email with misspellings? Not likely. Communications from big corporations are typically triple-checked before anyone hits send.
4. Are the links embedded in the email misspelled?
Imagine you’ve received an email from a bank, First Western, and you see a link at the bottom of the email that reads: http://www.firstwestrnbank.com. That is likely a bad link that will take you to a malicious website or download malware onto your firm’s network. Do not click!
5. Do the links contain a URL you recognize?
Did you know that if you hover your mouse over an embedded link you can see where the link will actually take you? If the link isn’t recognizable or doesn’t indicate a source you trust, it’s likely a scam.
6. Are you being baited with an “urgent” emergency?
If, for example, you get an urgent message from your bank saying that they need you to “follow the link below to verify recent spending,” you should think twice or thrice before clicking that link. You can follow the steps above to verify the sender and the link sources but, better yet, you should just call your bank and delete that email. Any form of emergency in an email is designed to make you withhold judgment so that you click in a panic.
7. Are they asking for personal information?
Most legitimate institutions today that use and store your personal information would never ask for that information via email. Rather, they will direct you to the trusted website that you’ve used in the past or they will ask you to call. Again, you should always check the source URL and sender email before clicking anything, especially if they are asking for personal information such as your account or social security number.
8. Is the offer too good to be true?
Just as our grandparents always cautioned: if it seems too good to be true, it probably is. Are you being offered an all-expenses-paid vacation just for following a link to a survey? Yeahhhh, there’s probably no trip and probably not even a survey. When you click that link, you may unleash mayhem on your PC and your firm’s network.
9. Did you ask for assistance with the topic? Or did you order that package?
Many phishing emails trust us to NOT trust our memory. If you receive a UPS email to help you track an order that you don’t remember placing, don’t click! If your bank reaches out to assist you with your recent failed transaction and you don’t remember a failed transaction, don’t click.
10. Is your gut telling you something’s wrong?
Sometimes, an email may pass all of the tests above but something just seems off. Trust your gut and don’t click. Pick up the phone to verify the sender. The worst that could happen is that you waste 15 minutes with a customer service rep or small-talking with an old colleague. That is a much better outcome than if you clicked and unleashed ransomware on your firm’s entire system.
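For firms whose IT staff want to run checks 1, 4 and 5 automatically on reported emails, the sketch below flags a public-webmail sender, a link whose visible text differs from its real destination, and a link domain that is a near-misspelling of a trusted one. It is an added example, not part of the original article; the sample message, the trusted-domain list (firstwesternbank.com is assumed to be First Western’s real domain) and the 0.9 similarity threshold are assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

WEBMAIL = {"gmail.com", "hotmail.com"}   # public providers named in check 1
TRUSTED = {"firstwesternbank.com"}       # assumed real domain of "First Western"
SAMPLE = (                               # constructed message, not a real email
    'From: "HR Department" <hr.firmname@gmail.com>\n'
    'Subject: Information about your raise\n'
    'Content-Type: text/html; charset="utf-8"\n\n'
    '<p>Verify recent spending: <a href="http://www.firstwestrnbank.com/verify">'
    'http://www.firstwesternbank.com</a></p>\n')

class Links(HTMLParser):                 # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":                   # start a new link, reset its text
            self.href, self.text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def host_of(url):                        # hostname, lowercased, without "www."
    host = urlparse(url if "://" in url else "//" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def phishing_flags(raw):
    msg = message_from_string(raw, policy=policy.default)
    # Check 1: the real sender address, not the display name
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    flags = [("webmail_sender", domain)] if domain in WEBMAIL else []
    body, parser = msg.get_body(preferencelist=("html",)), Links()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.found:
        target = host_of(href)           # where the link really goes (check 5)
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            flags.append(("text_href_mismatch", f"{shown} -> {target}"))
        for good in TRUSTED:             # check 4: misspelled trusted domain
            if target != good and SequenceMatcher(None, target, good).ratio() >= 0.9:
                flags.append(("lookalike_domain", f"{target} ~ {good}"))
    return flags
```

Calling phishing_flags(SAMPLE) returns all three flags; a message from the firm’s own domain whose link text and destination both match the trusted domain returns none.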
If you have any questions about this article or if you’re interested in adding security awareness training to your firm’s security procedures, contact me today. Let’s brainstorm! Jay@SavvyTraining.com, 303-800-4568.