Learn how to prevent phishing attacks by knowing how to spot the signs + a few other key tips!

If you’ve heard about phishing and you’re worried it might happen to you, that is perfectly understandable. After all, 65% of U.S. organizations report that they experienced successful phishing attacks in 2019. In addition, there are over 150 billion spam emails sent every day! So, it’s fair if you want to know how to prevent phishing attacks.

One of the best ways is to know what you’re dealing with when it comes to phishing. You need to know what it is, why it happens, and how to prevent phishing emails and attacks. Below, we outline how to spot the signs of a phishing attack and how to conduct yourself in a way that lessens the likelihood of you getting phished.

What Is Phishing?

Okay, before we can dive into how to prevent phishing attacks, we first need to briefly cover what phishing is in general. Phishing is when a cybercriminal uses some type of communication channel — commonly email — to trick a user into doing something. This “something” includes a variety of things, such as downloading malware or providing financial information about your company. Ultimately, the goal of a phishing scam is to trick the user into providing the cybercriminal with some type of information that they can capitalize upon for monetary gain.

However, this isn’t always the case. Technically, a hacker could use a phishing tactic to trick a user into downloading malware. Instead of seeking payment, the goal here could be to infiltrate the larger network that the device is connected to, which can result in big issues (such as high costs, compliance issues, etc. depending on what they gain access to) and data compromise.

Cybercriminals commonly use text messages, emails, and social media messages to carry out different types of phishing. So, it’s important you not just know how to prevent phishing emails, but rather how to prevent phishing attacks in general.

What Is Spear Phishing?

Spear phishing occurs when a cybercriminal performs a highly targeted phishing attack. What I mean by this is that the cybercriminal will impersonate someone you know. This could be a colleague or someone from your personal life. Also, the message’s contents will read more naturally, and the requests will be more sensible because they’ve taken the time to research and learn about you.

Phishing attacks are often sent out in mass quantities while spear phishing attacks are sent to target a specific group or individual. Spear phishing attacks are a quality-over-quantity approach.

How to Prevent Phishing — Understanding That It All Starts with a Click

Phishing attacks are very much about social engineering. They use manipulation and tricks to get the target user to do something. That “something” is often to get the user to click on something. This could be:

  • Click on an attachment that downloads malware,
  • Click on a link that downloads malware, and
  • Click onto a website that is designed to collect the user’s data.

Sometimes, the cybercriminal will ask the user to provide something, which would involve more than just a click. The cybercriminal could ask for any number of things. This type of attack would typically take place in a spear phishing setting. That way, the cybercriminal could use their knowledge on the target to trick them into sending:

  • Login information,
  • Financial data, like a credit card number,
  • Contact information (could be a customer email list),
  • Personal information, like a social security number, and/or
  • Data of value.

How to Prevent Phishing Attacks by Spotting the Signs

If you, a coworker, or one of your employees comes across a phishing attack, everyone involved must know the signs. Here are some of the most common signs of a phishing attack:

Offering Something Intriguing or Valuable

A common tactic by cybercriminals performing a phishing attack is to create some sense of intrigue or excitement with an offer or reward. This fake offer could include:

  • Winning money, a car, an all-expense-paid trip, or something else valuable.
  • Recommending you for a job or nominating you for an award.
  • Asking you to engage in a too-good-to-be-true business or investment opportunity.
  • Sending a mysterious or intriguing attachment (something like a love letter from a secret admirer).

It’s important you (and other people in your organization) know to look for suspicious emails like this. I know that it’s disappointing that an email saying you won a brand-new car is suspicious. However, here’s a more positive way to think about it: you win a metaphoric “not getting phished” award every time you don’t click on a dangerous link or attachment. Here are a few real-world examples to help you better learn the signs.

Examples of Phishing Emails

Let’s look at a few phishing emails as examples.

A screenshot of a phishing email attempting to get the target to invest money.

There are some obvious red flags to pay attention to. These include:

  • No “to” info, which means they BCCed you (and probably a lot of other people that they don’t want you to see).
  • A generic greeting with no name or personalized message.
  • The message itself doesn’t make sense. It talks about the “country’s” investment profile and then talks about partnering with your business.
  • Comes from “Junior” but tells you to email a separate account (Marcel). This likely indicates that they’re trying to direct you to a new email address because they worry that the one they’re using will be shut down or blocked by email service providers.
  • A suspicious email address in the sender field. ([email protected] — I mean, really?)
  • The use of poor grammar (big ol’ run-on sentences).

Now, let’s consider another example of a phishing email.

Screenshot of a phishing email with a potentially malicious downloadable attachment.

Here are the red flags in this particular email:

  • The message contains a strange opener line: “hello greetings.”
  • The body of the email doesn’t make sense or allude to what the purpose of the email is.
  • The attachment has a strange “virus detected and removed” file name and, judging by the vague content of the email, it doesn’t seem promising that the attachment is safe.
  • It uses multiple text colors (not including the hyperlink blue). Talk about a bad copy-paste job…

Creating a Sense of Urgency

“Your manager wants you to ACT FAST on this!!!” Yes, that was three exclamation points. Another telltale sign of a phishing attack is when the sender attempts to create a false sense of urgency. This tactic is designed to panic you as the recipient, making you feel pressed for time and that you need to make a quick decision. This could lead to you making the wrong decision, which would be clicking on something dangerous or providing the cybercriminal with the information or payment they seek.

A few examples of such urgent scenarios include:

  • The hacker telling their target that they need to send specific financial information before the next billing cycle begins.
  • Acting as if the CEO of your company needs a credit card number “ASAP” to close “a big deal.”
  • A hacker could disguise themselves as an HR rep who needs your login information “by end of day.”

Using Poor Grammar, Spelling, Punctuation, and Sentence Structure

One of the most common traits of a phishing attack message is bad grammar and misspelled words. Another telltale sign is awkward wording and poor sentence structure.

The reason for this poor writing could be from the fact that many phishing attacks are mass email campaigns. This rapid-fire style could lead to the cybercriminal not taking the time to write a crisp email. Phishing attacks also know no regional boundaries, so the email could be written by someone in a foreign country who isn’t a native English speaker.

Utilizing Hyperlinks and Redirects

Another common tactic by a cybercriminal performing a phishing attack is to hide their links. If they want to trick you into clicking on a link to a website about pet food, but it’s really a data-gathering site that has nothing to do with pet food, then they will try to hide the link.

There are a few ways they can do this:

  • They can do this by hyperlinking the word “Pet Website” or even “Pet.Com.”
  • A cybercriminal might also use a shortened link that looks more trustworthy (something short) but redirects you to the dangerous website (often a long URL that has nothing to do with the topic).
  • They can take it a step further and use a URL that contains key language about pets as part of their domain or subdomain. (Such as petfood.randomsite.com.)

A good trick is to simply hover your cursor over the link to see what the actual link is (see below). If it matches the legitimate domain that the email claims to represent, you’re good. If not, be aware that someone’s trying to phish you.

Place the mouse cursor over the call-to-action button to display the hyperlink on the “Learn More” text. This action shows the URL.
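The hover trick above checks one link by eye. As an added example (not code from the original article or from Savvy Security), the Python script below does the same check programmatically for every link in an HTML email body: it compares the visible link text with the link’s real domain, flags URL shorteners, and flags links where the brand name appears only as a decoy label inside an unrelated domain (the petfood.randomsite.com pattern). The shortener list, the sample email, and the address pet.com.evil.test are constructed for this example; the registrable_domain helper is a deliberate simplification that ignores multi-label suffixes such as co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: a handful of well-known URL shorteners.
# A real filter would use a maintained list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}

# Matches something that looks like a domain or URL inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def registrable_domain(host):
    """Toy approximation of the registrable domain: the last two labels,
    so 'petfood.randomsite.com' -> 'randomsite.com'. It ignores multi-label
    public suffixes such as 'co.uk'; a production checker would use the
    Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body, claimed_domain):
    """Return (href, reason) pairs for links that look deceptive relative to
    the domain the email claims to be from. Links to the claimed domain itself
    produce no finding."""
    collector = LinkCollector()
    collector.feed(html_body)
    claimed = registrable_domain(claimed_domain)
    brand = claimed.split(".")[0]          # e.g. 'pet' from 'pet.com'
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue                        # mailto:, relative links, etc.
        actual = registrable_domain(host)
        if host in SHORTENER_HOSTS:
            findings.append((href, "shortened URL hides the real destination"))
        elif (m := DOMAIN_IN_TEXT.search(text)) and registrable_domain(m.group(1)) != actual:
            # The text displays one domain while the link goes to another.
            findings.append((href, f"text says {m.group(1)} but link goes to {host}"))
        elif actual != claimed and brand in host:
            # Brand word appears in a subdomain or label of an unrelated site.
            findings.append((href, f"brand name used as decoy in {host}"))
        elif actual != claimed:
            findings.append((href, f"link domain {actual} != claimed {claimed}"))
    return findings


# Constructed sample email body for the example (not a real message).
SAMPLE_EMAIL = """
<p>hello greetings,</p>
<p>Visit <a href="https://petfood.randomsite.com/login">Pet.Com</a> to claim your prize.</p>
<p>Or use this <a href="https://bit.ly/not-a-real-link">short link</a>.</p>
<p>Account portal: <a href="https://pet.com.evil.test/x">click here</a></p>
<p>Full catalogue: <a href="https://www.pet.com/catalogue">Learn More</a></p>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL, "pet.com"):
        print(f"{href}: {reason}")
```

Run it and three of the four links are reported; only the link that really goes to www.pet.com passes, which is the same verdict a careful hover-and-read would give.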

How to Prevent Phishing by Avoiding Dangerous Websites & Networks

How else can you prevent phishing? Here are a few more tips that we’ve put together to help you prevent a phishing attack from being successful.

Don’t Use Public Wi-Fi Networks

If you use a public network, you really should not do anything on it but general internet browsing (if that). Don’t use accounts that you have to log in to use — and be sure to sign out of all accounts so you don’t leave them open and vulnerable.

Public networks are usually not encrypted, which means hackers can steal data from you while you are sending communications and otherwise engaging with websites. They could steal your login credentials to get into your accounts and use them for spear phishing attacks against your friends or coworkers. They could also use the data they discover to learn more about your life. This way, they can better hone their spear phishing attack against you. If you want to know how to stop phishing emails, this will help!

If you need to use a public network, you should use a VPN (virtual private network). While this is much safer than using a public network without a VPN, still keep in mind that there is a gap in your protection briefly after you connect to the network. So, it’s still not the safest way to use the internet.

Look for HTTPS Protection

Very similar to a public network, websites that do not use an SSL/TLS certificate are not protected by encryption. This means that hackers can steal data when you communicate or engage with a website. The results can also be the same in that a hacker can use this to perform a spear phishing attack against you or the people in your life. Make sure you know how to identify a website that has HTTPS protection.

Furthermore, you can verify the identity of the organization that was validated for the SSL certificate by checking the certificate’s details (pictured below) to make sure they are legitimate. Establishing trust goes a long way in helping you build your business and customer base, and SSL/TLS certificates are all about doing precisely that. After all, digital certificates from reputable third-party certificate authorities are trusted by all of the major browsers because they adhere to the industry’s baseline security requirements.

A website that is protected with HTTPS will have a padlock icon beside its URL (pictured here). You can check its certificate details by clicking on the padlock and then “Certificate.”
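To make “checking the certificate’s details” concrete, here is an added example (not code from the original article or from Savvy Security) that reads a certificate in the dictionary form Python’s ssl module returns from getpeercert(), pulls out the same fields you see behind the padlock (organization, issuer, covered names, validity), and matches a hostname against the certificate the way a browser does, wildcard rules included. The certificate, its organization “Example Pet Supplies Inc”, and the .test hostnames are all constructed for this example.

```python
import ssl
import time

# Constructed certificate in the dict shape returned by ssl.SSLSocket.getpeercert();
# the names, organization and dates are made up for this example.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Pet Supplies Inc"),),
        (("commonName", "pet.example.test"),),
    ),
    "issuer": (
        (("organizationName", "Example CA"),),
        (("commonName", "Example CA OV Server CA"),),
    ),
    "subjectAltName": (("DNS", "pet.example.test"), ("DNS", "*.pet.example.test")),
    "notBefore": "Jun 10 12:00:00 2024 GMT",
    "notAfter": "Jun 10 12:00:00 2030 GMT",
}


def dns_names(cert):
    """DNS names from subjectAltName: these, not the displayed company name,
    are what the browser matches against the address bar."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _name_matches(pattern, host):
    """RFC 6125 style: a wildcard is allowed only as the whole leftmost label
    and covers exactly one label, so '*.pet.example.test' matches
    'www.pet.example.test' but not 'a.b.pet.example.test' or 'pet.example.test'."""
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern.split(".")[1:]
    labels = host.split(".")
    return len(labels) == len(suffix) + 1 and labels[1:] == suffix


def hostname_matches(cert, host):
    """True if the certificate is valid for `host`. A lookalike such as
    'pet.example.test.evil.test' fails because no SAN entry covers it."""
    host = host.lower().rstrip(".")
    return any(_name_matches(p, host) for p in dns_names(cert))


def cert_summary(cert, now=None):
    """The details a user sees when clicking the padlock: who the certificate
    was issued to, who issued it, which names it covers and whether it is
    inside its validity period. 'organization' is empty for domain-validated
    certificates, which say nothing about the business behind the site."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    now = time.time() if now is None else now
    return {
        "organization": subject.get("organizationName", ""),
        "common_name": subject.get("commonName", ""),
        "dns_names": dns_names(cert),
        "issuer": issuer.get("organizationName", ""),
        "expired": ssl.cert_time_to_seconds(cert["notAfter"]) < now,
        "not_yet_valid": ssl.cert_time_to_seconds(cert["notBefore"]) > now,
    }


if __name__ == "__main__":
    print(cert_summary(SAMPLE_CERT))
    for host in ("pet.example.test", "www.pet.example.test", "pet.example.test.evil.test"):
        print(host, "->", "matches" if hostname_matches(SAMPLE_CERT, host) else "MISMATCH")
```

The point to take from the output: the padlock only proves that the certificate covers the exact name in the address bar. A phishing site at pet.example.test.evil.test can have a perfectly valid padlock of its own, so the name you read in the certificate (and the organization field, when there is one) is what tells you who you are really talking to.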

If you want to purchase an SSL certificate for your website (so you, your employees and your customers don’t get phished), we have some of the most affordable SSL certificates on the market right here at CheapSSLSecurity.com. Our SSL certificates come from globally trusted CAs and are backed by excellent warranties.

Be Protective of Your Contact Info

It’s surely impossible to not have your contact info trickle into the world somehow. However, while this might seem minor, you should try to avoid handing out your phone number and email every chance you get.

  • It helps to have a burner email that you can use for having receipts, coupons, or other non-important things emailed. That way, no one you know personally would send an email to you there.
  • Also, if you want to download something like a free eBook, you don’t have to give your actual phone number.
  • You could also consider not stopping in the middle of the mall and entering a free giveaway, but if you have to, give them your burner email. If they want your phone number, you can also try insisting on only providing your email and not your phone number. Worst thing that can happen is they say no.

How to Prevent Phishing Emails from Reaching Your Inbox in the First Place

This is one important step we’ve yet to cover. How can you stop phishing emails before they ever reach your employees? Here are a few things you can do:

Use an Email Spam Filter

Email spam filters do exactly what you would think — filter spam emails. There are many options available, but it is best to find a filter with these elements:

  • One that doesn’t just filter emails based on preprogrammed keywords.
  • One that includes a sophisticated malware scanner (not one that simply depends on fingerprinting files).
  • One that uses real-time data to detect spam, i.e., keeps a record of the latest spam blacklist (a list of IPs, domains, and email addresses that have been flagged as spam senders).
  • A spam filter that makes it simple to add IP addresses, domains and email addresses to a whitelist and blacklist. (Speaking of…)

Implement Email Whitelists and Blacklists

One way to stop phishing emails from reaching you or your employees is to utilize an “email blacklist.” If you blacklist an email account or domain that’s associated with spam and phishing attacks, it basically means that you won’t receive messages from that account or domain in your inbox. You can block specific addresses or entire domains.

Whitelisting is the opposite: if you whitelist an email address, domain, or IP address, messages from it won’t be marked as spam. This helps ensure that emails you deem trusted make it to you and emails you find dangerous or a waste of time don’t.
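Here is an added example (not code from the original article or from Savvy Security) of the whitelist/blacklist logic described in this section and in the spam-filter checklist above, written in Python. It accepts either full addresses or bare domains as entries, treats a domain entry as covering its subdomains, consults the whitelist before the blacklist so a trusted partner is never lost to a broad domain block, and decides on the real address in the From: header rather than the display name, which is where a spoofed “ceo@example.test” would be placed. The policy entries, the names (Junior, Marcel) and the .test domains are constructed for the example.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr


@dataclass
class SenderListPolicy:
    """Whitelist ('allow') and blacklist ('block') of senders. Entries are
    either full addresses ('junior@freemail.test') or bare domains
    ('randomsite.test'); a domain entry also covers its subdomains.
    The allowlist is consulted first so a trusted sender is never lost
    to a broad domain block."""
    allow: set = field(default_factory=set)
    block: set = field(default_factory=set)

    @staticmethod
    def _matches(entries, address):
        domain = address.rpartition("@")[2]
        if address in entries:
            return True
        labels = domain.split(".")
        # Walk up the labels: 'mail.randomsite.test' -> 'randomsite.test' -> 'test'
        return any(".".join(labels[i:]) in entries for i in range(len(labels)))

    def decide(self, from_header):
        """Classify a raw From: header as 'deliver', 'block' or 'scan'.
        Only the real address is used; the display name is sender-controlled
        and is exactly where a spoofed 'ceo@example.test' would be placed."""
        _, address = parseaddr(from_header)
        address = address.lower()
        if "@" not in address:
            return "block"      # empty or malformed sender
        if self._matches(self.allow, address):
            return "deliver"
        if self._matches(self.block, address):
            return "block"
        return "scan"           # unknown sender: hand off to content/malware filtering


# Constructed sample policy and From: headers for the example.
POLICY = SenderListPolicy(
    allow={"example.test", "partner@randomsite.test"},
    block={"randomsite.test", "junior@freemail.test"},
)

SAMPLE_HEADERS = [
    "CEO <ceo@example.test>",
    '"ceo@example.test" <attacker@evil.test>',    # display-name spoof
    "Partner <partner@randomsite.test>",          # allow entry beats domain block
    "Marcel <marcel@mail.randomsite.test>",       # subdomain of a blocked domain
    "junior@freemail.test",
    "",
]


def triage(policy, headers):
    """Return {header: decision} for a batch of From: headers."""
    return {h: policy.decide(h) for h in headers}


if __name__ == "__main__":
    for header, decision in triage(POLICY, SAMPLE_HEADERS).items():
        print(f"{decision:8} {header!r}")
```

Note that the spoofed header ends up in “scan”, not “deliver”: the whitelist entry for example.test never matches because the actual address is attacker@evil.test. That is the behaviour you want from any filter that offers whitelisting, and a quick way to test a product is to send yourself a message with exactly that kind of display name.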

Bonus Tip: Check for an S/MIME Certificate

An S/MIME certificate allows for an email sender to digitally sign their email (so that the recipient can confirm their identity). And it uses end-to-end encryption to protect the contents of the email when sent and received. Not all businesses use S/MIME certificates, but it is worth looking for one when you receive an email from someone claiming to work at a legitimate organization.

How to Prevent Phishing – A Final Word

We have come to the end of our article on how to prevent phishing attacks. Unfortunately, you can’t prevent phishing altogether, but if you know the signs, you have a good chance of preventing a phishing attack from being successful. Remember these tips as you go forward!

  • Know the signs of a phishing email or phishing email attack.
  • Don’t go on public networks (or use a VPN if you do).
  • Only interact with websites that have HTTPS protection and that legitimate organizations own.
  • Be protective over your contact information.
  • Use an advanced email spam filter (with malware detection and blacklist/whitelist features).

Author

Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.
