Phishing is the most common type of attack by cybercriminals. It is a fake message crafted to mislead the receiver into revealing sensitive information, transferring funds, or clicking on a malicious link. It is typically sent via email, direct messages on social media or other forms of text-based communication. Due to its effectiveness, phishing incidents have been consistently rising over the years. Meanwhile, phishing methods keep getting more sophisticated.

There are many types of phishing, but a large organization like ours is most vulnerable to phishing by impersonation or whaling. In this type of attack, the cybercriminal pretends to be a company’s senior executive to target the employees. Deceptively identical email addresses and display names and strategically drafted messages are used to misguide the receiver. It’s a particularly effective method since an email from a professional acquaintance or senior management is usually assumed to be genuine and doesn’t raise suspicion.

As a responsible organization, while we maintain the highest cyber security standards, there’s always a possibility for a phishing email to sneak into your inbox. That’s why awareness is often the best defence against phishing attacks. So, watch out for these five tell-tale signs to identify a phishing, scam, or inauthentic email:

1. Unexpected or unsolicited correspondence

Your first sign that it may be a scam email is when it’s an unexpected correspondence. Consider whether there has been an in-person or offline discussion on the said matter. If you receive an email from a senior leader, customer, or vendor out of the blue without any prior context, it is a red flag that it may be fake communication.

2. Check the display name and email address

Always double-check the sender’s display name and email address. It may appear genuine at a passing glance, but on closer inspection, you may find that an ‘O’ has been replaced with a ‘0’ or an ‘i’ with a ‘!’. You must also habitually check the domains of the emails you receive. Communication within the organization will always be from the official company domain and rarely from a free email service. It’s the same for external communication received from other companies and businesses. Sometimes the domain may look authentic or be similar to the company’s email, but if you hover over it, you will see the fraudulent domain.

3. Prompting urgency

Phishing emails usually have an urgent tone. Their goal is to get the victim to act without thinking or verifying the email’s source or content. So, a senior executive unexpectedly asking you to transfer funds or reveal information over email urgently should make you suspicious. Always verify such requests by other means. For instance, personally contact the sender via call to validate the communication.

4. Unusual ask

Consider what the email is asking of you. Phishing emails have some typical calls to action. They ask you to share personal information or sensitive company data that should ideally not be exchanged over email in a first-time or unexpected exchange. It could also ask you to click a link to enter this information. It could mislead you to believe a senior executive has sent you a work-related document in the email attachment. It may even ask you to transfer funds — personal or the company’s if you have the authority.

As an organization, we have proper channels and processes for all our operations. If the request doesn’t abide by these, it’s cause for suspicion and reason to verify.

5. Poor grammar

Finally, an effective warning sign of a phishing email is poor grammar, spelling and sentence structure. A genuine professional email would always make the effort to articulate a clear message. Scam emails are usually written shabbily — either to bypass spam filters or because they have been drafted using translation tools.

What to do when you receive a bogus email?

If you suspect you have received a phishing email, the first thing to do is to do nothing.

That is — do not reply and never click on any links within the email or download any attachments. Next, if you’re doubtful of the communication’s authenticity, always verify it with the sender by alternate means — either via call, text, or in-person. Always report phishing emails to the IT team. Timely alerts can help us initiate immediate action and prevent damage.

So, always be aware of the emails you receive in your inbox. Be particularly careful when it’s an email or sender you weren’t expecting — even if they’re from within the organization.