According to the 2020 Verizon Data Breach Investigations Report (DBIR), the two most common actions behind company breaches over the past year were phishing and the use of stolen credentials (think user IDs and passwords).

The two go hand in hand. Using social engineering, a hacker sends a specially crafted email that pretends to come from a company you do business with. The fake email claims that your account has been hacked (the irony!) and that you need to click the included link to reset your password; the link leads to a look-alike login page that captures whatever user ID and password you type, and those stolen credentials are then used against the real site.

Another common lure is an email purporting to be from Amazon, UPS or FedEx that asks you to click a link to get the latest tracking information on a recent purchase. With so much shopping done online, it is easy to see why someone would fall for that trick, unless, of course, your employees at work and your family members at home have been taught how to spot a fake email.

Fake COVID-19 emails are making the phishing rounds now too. If something is making headlines, it will find its way into a hacker’s social engineering toolbox. Watch out for election scams next!

How To Spot a Fake Email

Let’s talk about some red flags in phishing emails: things to look out for that should perk up your investigative senses and make you suspect that someone is trying to trick you.

  1. Any email that asks you to click the included link to do anything. This one is tricky, because we all send emails with links in them, especially when sharing something we think would be useful to others. Don’t click the link.
  2. Wording that signals urgency: urgent, now, immediately and the like. Pressure is how the social engineer stops you from thinking. Take a deep breath and consider that someone may be trying to trick you.
  3. A sender address that is misspelled or does not belong to the company. A genuine Amazon email comes from an address ending in amazon.com, not from a look-alike domain with a letter added, dropped or swapped. Mail clients often show only the display name, so move your cursor over, or tap on, the sender to reveal the full address.
  4. Just as with the sender address, check where a link really goes: move your cursor over the link to reveal its true destination (on a computer), or press and hold the link to preview its address (on a mobile device). The text of a link and the address it actually opens can be completely different.
  5. Misspellings and broken English. This is not always the case, since some phishing emails are professionally written, but it is still common.
  6. An attachment. Don’t open it.
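The checklist above applied programmatically to a raw email message, as an added example written for this article (it is not code from the original post or from any product the post mentions). It checks the sender domain against a small table of brands and their real mail domains, compares the visible text of each link with the address it actually points to, looks for urgency wording, and reports attachments. The trusted-domain table, the urgency word list and the two sample messages are all constructed for the demonstration, and the registrable domain is approximated by taking the last two labels of a host name; only the Python standard library is used.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse
import re

# Constructed for this example: brands named above and the domain their mail really uses.
TRUSTED_DOMAINS = {"amazon": "amazon.com", "ups": "ups.com", "fedex": "fedex.com"}
# Constructed: pressure wording to look for (red flag 2).
URGENCY_WORDS = ("urgent", "immediately", "now", "locked", "suspended", "verify")
# Anchor tags in the HTML body; a regex suffices for constructed input, a real tool should parse HTML.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(host):
    # Last two labels (amazon.com from login.amazon.com); a real tool would use the public suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes such as amaz0n."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(msg):
    """Red flag 3: the From address does not belong to the brand it claims to be."""
    name, addr = parseaddr(msg["From"] or "")
    domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    flags = []
    for brand, real in TRUSTED_DOMAINS.items():
        if domain == real:
            continue
        if re.search(rf"\b{brand}\b", name, re.I):
            flags.append(f"display name claims {brand} but sender domain is {domain}")
        if domain and edit_distance(domain, real) <= 2:
            flags.append(f"sender domain {domain} is a lookalike of {real}")
    return flags

def check_links(html):
    """Red flag 4: visible link text names one site while the href goes elsewhere."""
    flags = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.search(r"https?://([^/\s<]+)", text)
        target = urlparse(href).hostname or ""
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target):
            flags.append(f"link text shows {shown.group(1)} but points to {target}")
    return flags

def check_urgency(text):
    """Red flag 2: pressure wording in the subject or body."""
    hits = sorted(w for w in URGENCY_WORDS if re.search(rf"\b{w}\b", text, re.I))
    return [f"urgency wording: {', '.join(hits)}"] if hits else []

def analyze(raw):
    """Run every check on one raw message (bytes) and return the list of red flags."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = check_sender(msg)
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        flags += check_links(html.get_content())
    plain = msg.get_body(preferencelist=("plain",))
    flags += check_urgency(f"{msg['Subject'] or ''}\n{plain.get_content() if plain is not None else ''}")
    names = [a.get_filename() or "(unnamed)" for a in msg.iter_attachments()]
    if names:  # red flag 6
        flags.append(f"attachment present: {', '.join(names)}")
    return flags

def build(sender, subject, text, html=None, attachment=None):
    """Assemble a constructed test message; attachment is (filename, bytes)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "you@example.com", subject
    msg.set_content(text)
    if html:
        msg.add_alternative(html, subtype="html")
    if attachment:
        msg.add_attachment(attachment[1], maintype="application", subtype="zip",
                           filename=attachment[0])
    return msg.as_bytes()

def sample_phish():
    """Constructed lure in the style described above; not a real message."""
    return build('"Amazon Customer Service" <support@amaz0n.com>',
                 "URGENT: your account has been locked",
                 "Your account has been locked. Reset your password immediately.",
                 '<p>Your account has been locked. Visit <a href="http://login.amaz0n-secure.com/reset">'
                 "https://www.amazon.com/account</a> to reset your password immediately.</p>",
                 ("invoice.zip", b"not a real archive"))

def sample_legit():
    """Constructed benign shipping notice for contrast."""
    return build('"Amazon.com" <ship-confirm@amazon.com>', "Your order has shipped",
                 "Your package is on its way. Track it from Your Orders on the site.")

if __name__ == "__main__":
    for flag in analyze(sample_phish()):
        print("RED FLAG:", flag)
    print("benign message flags:", analyze(sample_legit()))
```

Run it as a script and the constructed lure produces five flags (display name versus sender domain, the amaz0n look-alike, the link whose text and destination disagree, the urgency wording and the attachment), while the constructed shipping notice produces none. The link check is the one people most often skip by hand: it compares the domain in the visible text with the domain in the href, which is exactly what hovering over a link shows you.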

But what if you think the email may be legitimate? Go to the company’s website yourself, by typing the address or using a bookmark you saved earlier, log in and see whether you have any messages. Remember, don’t click the links or open the attachments in the email. And if the email is from a “friend”, call or message them through a channel you already trust to ask whether they really sent it.

Now that you know the red flags that identify fake emails, hopefully you will take a little more time reviewing each email that arrives in your inbox. You may save your company from being the next hacking victim, or save your bank account from being emptied. Share what you have learned and teach others how to spot fake emails so they don’t become victims either.

Source: 2020 Verizon Data Breach Investigations Report (DBIR)