Google has over 1.5 billion people globally using their Gmail service, many of whom will be based here in London. So when Google says scammers are sending out – and they are blocking – over 100 million hoax phishing e-mails every day to Gmail users, we should all sit up and take notice of the danger. What’s more, we should all know the Google five checks for spotting and stopping e-mail phishing attacks.
Note that nearly 20% of Google’s blocked phishing e-mails relate to Covid-19 scams, so it would seem Coronavirus has earned itself another dubious first – the biggest phishing scam topic ever.
Why knowing the Google five checks for spotting and stopping e-mail phishing attacks is vital during the Covid-19 pandemic
Phishing is one of the largest, long-standing and dangerous methods of cybercrime in which criminals (often working in organised gangs) try to trick us into revealing personal data, let malware into our systems, donate to fake charities and so on. For this reason alone you should know the five checks for spotting and stopping e-mail phishing attacks.
But the Covid-19 pandemic has made matters worse. According to another technology giant, Verizon, in their 2019 Data Breach Investigations Report, around 32% of all cyber attacks involved phishing. And now it seems a huge variety of bogus e-mails are being sent out impersonating a wide range of legitimate authorities on the subject of Covid-19. These range from the World Health Organization (WHO), the Centre for Disease Control and Prevention (CDC) to government departments and even leading officials, such as President Trump.
Not only that, cyber-security company Barracuda Networks said it had seen a 667% increase in malicious phishing e-mails during the pandemic.
While the good news is that Google’s machine-learning tools are able to block more than 99.9% of such e-mails from reaching potential victims, it’s up to every small to medium-sized business leader here in London and beyond to understand and prepare for the threat from such phishing attacks.
Do you know how to spot a phishing e-mail?
Most of us in small to medium-sized businesses think we’re too smart, savvy and switched on to fall for such cyberattacks but millions of us do. So in this blog post, we’re going to tell you more about phishing attacks and the Google five checks to detect and stop one. Please read on to discover:
- Phishing e-mails – the telltale signs
- Check 1: Is the message sent from a public e-mail domain?
- Check 2: Is the domain name spelled correctly?
- Check 3: How is the e-mail written?
- Check 4: Does the e-mail include suspicious attachments or links?
- Check 5: Does the message create a false sense of urgency?
- Awareness and training are key to preventing e-mail phishing attacks
Phishing e-mails – the telltale signs
We take your cybersecurity and these phishing e-mails seriously, especially in light of the Coronavirus pandemic when many of us are now working remotely. So do the UK’s National Cyber Security Centre (NCSC) and the US Department of Homeland Security. In fact, they issued a joint advisory statement to warn individuals and businesses how ‘…malicious cyber-actors were exploiting the current Covid-19 pandemic for their own objectives.’
So here are five Google checks you can make to spot and stop phishing e-mails…
Check 1 to stop phishing emails: Is the message sent from a public e-mail domain?
No legitimate organisation will contact you from an address that ends ‘@gmail.com’. Not even Google.
Yes, individuals and independent workers, like freelancers, may well have a public domain e-mail address. But every organisation, from banks to charities and government bodies, will have its own email domain and company accounts.
Always check that the domain name (i.e. the part after the @ symbol) matches the apparent sender of the email. If it doesn’t, the message is probably a scam. One quick and simple way to check an organisation’s domain name is to type the company into a search engine.
To be doubly sure, also look at the actual e-mail address a message has come from; something most of us routinely don’t do. Scammers hope that by using a display name, like ‘IT Governance,’ and matching subject line they may ensure you ignore who the message is from and leap straight into the content.
Top tip: cybercriminals are becoming ever more sophisticated so will use a spoofed organisation’s name as part of a bogus email addresses. For example, in a recent phishing e-mail attacking PayPal customers, the senders’ – or scammers’ – address was ‘email@example.com’. But a genuine email from PayPal would have their name in the domain name, indicating that it had come from someone at (@) PayPal.
Check 2 to stop phishing emails: Is the domain name spelled correctly?
Anyone can buy a domain name from a registrar. And although every domain name must be unique, there is a load of ways to create addresses that are indistinguishable from the one that’s being spoofed.
Incredibly, scammers often misspell the names of even some of the world’s biggest enterprises in fake domains!
In one much-publicised example, an ethical hacker successfully ‘phished’ the CEO of the Gimlet Media podcast, despite purposely misspelling the Gimlet domain name as ‘gimletrnedia.com.’ That’s r-n-e-d-i-a, rather than m-e-d-i-a, by the way. No one spotted it. Despite the fact the show was all about falling victim to scam e-mails!
Top tip: you don’t have to fall victim to a phishing scam for a criminal hacker to gain vital information from it because the way you react (circulating the bogus e-mail to your team, for example) can provide them with valuable intelligence. So it’s not enough to spot a phishing scam e-mail, you have to be confident enough to check, decide and delete it at the first opportunity.
Remember: if the message was genuine and important enough, the sender will get in touch again or through another channel.
Check 3 to stop phishing emails: How is the e-mail written?
A dead giveaway of scamming e-mails is poor spelling and/or grammar.
Note, though, that many cybersecurity experts will tell you that such errors are part of a scammers’ ‘filtering system’ by which they target only the most gullible people believing if someone ignores clues about the way the message is written, they’re less likely to pick up clues during the scammer’s endgame.
However, this really only applies to manually operated scams, in which the scammer has to reply in person, once someone takes to the bait; not phishing attacks that are nearly always automated and simply dump thousands of crafted messages on unsuspecting people.
Nonetheless, phishing e-mails are often badly written. This is generally because many of the cybercriminals are from non-English-speaking countries and from backgrounds where they will have had limited access or opportunity to learn the language.
So, the bottom line is to always check for poor English, spelling and grammar.
Top tip: look out for grammatical rather than spelling mistakes.
Scammers can easily use spellcheckers or translation machines to help draft a passable phishing e-mail but grammar – particularly in the English language – can much more difficult to master.
- Is any typo a commonly made error (like hitting an adjacent key)?
- Is the context wrong?
- Is this the kind of e-mail that should have been proofread and edited (such as corporate communications message from, say, your bank)?
- Is it consistent with previous messages received from this sender?
If anyone is in any doubt about the validity of any e-mail, text or message they should take a minute to contact the sender using an alternative method, by phone or via their website, for example.
Check 4 to stop phishing emails: Does the e-mail include suspicious attachments or links?
Phishing e-mails come in many forms but the one thing they all have in common is that they contain a payload. This will either be an infected attachment containing malware that you’re asked to download or a link to a bogus website that requests login and other sensitive information.
Such documents can range from bogus invoices to letters from your local tax authority and once opened will unleash malware on your computer, which could damage or lock up your IT, business, data, or confidential information in numerous ways.
The golden rule is that you should never open an attachment unless you are fully confident that the message is from a legitimate party. Be especially cautious if you receive a pop-up warning about the file’s integrity or you’re asked to adjust any of your device’s settings to accommodate it.
You can often spot a suspicious link because the destination address doesn’t match the context of the rest of the e-mail. For example, if you receive an e-mail from Netflix, you would expect the link to direct you towards an address that begins ‘netflix.com’. Unfortunately, many legitimate and scam e-mails hide the destination address in a button, so it’s not immediately obvious where the link goes to, although it’s simple enough to check.
Top tip: on your computer, hover your mouse over the link provided and the destination address appears in a small bar along the bottom of the browser. On a mobile device, hold down on the link and a pop-up will appear containing the destination address.
Check 5 to stop phishing emails: Does the message create a false sense of urgency?
Scammers know that most of us procrastinate and the longer we think about something, the more likely we are to notice things that seem wrong.
As a result, scammers usually ask you to ‘act now’ or create some other sense of emergency. They do this in a wide range of ways, from sending a final demand for a bogus unpaid bill to threatening to suspend services we regularly use such as PayPal and Netflix.
This manufactured sense of urgency is highly effective in the workplace when it purports to be a message from your boss. The criminals know full well that most of us will drop everything if our line manager (or senior manager) emails us with a vital request, especially if the suggestion is that other senior colleagues are awaiting your response.
Top tip: phishing scams like this are especially dangerous because no one wants to check the validity of the message, even if they fear foul play, and upset their boss, or endanger a deadline. So as part of your cybersecurity strategy and policy, do create an environment in which your whole team feels confident and empowered enough to stop, think, and check – no matter who the e-mail comes from.
These may be clichés but when it comes to cybersecurity prevention is always better than cure and it’s always better to be safe than sorry.
Awareness and training are key to preventing e-mail phishing attacks
Spam filters will never be fully effective, and your cybersecurity defences are only ever as strong as the weakest link. Research shows that for a small to medium-sized business in London or elsewhere, that’s your employees, because of human error. Staff training and awareness is mission-critical when it comes to preventing e-mail phishing attacks and keeping your people, business, IT infrastructure, data, IP and confidential financial and customer information safe and secure.
Make sure every member of your team, working remotely or not, understands the dangers of phishing scams and the whole host of other risks washing around online. Encourage them to be extra vigilant about unexpected, unrecognised and unsolicited e-mails, messages, texts and social media posts. Emphasise the need for each of them to stop, think and check before clicking on or opening anything they do not recognise. Empower them to make a quick phone call to verify the legitimacy of an unusual request.
And it also only takes a quick phone call to have an informal, confidential and no-obligation chat with the go to IT support team for London, totality services, to ensure your cybersecurity defences are up to the job.