According to a report from the Anti-Phishing Working Group, 2016 was a record-breaking year for phishing attacks: more than 1.2 million documented attacks, representing a 65 percent increase over 2015. Although they've been around for years, phishing attacks continue to pose a serious threat, especially for small businesses that lack formal cybersecurity education for their employees.

With the risks including data breaches, outages and ransomware, many companies simply can't afford to fall victim to a phishing attack. Clearly, it's more important than ever for employees to learn how to identify and avoid phishing emails.

What Is Phishing?

The term "phishing" comes from the cybercriminals who go "phishing" for victims by sending mass amounts of fake messages. If you've ever received an urgent message informing you that your email or Facebook account is about to be shut down, you know how it feels to be the target of a phishing attack.

Phishing emails are effective because they take advantage of basic human psychology. They often try to appear as an official message that the recipient would find important, such as a shipping notification, a speeding ticket or an instruction to change your password.

Recipients who click on a link in the email are redirected to the criminal's website, which spoofs the appearance of the website of a legitimate company or institution. From there, they may be directed to enter sensitive data such as passwords or financial information or to download a file containing malware onto their computer.

Apart from "normal" phishing attacks targeting a broad audience, there are also several advanced varieties that you should be aware of. "Spear phishing" refers to phishing attacks going after specific high-value targets, such as a bank or government agency. Meanwhile, "whaling" involves targeting specific individuals within a company, such as executives or managers with valuable credentials.

How to Identify Phishing Attacks

Fortunately, phishing messages usually have several key differences from legitimate emails, making it possible for recipients to identify them. Some noteworthy traits of phishing messages include:

  • Email address: Don't trust the name, double check the email address to ensure that the sender is who they claim to be. Look at the email address closely for typos, and other small changes that may trick users into thinking the address is legitimate.

  • Links: Look but don't click. Hover your mouse over any links embedded in the body of the email. If the link address looks weird, don’t click on it. If you want to test the link, open a new window and type in website address directly rather than clicking on the link from unsolicited emails.

  • Content: Poor spelling, grammar and punctuation and unprofessional vocabulary are almost always key indicators of a phishing attack. The message has a generic salutation, such as "Dear Customer." The text usually has a sense of urgency or mystery in order to make you click on the link.

  • Design: The appearance of the email--including formatting, layout, design and color scheme--is different from other emails you've received from the sender.

  • Attachments: The email contains attachments that have generic names such as "file" or "photos," or with a potentially dangerous file type, such as .zip or .exe.

How to Avoid Phishing Attacks

Although you can teach employees to identify phishing emails, it's much
better to avoid them in the first place:

  • Block email attachments from automatically downloading and use a
    whitelist of acceptable file types.
  • Use an email provider with strong capabilities to filter spam and
    phishing emails.
  • Install a web filter that can identify potentially
    malicious domains.
  • Keep up-to-date with all security patches and upgrades and use
    modern antivirus and anti-malware software.

A cybersecurity service like Todyl can help protect your business against phishing and other attacks. Todyl's multiple layers of defense scan email attachments and other files for viruses before downloading, and its secure domain name server blocks users from visiting fraudulent and malicious domains.

Todyl is the first cybersecurity service designed specifically for small businesses, offering comprehensive protection and detection capabilities. In the case of a breach, we can help you respond and come back online so that you can keep operating with minimal disruption.