HR Blog | BerniePortal

How to Identify Phishing Emails

Written by Germeen Tanas | Feb 1, 2024 3:06:06 PM

In 2017, Google and Facebook confirmed they had fallen victim to a massive phishing scam. 

A man named Evaldas Rimasauskas posed as a hardware manufacturer the two companies actually did business with and deceived them for nearly two years (2013-2015). All it took were some well-written emails and seemingly official invoices to con roughly $100 million out of two of the largest technology companies in the world. 

Unfortunately, Google and Facebook are not isolated cases. Phishing scams have become very common and increasingly difficult to detect. While it's impossible to avoid phishing scam attempts completely, there are ways to identify them and save your organization from costly errors. 


What Is Phishing?

Phishing is a type of cyber attack in which someone tries to steal your money, your organization's money, sensitive information, or your identity by tricking you into revealing things like passwords, credit card numbers, or bank details. The people who run phishing attacks are criminals, and they usually impersonate reputable companies, friends, or coworkers to earn your trust. 

Most phishing is not aimed at one person but sent as a mass campaign, so you are probably not the only one at your organization who received the message. Scammers send out hundreds or even thousands of phishing emails; most attempts fail, but it usually takes only one person who "takes the bait" to give the scammer a foothold. Targeted attacks on a single person or role, like the invoice scam above, also happen, and those are typically better researched and harder to spot.

When you take the bait by opening the attachment or clicking the link, scammers can install ransomware or other malware that locks you out of your data. According to the Federal Trade Commission, a ransomware infection can spread from one machine to the entire company network. If you type your password into the fake page, the scammer now has it for that account and for every other account where you reuse it. 

Let’s look at some signs of a “phishy” email.


Signs of a Potential Phishing Scam Attempt

  • The email offers you free stuff or claims there’s a problem with your payment information. 
  • The email has an urgent call to action message or a threat: DO THIS OR PERISH! They might not say exactly that, but the call may sound that urgent as you’re reading it. 
  • The email contains subtle or obvious spelling or grammatical errors.
  • The sender's actual email address (not just the display name) does not match the domain the company really uses or does not look reputable. 
  • The email includes an attachment you weren’t expecting. 

Here’s an example of a phishing email I recently received: 

Sender: mattwebbthlks@hotmail.com

“The USPS package has arrived at the warehouse and cannot be delivered due to incomplete address information. Please confirm your address in the link within 12 hours. 

{link here}

The US Postal team wishes you a wonderful day”

First of all, I knew not to press the link, because I wasn’t waiting on a package from USPS. But what if you are waiting on a package? 

Another big red flag is the sender address. Always look at the actual address the email came from, not just the display name, since many mail clients show only the name by default. Sometimes the mismatch is easy to spot, other times it isn't. A reputable company like USPS will not email you from a personal email address. If USPS needed me to confirm my address, they would not email me through a Hotmail account. The reverse is not a guarantee, though: the From address can be forged when the impersonated company's domain is not protected by SPF, DKIM, and DMARC, so a plausible-looking sender is not proof on its own. 

Phishing messages will often leave you confused. This email makes a very urgent demand with a deadline but never explains the deadline. What happens if I don't confirm within 12 hours? Real service notices say what the consequence is and how to reach the company; a threat with no explanation exists only to make you click before you think. 

Lastly, they did not end their well wishes with a period. While this may seem trivial, reputable companies proofread customer communications, so spelling and grammar errors should raise your suspicion. Do not rely on this sign alone, though: plenty of phishing emails are polished, and a clean message can still be fake. 

If an email seems even slightly suspicious or inauthentic, take a few moments to think before clicking any link or giving out any personal information. Check where a link actually goes, and when a site asks for payment or login details, confirm that the domain is the company's real one. A padlock or "https" in the address bar only means the connection is encrypted; phishing sites use HTTPS too. You can also expect emails from reputable companies to be consistent with that company's brand and to uphold a certain writing standard. 


What To Do When You Receive a Phishing Email at Work

Even if you think an email may be authentic, always take the necessary precautions before clicking any links or opening attachments. 

If an email appears to be from a coworker, go straight to the source and ask about the request. Do not reply to the email itself; have the conversation in person or over the phone, using a number you already have rather than one printed in the message, since a scammer who forged the email can also answer a phone number they supplied. 

If the email asks you to click on a link, Microsoft recommends hovering your mouse over the link before actually clicking it. Look at the address that pops up and "ask yourself if that address matches the link that was typed in the message." If it does not, the link is likely a scam. On a phone, where you can't hover, a long press on the link usually shows the real destination. 
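The checks in the signs list above and the hover check can be automated. Here is an added example, written for this edit and not code from BerniePortal or from Microsoft, that scans a raw email for four of those signs: a free-mail sender hiding behind an official display name, an urgent deadline, a link whose visible text names one domain while the real href points at another, and an unexpected attachment. Both sample messages are constructed for the example; the first mimics the USPS lure above, and the domains `example-delivery.net` and `intranet.example.com` are placeholders. The domain comparison keeps only the last two labels of a host, which is rough (a real scanner would use the public-suffix list) but enough to show the idea.

```python
"""Scan a raw email for common phishing signs (added example, not BerniePortal code)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the USPS lure in the post: free-mail sender with an
# official-sounding display name, a 12-hour deadline, and a link whose visible text
# says usps.com while the real href goes to a placeholder domain.
PHISH_EML = b"""From: "USPS Delivery" <mattwebbthlks@hotmail.com>
To: employee@example.com
Subject: Package cannot be delivered
Content-Type: text/html; charset="utf-8"

<p>The USPS package cannot be delivered due to incomplete address information.</p>
<p>Please confirm your address in the link within 12 hours.</p>
<p><a href="http://usps-track.example-delivery.net/confirm">https://www.usps.com/track</a></p>
"""

# Constructed benign sample for contrast: company sender, no deadline, link text matches href.
BENIGN_EML = b"""From: "IT Help Desk" <it-help@example.com>
To: employee@example.com
Subject: Updated acceptable-use policy
Content-Type: text/html; charset="utf-8"

<p>The revised policy is posted on the intranet.</p>
<p><a href="https://intranet.example.com/policy">https://intranet.example.com/policy</a></p>
"""

FREE_MAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com", "outlook.com", "aol.com"}
URGENCY = re.compile(r"\b(within \d+ hours?|immediately|urgent|suspended|verify now)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(value):
    """Reduce an email address, URL or bare host to its last two labels.
    Deliberately rough: a production scanner would use the public-suffix list."""
    host = value.strip()
    if "@" in host:
        host = host.rsplit("@", 1)[1]
    elif "://" in host:
        host = urlparse(host).hostname or ""
    host = host.split("/", 1)[0].lower().strip(".")
    return ".".join(host.split(".")[-2:])


def analyze(raw_bytes):
    """Return a list of (code, detail) findings; an empty list means no sign fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []

    # Sign: the real sender address does not fit the organisation the display name claims.
    display_name, address = parseaddr(str(msg["From"]))
    if display_name and base_domain(address) in FREE_MAIL_DOMAINS:
        findings.append(("free-mail-sender", f"{display_name!r} sends from {address}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text = re.sub(r"<[^>]+>", " ", html)

    # Sign: urgent call to action with a deadline.
    match = URGENCY.search(text)
    if match:
        findings.append(("urgent-deadline", match.group(0)))

    # The hover check, automated: link text naming one domain while the href goes to another.
    collector = LinkCollector()
    collector.feed(html)
    for href, shown in collector.links:
        if ("://" in shown or shown.startswith("www.")) and base_domain(shown) != base_domain(href):
            findings.append(("link-mismatch", f"shows {shown} but goes to {href}"))

    # Sign: an attachment you were not expecting.
    for part in msg.iter_attachments():
        findings.append(("attachment", part.get_filename() or part.get_content_type()))

    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(label, analyze(raw))
```

Run it and the USPS-style message produces three findings while the help-desk message produces none. A tool like this only catches the crude cases; a polished lure from a look-alike domain with matching link text passes every check here, which is why the human checks in this post still matter.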

You can also ask your manager or another coworker to look over the email with you. Maybe they will catch something you didn’t. 

When you know you’ve received a phishing email: 

  • Report the email. Most email platforms, including Outlook and Gmail, have a report-phishing feature, and many organizations have a security team or IT mailbox that wants a copy. You can also forward phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org.
  • Warn your team members. Share a screenshot of the phishing email as a heads-up for the rest of your organization, rather than forwarding the live message with its links. 
  • Delete the email once it has been reported. This ensures you don't accidentally stumble upon it again, while the security team still has a copy to investigate.


How Can HR Safeguard Their Organizations Against Phishing Scams?

Make it a priority to teach employees about common phishing attacks and how to identify them, and make it easy and blame-free to report a suspected phish, even one they already clicked. Phishing training can be part of new hire orientation so employees feel prepared from day one. 

To secure sensitive information, ensure all employees use multi-factor authentication on their workplace accounts. Any second factor is better than a password alone, but methods such as hardware security keys or passkeys resist phishing better than codes sent by text message, which a fake login page can simply ask for and relay. Back up data regularly and keep a copy outside the company network: if a phishing attack succeeds and ransomware spreads, a backup the attacker cannot reach is what saves your organization from total loss. 


Additional Resources

You can stay informed, educated, and up to date with important HR topics using BerniePortal’s comprehensive resources:

  • BernieU—free online HR courses, approved for SHRM and HRCI recertification credit
  • BerniePortal Blog—a one-stop shop for HR industry news
  • HR Glossary—featuring the most common HR terms, acronyms, and compliance
  • Resource Library—essential guides covering a comprehensive list of HR topics
  • HR Party of One—our popular YouTube series and podcast, covering emerging HR trends and enduring HR topics