From manipulating complex emotions to subtly Miss Spelling (pun intended) run-of-the-mill URLs, feigned sincerity and the illusion of respectability are just as likely to elicit meaningful responses online as in real life. If not more so.
One illustration of the psychological prowess of cyber criminals is the well-known “social engineering” technique called phishing, in which electronic communications—emails, mostly—are sent to gain sensitive information from a victim. Phishing attacks must be convincing enough to bypass security screening and bait a recipient into clicking through to an infected website, potentially compromising the entire network.
Molding workers into hardened cynics to defend against phishing isn’t the path forward. Instead, businesses need to recognize the signs of an attack and train their employees on how to act when something small is just not quite right.
What to do?
The first assessment is to look at the email and ask whether the context fits. Ask: “Is the information I’m being asked to give within my role? Basically, does it make sense for me to be getting this email, in this context, right now?”
Second, examine the content. Is there a hyperlink, and where does it go?
Third, look at what the text and layout can tell you: phishing text can seem slightly discolored or wrongly formatted.
Fourth, who is this from? It’s a good idea to verify the sender’s name and email. Hovering over the sender’s address will often show you the full email address of the sender rather than one formatted for presentation. Often this is where a look-alike domain name can be spotted.
Finally, the poor spelling often found in phishing emails has less to do with a need for remedial grammar lessons and more to do with lessons learned over the years. Savvy cyber criminals are using social engineering techniques to position themselves as non-English-speaking individuals as a form of emotional manipulation. Even savvier cyber criminals now use misspellings and grammatical errors to self-select more vulnerable targets.
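The hyperlink check (second) and the sender check (fourth) can also be run mechanically on a raw message. The Python sketch below is an added example, not part of the original article; the trusted-domain list, the two-edit threshold and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the organisation really deals with (constructed values).
TRUSTED = ("example-bank.com", "example.com")
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a, b):
    """Levenshtein distance; small values mean a near-identical spelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Trusted domain that `domain` imitates (<= 2 edits, assumed), or None."""
    if domain in TRUSTED:
        return None
    return next((t for t in TRUSTED if edit_distance(domain, t) <= 2), None)

def review(raw):
    """Apply the hyperlink check and the sender check to one raw message."""
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg["From"])  # the real address, not the display name
    sender = addr.rpartition("@")[2].lower()
    if lookalike_of(sender):
        findings.append(f"sender domain {sender} resembles {lookalike_of(sender)}")
    for href, text in LINK.findall(msg.get_payload()):
        host = (urlparse(href).hostname or "").lower().removeprefix("www.")
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        name = shown.group().removeprefix("www.") if shown else ""
        if name and name != host and not host.endswith("." + name):
            findings.append(f"link shows {name} but goes to {host}")
    return findings

# Constructed sample message, not taken from a real campaign.
SAMPLE = '''From: "Example Bank Support" <support@examp1e-bank.com>
Subject: Verify your account
Content-Type: text/html

<p>Confirm at <a href="http://login.example.net/verify">www.example-bank.com</a></p>
'''
print("\n".join(review(SAMPLE)))
```

Both findings fire on the sample: the sender domain swaps an "l" for a "1", and the link text names one site while the `href` points to another.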
But even with these helpful pointers, the phishing pond is only half full. A more secure bet is to partner with cyber security professionals, who can help businesses mitigate risk related to increasingly sophisticated social engineering techniques. With the help of hosted services, security professionals will be able to teach cyber criminals a lesson – that this phishing hole is closed.