We all know what spam is. No, not the tinned meat kind, but the annoying email messages that look so dodgy you might wonder how anyone could fall for these scams. However, the reality is that many people do fall victim to cybercrime originating from spam and phishing emails. Sometimes, differentiating between scam messages and legitimate emails can be harder than you’d think, meaning that no one is immune to this form of cybercrime
That’s why today, we’re sharing the things to look out for to protect yourself and your organisation from cybercriminals who use fraudulent messaging to get what they want. Read on to discover the murky and dangerous world of spam and phishing as well as some of the best tips for protecting yourself and your business.
How spam and phishing scams work
There are many ways opportunistic cybercriminals can make money from spam email. They could use spam to run “Nigerian prince” style scams where the recipient is asked to be the middleman in a very large money transfer, promising you a considerable paycheck.
They ask you for your bank details and will either require you to make a payment to start things off or, worse yet, use the information they’ve gathered in your exchange to gain access to your bank account and drain it.
Another thing that spam is often used to spread viruses, ransomware and spyware. Clicking on a link in a spam email designed for this purpose could mean you inadvertently download malicious code onto your device. This could damage your computer and its associated network or give criminals access to your organisation’s confidential data.
Spam is also a common tool used for phishing scams. Phishing messages often look like they’re coming from a legitimate source, such as your bank, a government agency or an e-commerce site. These messages will ask for your personal information, such as your password or bank details. The aim here is to get access to your account in order to steal your money.
Businesses should also be aware that sometimes, cybercriminals aim to steal your contact information instead of your financial details. They will use this information to pretend to be from your organisation and launch scams targetting your employees or clients.
As the emails they send look like they’re coming from your organisation, the recipients are more likely to trust their authenticity and fall victim to the phishing attempts within. Cyber attacks like this are called spear phishing.
The way spam and phishing attempts work is by casting a wide net: the criminals behind these scams know only a handful of people will fall for their deceitful messages, but they’re able to make lots of money from each of these people. It’s worth noting that these days, scams like this aren’t only spread through email: more and more cybercriminals rely on text messages, automated calls and in-app messaging to reel victims in.
What does a spam email or phishing attempt look like?
A common tactic that spam and phishing emails use is creating a sense of urgency. Having a limited amount of time to complete an action makes the recipient less vigilant and more likely to make a mistake.
An example of this tactic is a message saying that your password is about to expire and that you need to follow a link in the email to go change it. If you do need to change your password, access the website by typing the URL into your browser or searching for it in your search engine.
When it comes to messages that look like they’re coming from your bank or another reputable organisation you have an online account with, vigilance is key. Subtle mistakes can help you distinguish between genuine and fraudulent messages.
These mistakes could be things like slightly altered domain names (eg. .com instead of .co.uk) and spelling errors. There might also be extra subdomains included in the URL – this is another sign that the message you’ve received could be a phishing attempt.
Tips for staying safe online
Never answer spam emails: most scammers keep a log of active email addresses, so by answering one, you verify that your inbox is in fact monitored, resulting in more spam being sent your way. You should also never give out your password to anyone, either by answering an email or following a link included in a dodgy message.
If you suspect that an email you’ve received is a phishing attempt, get in touch with the organisation that the email looks to be from to make sure it’s genuine. It’s extremely important that you don’t do this by answering the email you’ve received or by following any links included in it. Instead, you should google the company and get their customer service contact details this way.
To receive less spam, flag any email that is clearly junk mail with your email provider – most email platforms have an option to mark a message as fraudulent. This way, the email will be immediately removed from your inbox and over time, you’ll train your inbox to automatically mark suspicious emails as spam. Do make sure to occasionally check your spam folder, as legitimate emails sometimes end up here as well.
You should always use the strongest form of authentification possible to access accounts, have a strong password policy across your whole organisation and make sure that you give admin access to important accounts only to those in your business who absolutely need it.
As human error is the key to a successful phishing scam, you should consider investing in cybersecurity awareness training. You can also run a phishing simulation to educate your people about what a forged message looks like.
How two-factor authentication can protect your organisation
One of the best ways you can protect your organisation from phishing attacks and similar scams is two-factor authentication (2FA). Also known as multi-factor authentication, this tactic requires at least one other way of identifying you after you’ve submitted your username and password. This could be something like a verification code sent as a text message to your phone.
This way, even if you or someone else in your organisation falls victim to a phishing scam, cybercriminals won’t be able to access your accounts since they can’t verify that they have authority to access them. Our next blog post will go into more depth about the benefits of multi-factor authentication, so make sure to tune in to our blog next week for more information about this cybersecurity tool.