What is a Cyber Response Playbook?

A cyber response playbook is a plan you develop that outlines the steps you will take in the event of a security incident. Most organizations keep their incident response plans very simple and then augment specific types of incidents with cyber response playbooks. Cofense helps many organizations with cyber response playbooks for phishing email.

Phishing emails are a specific type of security incident and require steps to identify an outbreak, determine the type of malware or method of attack involved, and then remove those emails from end users’ inboxes to end the outbreak. With some organizations reporting hundreds of phishing emails per day, it becomes very difficult to sort the false reports from the actual phishing emails that pose a threat.

Cofense has a suite of products that are designed to help organizations with their entire cyber response playbook for phishing. When deploying the full suite of Cofense solutions, organizations can educate employees on how to identify and report phish, detect phish in their environment and respond quickly to remediate threats. Cofense PhishMe and Reporter help organizations develop phishing simulators and training aimed at conditioning end users to identify and report suspected phish, while Cofense Triage groups them together and applies a priority score so analysts know which email to look at first; Auto Quarantine, a feature in Cofense Vision, will remove phish from end user inboxes before they’ve had a chance to click on them.

Cyber response playbooks can be simple and easy to implement if you have the right vendor that can help you identify, prioritize and respond to any security incident.

 


Social Media Phishing: What You Need to Know

What should you know about social media phishing, or SMP? Many of us associate phishing risk with get-rich-quick links or attachments in marginally literate email messages, not our social media accounts and activity. What you should know is that phishing threat actors are deviously clever at setting traps by exploiting popular and trusted platforms, apps and topics in the news. What better hunting ground, then, for the digitally savvy criminal than social media?

Here are some answers to common questions asked about social media phishing.

What is social media phishing (SMP)?

Social media phishing is used by attackers seeking to steal personal data to sell on the dark web or to gain access, typically, to financial accounts. They may also troll for personal details for credential phishing purposes. For example, when armed with your birthday, social security number, middle name, mother’s maiden name and the like, combined with educated guesses about where you bank or keep retirement accounts, they can reset your password and pillage your accounts. Too much of this type of detail is easily found on social media websites.

Alternatively, an attacker may simply post an irresistible phishing link (e.g. “You won’t believe your eyes” or “See how I made $200,000 in 10 minutes”) on a friend’s social page. When the link is clicked, the victim is routed through a series of screens and spoofed webpages where attackers harvest important identifying information. You can read all about the methods they use – some are diabolically clever – on our Phishing Prevention & Email Security Blog.

As of 2021, more than 3.96 billion people worldwide are using social media. The average social-media consumer has 8.6 accounts on different networking sites; popular platforms like Facebook see 66% of their users logging in daily.[1] This type of heavy and diverse traffic makes for a bottomless trough from which phishing threat actors gorge.

Why is social media a target for phishing attacks?

Social media is invaluable to threat actors for social engineering, which is a variety of deceptive tactics through which attackers use your good nature against you to get confidential information. Social media users choose their platforms to get and generously give information. They often make public where they live, work and vacation. They offer up the names, ages and birthdays of their children, friends and colleagues. They probably don’t realize how easy they’re making it for a digital criminal to structure and launch a targeted attack.

The attack may come in the form of, for example, a post with a link designed to entice the victim to share it on their social media. The victim’s contacts – trusting the source – may click on the link. From there, they’re taken to a phishing (but genuine looking) website. An authentication challenge will appear, obliging the user to validate their identity by supplying their social media (or Google Drive or OneDrive or other) credentials in order to see the content they were tricked into pursuing. Typically, the authentication will fail, forcing the victim to reenter credentials. In many cases, these credentials are all that’s needed for an attacker to wreak digital devastation.

What are examples of social media phishing?

On Facebook, beware of third-party apps that demand excessive amounts of information. Also, criminals can easily create a phishing site that looks just like the Facebook login page. On LinkedIn, look out for fake recruiters. They may send a document you must download to pursue that amazing opportunity. Once downloaded, the document unleashes malware via macros that aren’t readily visible to the untrained user. Educate yourself on how criminals manipulate other platforms – Twitter, Instagram, YouTube and more – to launch attacks and steal your stuff. Check out Cofense resources, and those offered by trusted organizations such as National Cyber Security Alliance.

How can I protect myself against phishing on social media?

To steer clear of phishing on social media, a few quick best practices include these “don’ts”:

  • Don’t accept friend requests from strangers.
  • Don’t click on links to update your personal details – instead, visit the platform’s support pages to see what updating is needed, and how and when to do it.
  • Don’t use the same password and user name for all your accounts because once one of them is stolen, all your accounts will be in jeopardy.
  • Don’t ignore prompts to update your operating system; many attacks exploit unpatched vulnerabilities.

Social media is meant to be fun and informative. Don’t let the crooks ruin it for you. Keep in mind that attackers will try to use one successful exploit to go after not just you but your family, friends, colleagues, neighbors and employer.

For more information on staying safe against SMP, and other types of phishing attacks, visit us online and check out articles like this one, What Are Phishing Attacks and How Do You Stop Them? We’re here to help.

[1] Source: Backlinko, https://backlinko.com/social-media-users

What are Email Protection Tools?

Email protection tools are security tools designed to protect your email from malware and hackers. They include tools like Secure Email Gateways, anti-malware software and anti-phishing tools like the Cofense suite of products.

Most email protection tools sit on the gateway and monitor email coming into the network for known malicious attachments, URL links and other malware. Some use blacklist/whitelists to segregate email, but most use algorithms to parse for known malware signatures. Still others are looking for patterns to identify zero-day threats.

What is a zero-day threat?

Email protection tools have been available for more than 20 years now, and some, like Secure Email Gateways, are becoming commoditized as the push for vendor consolidation and cost savings pushes vendors to provide more value. 

In the past, most email protection tools were deployed on-premises, meaning the company installed its own appliances and maintained them themselves. Nowadays, more and more companies are moving to cloud-based solutions that are much easier to deploy and maintain. 

Some companies will provide managed services and the customer simply has to point their email gateway to the service to begin filtering email. Cloud-based products have made products designed for high-end enterprises available to mid-sized companies and they have been moving to these cloud services for a number of years.

There is no reason to go without email protection tools these days, as they are often bundled in with other services, as Microsoft does with Defender for Office 365. Bundles are also available from Google and other providers. They are becoming more popular as customers see significant cost reductions and have fewer vendors to maintain.

Still, most email protection tools available in bundles can’t protect against things like zero-day and other emerging threats that haven’t been identified yet. In this case, it is best to spend money on solutions that have high-quality intelligence feeds that identify emerging threats before they can cause problems. 

This is where Cofense comes in. The Cofense Phishing Detection and Response (PDR) platform empowers organizations to use their strongest defense – people – alongside our automated response and intelligence technology to achieve the most comprehensive phishing response and detection available. Cofense’s PDR platform is designed to deploy as an integrated suite of products or delivered as a comprehensive managed PDR service through the Cofense Phishing Defense Center (PDC). Both options effectively stop phishing attacks and combat the savviness of attackers through a combination of people and automated technology to quickly reduce and remove the risk.

Email protection tools that focus on creating a human network that can report on emerging threats like phishing emails are very valuable for their “network effect”: when one person reports malware, everyone in the network becomes protected against it immediately. It is this kind of intelligence that makes certain email protection tools more valuable than others.

Email protection tools have been around for a long time and work to protect customers against a wide range of threats from spoofing to phishing and many types of malware. It is important to have the right kind of email protection tools to protect against the current known threats and unknown, or zero-day threats that are emerging. Good intelligence is always found in the best tools and that’s where customers are spending a good portion of their security budgets today.


What is a SIEM Alert?

A SIEM alert is a tool most commonly used by SOCs to protect an organization. SOCs entrust the reliability of the processes on their IT systems to this kind of automated technology, which reports any issue that may occur.

Ah, but what is a SIEM, you ask?

Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across your entire IT infrastructure. A SIEM collects security data from network devices, servers, domain controllers, and more. SIEMs store, normalize, aggregate, and apply analytics to that data to discover trends, detect threats, and enable organizations to investigate any alerts.

Some 575 organizations that work in threat hunting or alongside threat hunters were surveyed in the SANS 2019 Threat Hunting Survey: The Differing Needs of New and Experienced Hunters. The results showed that SIEM alerts are still widely used in organizations, and that 66.2% of organizations employ a SIEM because they are easy to use.

SIEM tools analyze the state of the processes that are occurring on the IT system and classify thousands of events to evaluate their behavior and detect possible anomalies that could lead to a cyberattack. And should an attack happen, this kind of alert scours the system in order to analyze the possible causes of the attack and how to stop it.

Keep in mind that although SIEM alerts are one of the most commonly used tools, that does not mean they are everything you need to keep your network secure. One of the difficulties with checking SIEM data for values is that there is no standardized format for the information contained in these messages. Therefore, the data needs to be normalized into a standard model. From this, alert rules can be created, which check for correlation and aggregation across multiple devices or apps. Additionally, the standardized data model helps with noticing specific occurrences of value on particular devices or apps. Also, SIEMs are based on searches for threats that they already know, but not for unknown threats. These unknown threats will be at the mercy of customized alerts. Customizing alerts to discover new threats is an insurmountable task for most organizations, since many SOCs do not have enough professionals to update search criteria frequently.

SIEM alerts can evaluate many events individually, but when an event occurs with others, they may fall short. One of the constant challenges when writing alerts is balancing the goals of reducing false positives and preventing inundation while still alerting on all suspicious events. Security teams are constantly looking for opportunities to improve alerts to reduce the false positive rate. With a SIEM, an event taken in isolation could look like a threat but, when viewed together with other events, is not dangerous. This increases the number of false positives detected.
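The normalization and correlation described in the last two paragraphs can be sketched as follows. This is an added example, not Cofense or SIEM vendor code: the JSON event format, the field names of the common model, the sample lines and the year applied to syslog timestamps are all constructed assumptions.

```python
import json
import re
from datetime import datetime, timedelta

# OpenSSH-style syslog line (first source format).
SSHD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<verb>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample input: two sources, two formats, one login story.
SAMPLE_LINES = [
    "Mar 14 10:15:01 bastion1 sshd[2211]: Failed password for alice from 203.0.113.7 port 50122 ssh2",
    "Mar 14 10:15:20 bastion1 sshd[2214]: Failed password for alice from 203.0.113.7 port 50140 ssh2",
    '{"time": "2024-03-14T10:16:05Z", "app": "vpn", "event": "login", "result": "failure", "username": "alice", "client_ip": "203.0.113.7"}',
    '{"time": "2024-03-14T10:17:30Z", "app": "vpn", "event": "login", "result": "success", "username": "alice", "client_ip": "203.0.113.7"}',
    '{"time": "2024-03-14T10:20:00Z", "app": "vpn", "event": "login", "result": "failure", "username": "bob", "client_ip": "198.51.100.4"}',
    '{"time": "2024-03-14T10:20:30Z", "app": "vpn", "event": "login", "result": "success", "username": "bob", "client_ip": "198.51.100.4"}',
    '{"time": "2024-03-14T10:21:00Z", "app": "vpn", "event": "heartbeat"}',
]


def normalize(line, year=2024):
    """Map one raw line from either source onto a common event model.

    Returns None for lines that are not login events. Syslog timestamps
    carry no year, so the caller supplies one (an assumption here).
    """
    line = line.strip()
    if line.startswith("{"):
        rec = json.loads(line)
        if rec.get("event") != "login":
            return None
        return {
            "ts": datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ"),
            "source": rec["app"],
            "user": rec["username"],
            "src_ip": rec["client_ip"],
            "outcome": "success" if rec["result"] == "success" else "failure",
        }
    m = SSHD.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "source": "sshd",
        "user": m["user"],
        "src_ip": m["ip"],
        "outcome": "success" if m["verb"] == "Accepted" else "failure",
    }


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a success follows >= threshold failures for the same
    user and source IP inside the window, regardless of which device
    logged each event. A lone failure never alerts on its own."""
    alerts = []
    recent = {}  # (user, src_ip) -> failures still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src_ip"])
        fails = [f for f in recent.get(key, []) if ev["ts"] - f["ts"] <= window]
        if ev["outcome"] == "failure":
            fails.append(ev)
            recent[key] = fails
            continue
        if len(fails) >= threshold:
            alerts.append({
                "rule": "failures-then-success",
                "user": ev["user"],
                "src_ip": ev["src_ip"],
                "failures": len(fails),
                "sources": sorted({f["source"] for f in fails} | {ev["source"]}),
                "ts": ev["ts"],
            })
        recent[key] = []  # a success resets the failure streak
    return alerts


def run_sample():
    events = [e for e in map(normalize, SAMPLE_LINES) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The single mistyped password for `bob` produces no alert, while the three failures for `alice` spread over two devices only become visible as one pattern after both formats share the same fields.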

As a rule, SIEM alerts should not be used alone, but in conjunction with a proactive security approach and strategy, which constantly hunts for previously unknown threats, and which acts autonomously to detect and classify them.

Cofense Intelligence delivers threat intelligence in multiple forms:

  • Machine-readable threat intelligence (MRTI) follows industry standards for quick integration with your existing security devices, like a SIEM.
  • Analysis reports in PDF and HTML format are optimized for threat analysts and incident response teams.
  • Published threat intelligence that shows how individual elements of an attack are related and the relationships between seemingly disparate attacks.

Our proactive approach enables you to prime your existing security infrastructure to disrupt these potentially dangerous attacks. Tactics used to penetrate your network are also exposed along with the relationships between phishing campaigns and Indicators of Compromise (IOCs). The combination of actionable threat intelligence and understanding the correlation between phishing attacks and their motivators helps your team prioritize, investigate, and respond.

Cofense Intelligence key benefits:

  • Integrates with existing security solutions to speed phishing threat response
  • Provides timely, accurate, and actionable phishing threat intelligence
  • Expert threat analysts to help operationalize threat intelligence and provide guidance
  • Attack analysis and context to help make rapid, informed decisions

Our unique combination of technology and human insight — paired with our 26M+ strong global reporters network — makes it easy to get the information you need to protect your organization.

What is the difference between threat feeds and threat intelligence feeds?

Threat feeds are a valuable way to gather information regarding adversaries and their capabilities and infrastructure. Threat feeds are made up of a large quantity of data but are usually not intelligence. 

Threat Intelligence Feeds are actionable threat data related to artifacts or indicators, collected from third-party vendors so that you can learn from other companies’ visibility and access and enhance your own cyber threat response and awareness. Threat Intelligence Feeds concentrate on a single area of interest.

Then there are free threat feeds. These are almost always defined as data gathered solely from open sources. Because these threat feeds are essentially non-prioritized lists of data that come without context, they can sometimes add to the burden of a SOC, rather than reduce it. 

Sometimes a free feed can cost your organization time and resources, and often such feeds are not relevant to your business and security objectives. Threat data does not equal threat intelligence. But this doesn’t necessarily make feeds that provide raw data useless: they can still play a role in producing intelligence. Often, free threat feeds are the first place where organizations begin their threat intelligence journey.

When building a security program, organizations will often turn to free threat feeds when trying to assess their specific needs. However, to effectively evaluate a threat feed, you should ignore the “more feeds, more intel” mindset. Instead, focus on the relevance of the intelligence provided to your security and business operations and the source from which the intelligence is gathered. It’s a common misconception that a large quantity of threat intelligence feeds leads to more effective security. Unfortunately, threat feed overindulgence can lead to confusion, disorganization, and inaccurate threat reports. 

On the surface, threat intelligence feeds are precisely what they sound like: continuously updated feeds that provide external information or data on existing or potential risks and threats. In practice, however, the type of context (or lack thereof) these feeds provide is what sets them apart from each other. With a threat intelligence feed, there are things to consider like update frequency, context, timely information, and delivery format.

The purpose of monitoring a threat feed is to find useful information about dangers online and the adversaries behind them. One critical step that most organizations need to take on their path to maturing a cybersecurity posture is to acquire threat feed data. 

Looking at intelligence reports about the various threats targeting organizations can provide a lot of awareness about cyber dangers and threat actors. But some organizations equate security with the number of feeds they subscribe to, not realizing that their analysts couldn’t possibly monitor the hundreds or thousands of threat reports generated every day. Having too many threat feeds is almost as bad as not having any at all. Unless you have some way of managing that information, there is just too much noise to identify the relevant attack reports needed to protect your organization.

Understanding how and from where your feeds get their information will help determine the process that turns data into actionable intelligence. All organizations need threat feeds and threat intelligence feeds but putting context around them is the crucial part.

Cofense Intelligence

Cofense Intelligence provides the phishing alerts, information, and insights you need to proactively defend your organization against phishing threats. Our unique combination of technology and human insight — paired with our 26M+ strong global reporters network — makes it easy to get the information you need to protect your organization.

With Cofense’s unique security intelligence, you are armed with the weapons you need to identify, block, and investigate threats hitting your enterprise daily. This precise information is available in multiple forms for your teams to prepare and respond to active attacks to your network:

  • Human-readable threat intelligence reports provide deep-dive and trending analysis of your biggest threats. These reports include our expert analysis of the attack methodology. 
  • Machine-readable threat intelligence (MRTI) or threat intelligence that can feed directly into security devices and threat repositories. Firewalls, IDS/IPS, SIEM can now detect and block emerging threats at the earliest stages of the attack. 
  • SaaS investigation apps to investigate phishing and malware attacks. These on-demand tools provide the latest insight on which attacks are related and how the attacks are being executed.
  • Expert guidance from Cofense’s world-class security team to implement best practices to reduce threats against your network.

Phishing emails with malicious attachments or links continue to be a threat that bypasses most organizations’ security stack and reaches the end user. Cofense takes a fundamentally different approach in identifying threats as they emerge daily, before your network gets hit.

What is a Business Email Compromise (BEC) attack?

Business email compromise, often known simply as BEC, is when threat actors use email fraud to attack commercial, government and non-profit organizations to achieve a specific outcome which negatively impacts the target organization. 

Most attacks target specific employee roles within an organization by sending a spoof email (or series of spoof emails) which fraudulently represent a senior colleague (CEO or similar) or a trusted customer with instructions to approve payments or release client data. The emails often use social engineering to entice the victim into making money transfers to a fraudulent bank account. 

According to Gartner Research, business email compromise attacks increased by nearly 100% in 2019 and in some cases, resulted in substantial financial losses. Further, BEC attacks will continue to double each year to over $5 billion, and lead to large financial losses for enterprises through 2023.

Business email compromise attacks do not use malware or links in email; rather, it is the user who is compromised (an account takeover). Attacks are pretty simple to execute, and traditional email content inspection techniques cannot detect BEC phishing because the emails resemble regular email content, with the goal of exploiting business process errors.

One example is something as simple as a “spoofed” email, where the display name in the email is modified to appear as an individual within an organization when, in reality, the return address is actually that of the attacker. The email format allows for a “display name” that doesn’t have to be related to the actual sender’s email address. This makes it less difficult to fraudulently use the name of a trusted individual. The message often appears to be sent from a senior staff member to someone at a lower level in the company, and the body of the email will imply a sense of urgency. Spoofing is the most common mechanism for payroll diversion attacks because the attacker simply identifies an individual within an organization and sends an email to the payroll department asking for their bank account details to be updated.
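A mail-filtering check for the display-name mismatch described above can look like this. It is an added example, not Cofense code: the directory of protected names, the sample messages and the finding labels are constructed, and it uses only Python's standard `email` package.

```python
import re
import unicodedata
from email import message_from_string, policy

# Constructed directory: names worth protecting -> their real addresses.
DIRECTORY = {
    "Dana Whitfield": "dana.whitfield@example.com",
    "Priya Raman": "priya.raman@example.com",
}
ADDRESS_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample messages (headers only matter for this check).
SAMPLES = {
    "legit": "From: Dana Whitfield <dana.whitfield@example.com>\n"
             "Subject: Q3 numbers\n\nSee attached.",
    "name_spoof": 'From: "Whitfield, Dana" <dana.whitfield@example.net>\n'
                  "Subject: Urgent payment\n\nPlease wire today.",
    "encoded_spoof": "From: =?utf-8?q?Dana_Whitfield?= <accounts@example.net>\n"
                     "Subject: Urgent\n\nAre you at your desk?",
    "addr_in_name": 'From: "priya.raman@example.com" <billing@example.net>\n'
                    "Subject: Payroll update\n\nNew bank details.",
    "reply_to": "From: Priya Raman <priya.raman@example.com>\n"
                "Reply-To: priya.raman@example.net\n"
                "Subject: Invoice\n\nReply with the PO.",
}


def normalize_name(name):
    """Reduce a display name to an order-insensitive key so that
    'Whitfield, Dana', 'DANA WHITFIELD' and 'Dana Whitfield (CEO)' match."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    text = re.sub(r"\(.*?\)", " ", text)  # drop "(CEO)"-style suffixes
    return " ".join(sorted(re.findall(r"[a-z]+", text)))


def check_sender(raw_message, directory=DIRECTORY):
    """Return a list of findings for the From/Reply-To headers."""
    # policy.default parses addresses and decodes RFC 2047 encoded names.
    msg = message_from_string(raw_message, policy=policy.default)
    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        return ["missing-from"]

    sender = from_header.addresses[0]
    addr = sender.addr_spec.lower()
    findings = []

    # 1. Display name is a protected person, address is not theirs.
    known = {normalize_name(n): a.lower() for n, a in directory.items()}
    key = normalize_name(sender.display_name)
    if key in known and addr != known[key]:
        findings.append("display-name-impersonation")

    # 2. Display name itself shows an address other than the real one.
    shown = ADDRESS_IN_TEXT.findall(sender.display_name)
    if any(s.lower() != addr for s in shown):
        findings.append("address-in-display-name")

    # 3. Replies would go to a different domain than the sender's.
    reply_to = msg["Reply-To"]
    if reply_to is not None:
        if any(r.domain.lower() != sender.domain.lower()
               for r in reply_to.addresses):
            findings.append("reply-to-domain-mismatch")
    return findings


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_sender(raw))
```

A finding here is a reason to tag or hold the message for review, not proof of fraud; an exact-name match also misses lookalike spellings, which need a fuzzy comparison on top.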

What’s worse, suppliers and customers can be attacked using your organization’s email domain, which greatly impacts relationships, your organization’s reputation, and stakeholder trust.

Then there’s the business email compromise where a legitimate user’s email account is compromised. Attackers can obtain user account details and then use those credentials to log into a user’s account. Sneaky attackers will sometimes set up forwarding rules to monitor a victim’s email conversations following the initial message. That gives the attacker the opportunity to step in at their leisure with urgent messages that appear authentic, making the attack even more convincing.

These attacks pose a significant risk. According to the annual 2020 FBI Internet Crime Report, this phishing tactic has raked in nearly $2B this past year alone. But the damage caused by these attacks reaches well beyond financial losses. With fraudulent invoices, which are the most common of BEC attacks, the recipient gets what appears to be a legitimate invoice from an organization.

According to HelpNet Security, there was a 200% increase in business email compromise attacks focused on invoice or payment fraud from April to May 2020, posing both an internal risk to organizations and a reputation risk. As stated above, if a supplier or customer falls for a BEC attack that claims to come from a known organization, it can harm the established trust in the existing relationship as well.

There are actions you can take to inform your employees to avert this threat. Educate your executive leadership team about this type of threat and discuss business email compromise with your organization at-large — especially those employees responsible for payments/payroll AND suppliers, customers, and clients. Training should include preventative strategies and reactive measures in case they are victimized. Among other steps, all employees should be told to:

  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials in response to any emails.
  • Keep all systems updated.
  • Verify the email address used to send emails, especially when using a mobile device, by ensuring the sender’s email address appears to match who it is coming from.
  • Ensure the settings on employees’ computers are enabled to allow full email extensions to be viewed.

There is no single technology solution to BEC; rather, it’s a combination of technology, process and user awareness.

Malware Intelligence: What is Cryptojacking Malware?

Stay Ahead of Cryptojacking Malware with Cofense’s Malware Intelligence

Cofense’s malware intelligence service provides accurate and timely alerts about cryptojacking malware and ransomware being circulated in phishing emails. Subscribe to our malware intelligence service and stay ahead of email-borne threats in order to better protect your network, your data, and your users. Sign up for complimentary threat alerts here.

How much would a successful ransomware attack cost your organization? $2.4 million? $3.8 million? How about $7.35 million? These are the average costs incurred to recover from ransomware attacks depending on whether you agree with Accenture’s, Microsoft’s or IBM’s calculations. Scary, isn’t it?

Even scarier is that ransomware may not be your biggest problem. Several security companies have reported “cryptojacking” is growing in popularity among cyber criminals due to it being a cheaper, less-risky-yet-more-profitable form of malware than ransomware. Furthermore, it’s virtually undetectable.


What is Cryptojacking?

Cryptojacking definition: Crypto-jacking is the unauthorized use of someone else’s computer to mine cryptocurrency. Cybercriminals infect computers with a crypto-mining code that works in the background, mining cryptocurrency and delivering it to attackers as unsuspecting victims use their computers normally.

Although individual computers don’t yield much processing power on their own, attackers can build a botnet of infected devices and make them work together – harnessing vast processor resources across a network of infected computers and stealing a small amount of bandwidth from each.

The cost to the organization is the loss of performance, or – if operating in the cloud – the cost of provisioning more resources to cope with greater processing demands. However, the latest strains of crypto-jacking malware have the built-in ability to crash victims’ computers if they attempt to remove it.

How is Cryptojacking Malware Deployed?

It will come as no surprise to learn the most common way computers are infected is via phishing emails. Cybercriminals send the phishing emails to unsuspecting victims, inviting them to click on a link, which either downloads the crypto-mining code directly, or redirects the victim to a compromised website.

The compromised website could be entirely genuine except for an injected script that automatically executes, and will therefore fail to appear on URIBL or SURBL blacklists.  Cryptojacking detection is difficult for anti-virus software because scripts are constantly changing.

Although some security solutions are waking up to the threat of crypto-jacking, there is no perfect cryptojacking blocker. The best way to avoid becoming a victim of this malware strain is to stay ahead of the phishing methods being used to deploy cryptojacking, and the best way to stay ahead is with Cofense’s malware intelligence service.


Cofense’s Malware Intelligence Service

Cofense’s malware intelligence reports are compiled from millions of suspicious emails we receive daily through our Cofense Reporter service and other sources. The Cofense Triage service filters out false positives and spam emails, leaving only genuine threats for our team of analysts.

Once genuine threats are verified and confirmed, we issue detailed malware intelligence reports that not only alert organizations to new or emerging threats, but that also inform them of the URLs of compromised websites so access to the malware can be blocked by web filtering applications.

Organizations can choose how they receive our malware intelligence reports. We distribute them by email and as Machine-Readable Threat Intelligence reports that can be read by Security Information and Event Management applications (SIEMs) and Threat Intelligence Programs (TIPs).

Stay Ahead of Cryptojacking Malware and Other Email-Borne Threats with Cofense

The speed with which our malware intelligence reports are distributed enables organizations to act quickly to stay ahead of email-borne threats – not only threats related to cryptojacking, but all formats of malware and ransomware, and other phishing attempts that could have serious consequences.

Cofense integrates seamlessly with more than twenty common security solutions in order that threats can be blocked faster through automation, while the depth of intelligence provided enables security teams to better understand the nature of the threats and their potential impact.

To find out more about Cofense’s malware intelligence service, do not hesitate to contact us. Our team will be happy to organize a free demo of Cofense in action for you to better understand how your organization can stay ahead of email-borne threats with malware intelligence reports from Cofense.

Ransomware Resources Centers

What is ransomware?
According to TrendMicro, “Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces users to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back.”

  • Ransomware is readily-available and changes faster than detection technologies can respond
  • In most cases, paying ransom is the only way to free hostage data and systems
  • Recent successful ransom situations will only encourage more attempts
  • Cryptocurrencies such as Bitcoin can be used to force untraceable ransom payments
  • Without proper ransomware awareness training, humans are widely susceptible to phishing, the most commonly used ransomware attack vector

How does ransomware affect businesses?
Cofense co-founder Aaron Higbee explains ransomware and its business impact on CNBC:


How susceptible are your users to the top active threats?

With phishing still the #1 entry point for cyber-attacks, your defenses need to focus on the most pressing threats—active phishing campaigns that are probing your organization. This report breaks down the Top 10 threats, with metrics showing how well users respond to each.


All nets have holes—including your ‘secure’ email gateway

Learn how 90% of verified phish were found in environments using secure email gateways (SEGs). That’s just one of the key findings in this expanded report, now covering phishing threats as well as malware developments. Download the 2019 Phishing Threat and Malware Review to learn new tactics threat actors are using to ensure malware delivery and tips for defending against evolving phishing and malware threats.


It’s not easy to keep up with today’s threats. Now, with Cofense Threat Alerts, you’ll have a simple way to stay on top of emerging phishing and malware threats and attacks, all delivered straight to your inbox. FREE.


Phishing Prevention: 8 Email Security Best Practices

To advance phishing prevention, most security professionals concur that anti-phishing best practices for organizations must include regular and effective workforce training to identify phishing emails that evade detection by common technology controls. It is also important to have a mitigation strategy in place for phishing prevention, and to limit the consequences of a phishing email that avoids identification and is acted on.

Phishing emails – particularly socially engineered phishing emails – are often highly sophisticated, and are designed to evade detection during an email filter’s front-end tests by having the right Sender Policy Framework (SPF) records and SMTP controls. They are rarely sent from blacklisted IP addresses, and therefore pass RBL checks before being delivered to the recipient’s inbox.

When a phishing email evades detection by all the technological solutions available and arrives in a target’s inbox, the only thing that will stop the phishing attack from being successful is the vigilance of the intended target. In order to ensure employees remain vigilant, anti-phishing best practices for organizations should include sharing the following information. Phishing prevention requires constant vigilance; these characteristics commonly found in phishing emails will help your teams stay safe.

1. Emails Insisting on Urgent Action
Emails insisting on urgent action do so to fluster or distract the target. Usually this type of email threatens a negative consequence if the action is not taken, and targets are so keen to avoid the negative consequences that they fail to study the email for inconsistencies or indications it may be bogus.

2. Emails Containing Spelling Mistakes
Most companies now use spell-checking features in email clients or web browsers to ensure their corporate communications maintain a professional appearance. Emails purporting to come from a professional source that contain spelling mistakes or grammatical errors should be treated with suspicion.

3. Emails with an Unfamiliar Greeting
Emails sent by friends and work colleagues usually start with an informal salutation. Those addressed to “Dear XXXXX” when that greeting is not normally used, and those containing language not often used by friends and work colleagues, likely originate from an attacker and should not be actioned or replied to. Instead they should be reported to the organization’s IT security team as an important phishing prevention precaution.

4. Inconsistencies in Email Addresses
Another email security best practice to introduce is the random checking of senders’ email addresses – especially when an email address belonging to a regular contact is unfamiliar. By checking the sender email address against previous emails received from the same person, it is possible to detect inconsistencies.

5. Inconsistencies in Links and Domain Names
Links to malicious websites can easily be disguised as genuine links. Therefore, it is also advisable to encourage employees to hover a mouse pointer over a link in an email to see what “pops up” as an address. If an email claims to be from (say) a business contact, but the pop up indicates an unfamiliar website, the email is likely a phishing email.

6. Be Wary of Suspicious Attachments
File sharing in the workplace now mostly takes place via collaboration tools such as Dropbox, OneDrive or SharePoint. Therefore emails from colleagues with file attachments should be treated suspiciously – particularly if the attached file has an unfamiliar extension or one commonly used to deliver malware payloads (.zip, .exe, .scr, etc.).

7. Emails That Seem Too Good to Be True
Emails that seem too good to be true incentivize targets to click a link or open an attachment with the promise that they will benefit by doing so. Even when phishers use social engineering to appeal to the target’s curiosity or greed, the intended targets have not usually initiated contact. These emails should be flagged as suspicious at once.

8. Emails Requesting Login Credentials, Payment Information or Other Sensitive Information
Emails requesting login credentials, payment information or other sensitive information should always be treated with caution. By adopting the anti-phishing best practices detailed above, recipients of these emails should be able to determine whether or not they represent a threat, and deal with them accordingly.
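
The checks in items 4, 5 and 6 can also be run automatically on a reported message before an analyst opens it. The following is an added example, not Cofense code: it flags a sender address that differs from the one previously seen for that contact, link text that displays one domain while the link points to another, and attachments with the extensions named in item 6. The `known_senders` map, the function names and the `.test` domains are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
DOMAIN = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)")

class LinkCollector(HTMLParser):  # gathers [href, visible text] pairs
    def __init__(self):
        super().__init__()
        self.links, self.current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.current = [dict(attrs)["href"], ""]
            self.links.append(self.current)
    def handle_data(self, data):
        if self.current:
            self.current[1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self.current = None

def indicators(raw, known_senders):
    """Findings for items 4 (sender), 5 (links) and 6 (attachments)."""
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    expected = known_senders.get(name.lower())  # address seen in earlier mail
    if expected and addr.lower() != expected:
        findings.append(("sender", f"{addr} (expected {expected})"))
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if fname.endswith((".zip", ".exe", ".scr")):  # extensions from item 6
            findings.append(("attachment", fname))
        if part.get_content_type() != "text/html":
            continue
        parser = LinkCollector()
        parser.feed(part.get_payload(decode=True).decode(errors="replace"))
        for href, text in parser.links:
            shown, real = DOMAIN.match(text.strip().lower()), urlparse(href).hostname
            if shown and real and shown.group(1) != real:
                findings.append(("link", f"shows {shown.group(1)}, goes to {real}"))
    return findings

def sample():  # constructed message: look-alike sender, disguised link, .scr
    m = EmailMessage()
    m["From"] = "Pat Lee <pat.lee@examp1e-corp.test>"
    m.set_content('<a href="https://login.portal.test/x">www.example-corp.test</a>', subtype="html")
    m.add_attachment(b"x", maintype="application", subtype="octet-stream", filename="invoice.pdf.scr")
    return m.as_string()
```

Calling `indicators(sample(), {"pat lee": "pat.lee@example-corp.test"})` returns one finding of each kind. Link text that is not a domain, such as “Click here”, is not compared, so those links still need the manual hover check from item 5.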