Avoiding the phishing hole

Phishing, the term for fake emails designed to corrupt files or steal valuable information, is on the rise, more than doubling since 2010. Phishing costs organizations about $4.5 billion each year. Yes, that’s billion with a B. Let’s make sure your company doesn’t contribute to that figure by considering first how to keep such emails from reaching your staff, and then how to identify the tactics phishers use.

Blocking illegitimate emails is the best line of defense. By using the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard, businesses can have the authenticity of a message verified before it is delivered to the recipient. Additionally, it’s a good idea to work with a provider like BlueCore that can offer email threat data for attacks that are outside the scope of DMARC.

Even with the best tools to block phishing messages, some are going to get through. And often those messages are incredibly hard to spot, as they do a good job of duplicating brand logos and text as well as masking their true address to look identical or very similar to the one from the company they are copying.

Recent studies show that 97 percent of the population cannot tell a sophisticated phishing email from a legitimate one, so here are your BlueCore team’s top 10 tips for identifying such a message.


Don’t trust the display name.
Cybercriminals love to spoof, or copy, the display name of an email. Some studies say that as many as half of all email threats spoofed a brand in their display name.

Check out the links but don’t click.
Use your mouse to hover over any links in the email. If the address looks weird, don’t click on it. To test the link, open a new window and type in the website address directly.

Whip out the spell check.
Major brands will not make major spelling mistakes or use poor grammar in their email text.

Notice the salutation.
Is the email addressed to a vague “Valued Customer”? If so, watch out: legitimate businesses will often use a personal salutation with your first and last name.

Keep your personal information personal.
Legitimate companies will never ask for personal credentials via email. A mental red flag should go up if you receive an email that does.

Watch out for urgent or threatening language in the subject line.
Beware of claims of account suspension or that there was an unauthorized attempt to log in to your account. Urgent and threatening language is a common phishing tactic.

Review the signature.
A legitimate business will always provide contact details.

Don’t click on attachments.
Never open an email attachment that you were not expecting. A phishing message will often have attachments that contain viruses and malware. These types of files can damage files on your computer, steal passwords or log your keystrokes without your knowledge.

Don’t trust the From address in the email header.
Email con artists are able to spoof brands in the From address shown in the header of an email.

Don’t believe everything you see.
Even if you see brand logos, a normal-looking email address and a nice look and feel, it doesn’t mean a message is legitimate.
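
The display-name and link tips above can also be checked automatically at the mail gateway or in a triage script. The following is an added example, not code from BlueCore or from the original article; the brand table, the domains and the sample message are constructed for illustration, and the message is assumed to have a single-part HTML body.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brands you care about and the domains they really send from.
KNOWN_BRANDS = {"examplebank": {"examplebank.example"}}

class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)  # domain or subdomain

def phishing_flags(raw_email):
    msg, flags = message_from_string(raw_email), []
    # Display-name tip: the name claims a brand, the address says otherwise.
    display, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    squeezed = re.sub(r"[^a-z0-9]", "", display.lower())
    for brand, domains in KNOWN_BRANDS.items():
        if brand in squeezed and not any(belongs_to(sender, d) for d in domains):
            flags.append(f"display name claims {brand} but sender is {sender}")
    # Link tip: visible text names one domain, the href points at another.
    collector = LinkCollector()
    collector.feed(msg.get_payload())  # assumes a single-part HTML body
    for href, text in collector.links:
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        target = urlsplit(href).hostname or ""
        if shown and not belongs_to(target, re.sub(r"^www\.", "", shown.group())):
            flags.append(f"link shows {shown.group()} but goes to {target}")
    return flags

SAMPLE = ('From: "ExampleBank Support" <alerts@secure-login.test>\n'  # constructed
          "Content-Type: text/html\n\n"
          '<a href="https://secure-login.test/verify">www.examplebank.example</a>')
```

Calling `phishing_flags(SAMPLE)` returns one flag for the spoofed display name and one for the mismatched link; a message whose sender and link targets sit under the brand's own domain returns an empty list.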