It’s midweek, or a Friday, and you’re interrupted in a meeting or some other task at work by an urgent email labelled as important. It demands your immediate attention…or else, your job, customers, company reputation, or even your workspace account, is on the line.
Frantically, you open the email and are threatened into believing that you need to take action now. You’ve seen so many other urgent emails from colleagues with last-minute deadlines, even from your boss, so this seems like nothing out of the ordinary. You click on it and open the link or attachment, only to realize that you’ve just exposed the data on your work laptop to cyber criminals who have no rights to access the private information. Or perhaps your laptop is compromised and some of the software stops working.
This is what a cyber attack looks like. Cybersecurity attacks come in a wide variety of forms. They range from ransomware (software that can be downloaded unknowingly and then locks you out until you pay a ransom), to Trojan horses (where a malicious computer program is hidden behind a seemingly safe and legitimate one), to phishing emails (where emails are deceptively worded to trick you into revealing sensitive information).
Research conducted by Comparitech, in which 100 countries with the highest GDP were researched (but only 16 reported monetary values), shows that an estimated 88.5 million fall victim to cybercrimes globally. The same research noted that although an estimated $714 billion is lost to cybercrime each year, experts anticipate figures reaching an eye-watering $10.5 trillion by 2025. For businesses in particular, looking back at 2022, data breaches cost businesses $4.35 million on average.
This explains why cybersecurity is one of the most in-demand skills. Half of the top tech skills listed as skill trends in Coursera’s Job Skills Of 2024 report are cybersecurity skills, ranking in the top 10, with almost 3.4 million jobs in this field available worldwide.
However, while cybersecurity is ultimately everyone’s responsibility at work, it is of particular relevance to current and aspiring business leaders. Although it may be tempting to quickly skip through the yearly cybersecurity refresher training because other management responsibilities are more pressing, it’s essential to pay critical attention to the details of the training provided, whether you are in the IT department or not.
At the World Economic Forum’s convention in Davos held from January 15 to January 19, 2024, Bloomberg reported JP Morgan executive Mary Callahan Erdoes to have said: “The fraudsters get smarter, savvier, quicker, more devious, more mischievous.”
Maintaining the basic rules of keeping your company data secure and regularly reiterating them to your team ensures that not only is your team safe from being exposed to unauthorized access, but that projects are better protected from risk. Without being aware of these common traps, you risk exposing jobs, company reputation, and even your own reputation as a leader to these threats, not to mention the irretrievable damage of the millions of dollars thrown away.
As noted above, one of the easiest ways cyber criminals gain unauthorized access to company data is by sending phishing emails. If you’re in a hurry or innocently unsuspecting, you might click on it not realizing what is happening, and by the time you do, it might be too late.
So how can you spot fake or phishing emails at work? Here are five easy steps:
1. Check The Email Address
The email address can be a big giveaway that the message is not from who it appears to be, so you should always take time to analyze the address before concluding the sender is genuine. Often, a phishing email appears to come from a reputable organization or from someone you work closely with and might be expecting an email from—which is why you should exercise double vigilance. While the email address may appear identical to the genuine one at first glance, it’s important to look twice and see if there are any inconsistencies, slight variations, or misspellings.
2. Look Out For Tell-Tale Signs
Some of the most common red flags in phishing emails can include:
- Grammatical mistakes
- A sense of urgency in the message, pressuring you to act fast, click now, pay now, etc.
- Requests for sensitive information, for example, a request from IT soliciting your laptop or system password
- Unexpected attachments or links
- Generic greeting such as “Hello,” without mentioning your name
3. Hover Over Links
Next, even if you feel the email is genuine, always hover over a link to ensure the destination URL matches the legitimate website. A fake website designed to capture sensitive company or personal information can masquerade as the real one, so it is easy to be convinced that it is genuine, making you and your organization all the more susceptible to an attack.
4. Stop And Verify
If you feel uncomfortable with the content of the email and have even the slightest reason to believe it is a scam, verify the purported sender using another communication tool such as phone, or a Teams or Slack message. This is especially essential if the email contains a request for sensitive information.
5. Take Security Precautions
Last but not least, work in collaboration with your company’s IT department, reporting any concerns to them immediately, and encourage your staff to do the same. Some employers have IT policies that restrict employees from downloading software to their work devices, to prevent them from accidentally downloading malware.
However, if your company does not have this policy, it is your responsibility to be vigilant about what you download and which website you download it from, and to make use of the security features of your email provider or laptop to keep your organization secure.
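The checks in steps 1 and 3 can also be run automatically by a mail filter or triage script. The following is an added example, not part of the original article: it flags a sender domain that nearly matches a trusted one, and links whose visible text names a different host than the one they actually open. The `TRUSTED` list, the `corp.example` domain and the sample message are constructed assumptions.

```python
from difflib import get_close_matches
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"corp.example"}  # assumption: domains your organization really uses
# Constructed sample message, not a real email.
RAW = """From: IT Helpdesk <helpdesk@c0rp.example>
Subject: URGENT: your password expires today
Content-Type: text/html; charset="utf-8"

<p>Act now: <a href="http://login.corp.example.verify-account.test/reset">https://login.corp.example/reset</a></p>
<p><a href="https://intranet.corp.example/help">Help page</a></p>
"""

def check_sender(from_header):  # step 1: near-miss of a trusted sender domain
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if any(domain == d or domain.endswith("." + d) for d in TRUSTED):
        return []
    return [f"sender domain {domain} resembles {d}"
            for d in get_close_matches(domain, sorted(TRUSTED), n=1, cutoff=0.85)]

class LinkCollector(HTMLParser):  # records [href, visible text] for each <a>
    def __init__(self):
        super().__init__()
        self.links, self.open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.open = True
    def handle_endtag(self, tag):
        self.open = self.open and tag != "a"
    def handle_data(self, data):
        if self.open:
            self.links[-1][1] += data

def check_links(html):  # step 3: displayed host versus real destination host
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = (urlparse(href).hostname or "").lower()
        shown = (urlparse(text.strip()).hostname or "").lower() if "://" in text else ""
        if shown and shown != real:
            findings.append(f"link shows {shown} but opens {real}")
    return findings

def analyze(raw):
    msg = message_from_string(raw)
    return check_sender(msg.get("From", "")) + check_links(msg.get_payload())
```

Calling `analyze(RAW)` returns one finding for the lookalike sender and one for the mismatched link; the "Help page" link is not flagged because its text does not display a URL.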
Following these steps will make it easier for you to identify phishing emails at work and reduce the risk of you or your team falling victim to cyber attacks. And don’t forget, technology is constantly evolving—and so are cyber criminal tactics—so be proactive by keeping informed on potential threats and engaging fully in cybersecurity awareness training.