To be successful, a phishing email has to be clicked on by the user. But why can’t such a simple precaution be practiced?
The answer is simple: people click on malicious links and fall for phishing email scams because they are not paying attention.
With increasingly sophisticated forgery methods, criminals create emails that are aesthetically identical to the sending company, but there is a difference (sometimes not so subtle), which could be the warning the user needs: the content of the piece.
In other words, offers with unusual benefits, calls to action that give high priority to the urgency trigger, among a host of other details, are used with the aim of “enchanting” the phishing email recipient.
In other words, this enchantment creates the distraction (and urgency) needed to get them to click on the link or button that will carry out the scam.
And there’s no way around it: clicked, gone!
Table of contents
How phishing email harms email marketing
As well as causing damage to email users, phishing detonates any company’s email marketing. This is yet another reason why anti-spam filter protection measures are so stringent.
Many people think that buying mailing lists is quicker (and more practical) than building a base of real leads.
This is the typical cheap thing to do, because bought lists, as well as being illegal, contain a lot of spam, which in turn is a great source of phishing.
Building a solid email base requires time, dedication and email verification. It is this service that will determine lead building.
How about learning how to build an email list the right way? Watch our webinar and enjoy the tips!
All email users should learn how to prevent these crimes. So read the following tips carefully!
The most common phishing email scams
Income tax refund
Income tax refund season is a favorite time for criminals. This is because the techniques involve the “enchantment” we mentioned above.
On receiving an email claiming to have received an unexpected sum, the tendency is for the user to become, at the very least, curious about the revelation.
This distraction leads them to click on the fake link on the Receita Federal website. This type of fraud causes extremely serious damage, as victims can lose their CPFs and their bank account details.
Phishing email and corporate requests
Hackers use creativity as an ally. One example is corporate email scams, containing messages from higher-ups requesting transfers of money to clients or specific departments. These transfers are made to the criminals.
Confirmation of bank account details
You receive an email from your bank saying that there is suspicious activity on your account. And that, for security reasons, the institution is asking you to enter confirmation data. Never respond to such a request.
Beware of two-factor authentication
Two-factor authentication was created to protect people from cybercrime, but hackers can get around this by sending a phishing email asking the user to enter their details on another device, such as a cell phone SMS.
Avoid this by knowing whether the email is authentic or not. See more below.
How to recognize a fake email
There is no such thing as a perfect phishing email. There will always be a trace of forgery, and that’s when your ability to recognize it must come into play.
Look at the URL and identify a phishing email
When you hover your mouse (without clicking) over the URL, you see the page. Check for spelling mistakes. For example: Netflik instead of Netflix.
Look up the company that supposedly sent the email and check the URL on Google. A phishing email often creates URLs that are very similar to the original, and this is especially true of government websites, which have the .org extension.
For example: capital_sp.gov.br is different from capital.sp.gov.br. The second option is the real one. Note that the underline is what differentiates one URL from another. Stay tuned!
Gmail users
When you open the message, find the 3 dots on the right-hand side. Click on “show original”.
Here you will find the email header, which is extremely important for checking whether an email is genuine.
Look at the “From:” field and see if the origin of the email corresponds to who the sender claims to be.
The date of sending is also important, so you can identify an old phishing email (which is usually among bulk emails).
Check for SPF, DKIM and DMARC certifications. These certifications exist to prove that the domain is the real sender of the message, and not someone trying to impersonate it.
The absence of these certifications reveals phishing emails and also assures the email provider (in this case, Gmail), that the message is authentic, i.e. not spam.
Here’s what each certification means:
- SPF – Sender Policy Framework: this is the list of all the servers that belong to the domain.
- DKIM – DomainKeys Identified Mail: this is the domain’s signature on every email it sends.
- DMARC – Domain-based Message Authentication Reporting and Conformance: If SPF or DKIM don’t meet the domain’s settings, DMARC will tell you whether the message should be quarantined or returned to the sending domain.
Important: a domain can configure only SPF authentication, or only DKIM, or both together. The important thing is that there is some kind of certification in the email header.
FAQ
Phishing emails contain a series of techniques to charm and distract the user with captivating content and miraculous offers. In this way, people are attracted and end up clicking on malicious links and buttons, which make the scams take place.
Phishing emails damage the reputation of serious companies that use email marketing as a communication channel. A phishing spam violates the GDPR and can also lead to the entire list being blocked by providers’ spam filters. With communication interrupted, companies’ investments collapse.
Fake tax refund emails, corporate emails requesting money transfers, requests to update bank details and two-factor authentication. Although this is a security measure, users need to be able to recognize the authenticity of an email by looking at the URL and message headers.