In my opinion, phishing is by far the most complicated thing to detect. I mean detecting it with automation, like the anti-phishing filters that Microsoft Office 365, Google, et al. provide. That is also why I always recommend putting user training and awareness in place alongside all the technology you can have on your side.
For sure, those filters detect almost everything, but bad actors only need one single email to get past all the security measures we have in place. So that is the main reason you want to make sure people can detect phishing emails themselves. Here is the checklist.
Oh, I almost forgot, here is the definition for phishing, taken from Wikipedia: Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website that matches the look and feel of the legitimate site.
This is the first thing a user needs to look at whenever they receive an email. Most phishing attempts will fail at this point. The main reason is that, to bypass basic anti-phishing filtering, attackers need to send from real, deliverable email addresses, and if they do, people will likely not click. A user clicks when they think the email is coming from someone they know. So bad actors wanting to trick the user will use sender names the user knows, such as the director of the company, their direct boss, et cetera. But something will not be right: the email address. I know some people do not pay attention to it, and it is essential. So train your users to look at the email address and check the domain name (the text that comes after the @). If the domain is similar to one they know but not the same, the email is most probably a phishing attempt.
There are several clues a user can get from the message itself.
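To make the sender check concrete, here is an added example (my own code, not from the original post) that pulls the address out of the From header, isolates the domain after the @, and compares it with the organisation's known domains. The known domain, the sample messages and the senders in them are all constructed for the example, and the edit-distance threshold of 2 is my own heuristic for "similar but not the same"; it also catches the case where the display name shows a known address while the real address belongs to another domain.

```python
import email
from email.utils import parseaddr

# Constructed for this example: the domains the organisation legitimately uses.
KNOWN_DOMAINS = {"example.com"}

# Constructed sample messages; none of these are real emails.
LEGIT_MSG = """From: "Jane Director" <jane.director@example.com>
To: alice@example.com
Subject: Q3 planning

Please see the attached agenda.
"""

LOOKALIKE_MSG = """From: "Jane Director" <jane.director@examp1e.com>
To: alice@example.com
Subject: Urgent wire transfer

Please handle this today.
"""

DISPLAY_NAME_MSG = """From: "jane.director@example.com" <news@unrelated-host.net>
To: alice@example.com
Subject: Quick favour

Are you at your desk?
"""

EXTERNAL_MSG = """From: "Vendor News" <newsletter@vendor-news.org>
To: alice@example.com
Subject: Monthly update

Our catalogue has been refreshed.
"""


def sender_parts(raw_message: str):
    """Return (display_name, address, domain) taken from the From header."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    return name, addr.lower(), addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(raw_message: str, known=KNOWN_DOMAINS, max_distance: int = 2) -> str:
    """
    'known'     - the address domain is exactly one of ours
    'lookalike' - the domain is a near miss of ours (heuristic: edit distance <= 2),
                  embeds our brand label, or the display name shows one of our
                  addresses while the real address does not
    'external'  - an ordinary third-party sender
    """
    name, addr, domain = sender_parts(raw_message)
    if domain in known:
        return "known"
    for k in known:
        brand = k.split(".")[0]
        if edit_distance(domain, k) <= max_distance:
            return "lookalike"
        if brand in domain:  # e.g. example.com-login.net
            return "lookalike"
        if k in name.lower():  # display name pretends to be one of our addresses
            return "lookalike"
    return "external"


if __name__ == "__main__":
    for label, sample in [("legit", LEGIT_MSG), ("lookalike", LOOKALIKE_MSG),
                          ("display-name", DISPLAY_NAME_MSG), ("external", EXTERNAL_MSG)]:
        print(f"{label:13} -> {classify_sender(sample)}")
```

The "lookalike" verdict is the one to surface to users (and to a detection rule): a domain one character away from yours, or your brand name inside a foreign domain, is exactly the "similar but not the same" case the checklist describes.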
Grammar and language
A well-written email coming from the HR department will most likely be legit. But one that is badly written, with lots of grammar errors, different font sizes, and/or mixed languages, will be a phishing email.
Urgency and consequences
A message that says it is very urgent to click on the link below, and that failure to do so will have enormous consequences, is probably a phishing email. Things like: you have two emails that have been quarantined; click here to review them before they are deleted in two days. It is true you can get such emails from time to time, and that is why we need to check the link.
Links are the last thing to check in suspicious emails. This is sometimes difficult because bad actors try to obfuscate the real link. To do that, they use URL shortener services like bit.ly, rebrand.ly, and I could go on, so a shortened link can itself be the hint that triggers an alarm in the user's brain. If you use the Office 365 ATP Safe Links feature, you need to train your users to identify the real URL the link will take them to, since this great feature from Microsoft wraps the link in another URL, which makes the actual destination harder to recognise.
I must admit that bad actors are getting better at this item, but some are still lazy and use Blind Carbon Copy (BCC) to send the same email to many people, which prevents those people from knowing who else received it. Again, you cannot and should not rely on this alone, but it can help.
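The link check and the BCC check above can both be done mechanically on a raw message. The following added example (my own code, not from the original post) extracts every URL from the body, unwraps Safe Links rewrites by reading the `url=` query parameter, flags known shortener hosts, and reports whether the recipient's own address is visible in To/Cc. The messages, URLs, hosts and shortener list are constructed for the example; the `.safelinks.protection.outlook.com` host suffix and the `url=` parameter reflect the Safe Links wrapper format as I know it and should be treated as an assumption to verify against your tenant.

```python
import email
import re
from email.utils import getaddresses
from urllib.parse import parse_qs, urlparse

# Constructed: a few shortener hosts; a real deployment would keep a longer list.
SHORTENER_HOSTS = {"bit.ly", "rebrand.ly", "tinyurl.com", "t.co"}
# Assumption: host suffix used by Safe Links rewritten URLs.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
MY_ADDRESS = "alice@example.com"  # constructed: the recipient running the check

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages (not real emails, URLs or hosts).
SUSPICIOUS_MSG = """From: "IT Helpdesk" <helpdesk@examp1e.com>
To: undisclosed-recipients:;
Subject: 2 quarantined emails will be deleted in 2 days

Review them here before they are deleted:
https://bit.ly/3xAbCdE
Or through the portal:
https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample-mailportal.net%2Freview&data=abc
"""

NORMAL_MSG = """From: "HR Team" <hr@example.com>
To: alice@example.com
Subject: Benefits enrolment

Details: https://hr.example.com/benefits
"""


def message_text(msg) -> str:
    """Collect the text/plain body, whether or not the message is multipart."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            parts.append(part.get_payload(decode=True).decode(charset, "replace"))
    return "\n".join(parts)


def unwrap_safelinks(url: str) -> str:
    """Return the original destination from a Safe Links wrapper, else the url itself."""
    parsed = urlparse(url)
    if (parsed.hostname or "").lower().endswith(SAFELINKS_SUFFIX):
        return parse_qs(parsed.query).get("url", [url])[0]
    return url


def link_findings(raw_message: str):
    """For each URL in the body return (url as seen, real destination, flag)."""
    body = message_text(email.message_from_string(raw_message))
    findings = []
    for seen in URL_RE.findall(body):
        dest = unwrap_safelinks(seen)
        host = (urlparse(dest).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            flag = "shortener"          # destination is hidden behind a shortener
        elif dest != seen:
            flag = "safelinks-wrapped"  # show the user the unwrapped destination
        else:
            flag = "plain"
        findings.append((seen, dest, flag))
    return findings


def recipient_hidden(raw_message: str, my_address: str = MY_ADDRESS) -> bool:
    """True when my address is not visible in To/Cc (sent via BCC or a group)."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(headers) if addr}
    return my_address.lower() not in visible


if __name__ == "__main__":
    for seen, dest, flag in link_findings(SUSPICIOUS_MSG):
        print(f"{flag:18} {dest}")
    print("recipient hidden:", recipient_hidden(SUSPICIOUS_MSG))
```

Note that a shortener wrapped inside a Safe Links URL is still reported as a shortener, because the flag is decided on the unwrapped destination; that is the URL a user should be taught to judge.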
We have just reviewed an essential checklist that will help us ascertain whether or not an email we receive could be a phishing attempt. It is not the definitive toolset to prevent all phishing, but it helps. It should be part of a full user awareness program that, together with the technical tools, will increase your security level.