Cybercriminals are becoming more sophisticated than ever, creating complex malware that can attack your computer and steal your sensitive information. However, some of the most devastating attacks don’t require any computer viruses or advanced hacking. They simply need people to fall for a fake email — and this is a growing risk for small businesses. Here’s everything you need to know about spear-phishing and how to detect it.

What Is Phishing?

Phishing is any malicious cyber activity in which the criminal sends a message that pretends to be a legitimate sender. The message (usually an email) asks the recipient to click on a link or provide sensitive information (such as a password). The criminal can then gain access to a company’s employee portal, payroll system, or internal databases — often through normal methods!

That means that phishing can happen even if your company uses firewalls, password-protected servers, and other security measures. It works because phishing attacks rely on “social engineering,” which is the practice of manipulating victims to believe that (a) the emails are legitimate and (b) they have to take action, or they could be at risk of termination, not being paid, or just seeming unprofessional.

Thankfully, it’s fairly easy to detect phishing emails if you know what to look for. Read on to learn the four email subjects that may indicate an attack.

1. “Are you at your desk?”

It’s common for people in office environments to send quick, informal emails to each other. Scammers know this and will make phishing emails that appear casual. People tend to drop their guard when they receive these sorts of messages because they seem so innocuous.

Similar subject lines include:

– “Are you available?”
– “Can you look at this?”
– “Got a moment?”

Emails with these subject lines are more likely to be opened because the recipient thinks they won’t take much of their time. They also suggest that the recipient and the sender have a trusted relationship.

To resolve this issue, discourage the use of emails for these quick check-ins. Set up an internal instant-messaging platform such as Teams or Slack, so that your team uses that instead. And of course, discourage your staff from clicking on links in emails unless they are 100% certain they’re legitimate.

2. “RE: our discussion”

Since email’s early days, “RE:” has been used to indicate a reply in a thread. Phishers will often add a “RE:” to make their email seem like a legitimate message. Then, they’ll add a vague phrase that could apply to any office relationship, tricking the recipient into taking the email seriously.

Similar subject lines include:

– “followup on our chat this morning”
– “here’s the document you asked for”
– “RE: your request”

These subject lines tap into the recipient’s sense of familiarity, making them more likely to open the email. Often, phishers will keep the message content very simple, enticing recipients to click on links they believe lead to a document or download.

To resolve this issue, ask your team to share documents through internal, password-protected portals such as Dropbox or your preferred project management system. Train your staff to verify that their colleague is sending a document or link with a quick phone call or IM before they click on any links.

3. “IMPORTANT: your direct deposit”

There’s nothing quite like finance-related subject lines to get people’s attention. Many companies do send out HR and payroll alerts through emails, so recipients may not be able to tell the difference between a legitimate message and a phishing attack.

Subject lines vary widely but often include the following keywords:

– “Payroll”
– “Finance”
– “Invoice”
– “Payment”

Recipients will often open these emails because they fear the repercussions of leaving them unread: Will they not get their paycheck? Will they get in trouble for not paying an invoice? Money is an important issue to most people, and social engineering attacks rely on this.

To prevent your team from falling for these attacks, make it clear that your HR/payroll department will never request sensitive information via email. Train staff to log directly into their employee portal to check their financial information rather than clicking on an email link to access it.

4. “Request for information”

Phishers will often send emails under the ruse of requesting documents, access to a project management system, or other legitimate business purposes. These types of attacks also affect companies that do business with other companies/freelancers, as well as companies that are large enough to have multiple separate departments.

Similar subject lines include:

– “Quick question”
– “Need access please”
– “Can you send me X?”

Here, the phishers rely on people’s expectation that colleagues outside their office may need to collaborate with them. No one wants to hold up the project, so they’ll feel a sense of urgency

The best thing you can do to prevent these sorts of attacks is to ensure that it’s difficult for those outside your organization to pose as employees. Setting up DMARC authentication and other anti-spoofing methods is a great first step. Then, train your staff to only send documents through approved file-sharing platforms and verify all access requests through a separate message (e.g. phone call, IM).

Conclusion

As you see from the examples above, spear-phishing subject lines are often vague yet have a sense of urgency. They’re designed to be basic enough to entice clicks while posing as a legitimate sender. Especially if your staff has publicly available email addresses and your company domain is easily spoofed, it’s quite simple for cybercriminals to conduct phishing attacks. Thankfully, a combination of staff training, domain authentication, and mail shields can keep most phishing attacks from being successful.

Want to keep your company and team safe from spear phishing? Contact BCC for a free security audit and learn how we can help you ward off cybercriminals!