Technology Advisor Blog



How to Spot a Phishing Email: A Quick Guide for Small Business Teams

Posted by Sarah Carroll on 6/12/25 2:39 PM

Stay Vigilant When Sent Phishing Emails

Have you ever been hooked by a phishing attempt? Did you know that phishing is involved in 70% of breaches? Whether it’s an email, phone call, or text message, these are some of the common channels bad actors use to obtain your personal and financial information for malicious gain. Phishing emails entered our lives decades ago and have grown increasingly creative and sophisticated, with native language use and perfect grammar.

 

Phishing This, Phishing That, What IS a Phishing Scam?


Phishing involves sending fraudulent messages that appear to come from a credible, reliable company in order to get victims to click a malicious link or open a suspicious attachment.
As Varonis reports, “According to Verizon, the average time it took for the first victim of a large-scale phishing campaign to click on a malicious email was 16 minutes; however, it took twice as long — 33 minutes — for a user to report the phishing campaign to IT. Given that 49 percent of malware is installed via email, these 17 minutes could spell disaster for your company.” (Source: https://www.varonis.com/blog/spot-phishing-scam).
Figures such as these are a stark reminder of just how essential ongoing cybersecurity training is for you and your team to stay aware and successful. Understandably, for a lot of small businesses, not knowing where to begin with cybersecurity awareness can be overwhelming.

Thankfully, our Ekaru team can quickly step in and get you started with cybersecurity training to take the stress off your shoulders.


The Bait That Hooks the Target


Compelling messages are the first bait potential victims see. They often come in the form of:

  • Emails (most common)
  • Text messages (smishing)
  • Phone calls (vishing)
  • Social media messages or DMs

Some of the common baiting tactics you may have heard about or come across yourself are:

  • Urgency or fear: “Your account will be suspended in 24 hours!”
  • A Suspicious Sender: Someone sending suspicious requests, often wrapped in a sense of urgency and confidentiality.
  • Tempting offers: “You’ve won a $500 gift card!”
  • Authority mimicry: “This is your bank/security team. Immediate action required.”
  • Generic Greeting: “Dear User,” “Dear Customer,” “Hello Dear,” etc., never addressing you personally.



Notice a common denominator? Each message is crafted with a precise sense of urgency that is meant to throw you off balance emotionally or mentally and push you into acting blindly. They can include a compelling CTA (Call-To-Action), urging users to click a link, download an attachment, or reply to the email with the sensitive data they are demanding.
The idea of a stranger reaching out and demanding personal and financial information from you can be very unsettling. You don’t trust them and are likely hesitant to do what they ask. Bad actors understand that you won’t want to converse with them, so they have begun to pose as authority figures such as banks and financial institutions, government agencies, delivery services, law enforcement, and sometimes even company HR/IT to lower your guard.


The Tell-Tale Signs of a Phishing Scam/Attempt You and Your Small Business Need to Know


The following characteristics can help identify a typical phishing attempt across email and text.

Terms To Keep In Mind:

  • Subject Line: The first thing you may notice is a manufactured sense of urgency and intense language claiming that something important has potentially been compromised under your name or your business's name.
  • “From” Field: To hook you further, the bad actor will pretend to be from a legitimate company, institution, or police or law enforcement office. While the email address may appear to belong to one institution, the actual source may be completely different. Bad actors may mimic customer support for an order you recently placed. Another example is a phishing attempt disguised as your bank, informing you that your account may be compromised and that you must act immediately to save your information.
  • “To” Field: You'll see generic terms such as “User” or “Customer.” A legitimate customer service team reaching out will usually address you by your first name and send to your correct email address, rather than use a generic salutation.
  • Body Copy: Designed to encourage the reader to act without thinking. There may also be grammatical errors, which can go unnoticed depending on the scenario. Look for inconsistencies in sentence and grammatical structure.
  • Malicious Links and Attachments: These can come as a hyperlinked URL or as PDFs, Word docs, or ZIP files with embedded malware (e.g., keyloggers, backdoors). Never trust any attachments from somebody you do not know!
  • Scare Tactics: The bad actor uses intense language in a conniving, concise and reactive style. They want to convince you to bend to their will. The goal is to get you to act NOW and act irrationally while subtly isolating you.
  • Call To Action: Once the target is convinced, the scam needs action. This action can be clicking a link, entering data, downloading a file, or calling a fake number to provide the sensitive information demanded.
  • Email Signoff: Here they do not usually address you by name and are rather impersonal when signing off. This is another indicator that it could be a phishing attempt.
  • Footer: Incorrect information that is not consistent with the header or where they claim they are reaching out from.

Source: https://www.varonis.com/blog/spot-phishing-scam
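As an added illustration (not part of the original post or any Ekaru tooling), the Python sketch below turns four of the signs listed above into automated checks on a raw message: urgent subject wording, a "From" display name that does not match the sending domain, a generic greeting, and link text that differs from the real destination. The sample message, the `BRANDS` allow-list and the keyword patterns are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message; all domains are reserved example names.
SAMPLE = """\
From: "Your Bank Security Team" <alerts@mail.example.net>
Subject: URGENT: Your account will be suspended in 24 hours!
Content-Type: text/html

<p>Dear Customer,</p>
<p><a href="http://login.example.net/verify">https://www.yourbank.example.com</a></p>
"""
# Hypothetical allow-list: brand keyword -> domains that brand really sends from.
BRANDS = {"your bank": ["yourbank.example.com"]}
URGENCY = re.compile(r"urgent|immediate action|suspended|act now|in \d+ hours", re.I)
GENERIC = re.compile(r"\b(dear (user|customer)|hello dear)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host(url):
    m = re.match(r"\s*(?:https?://)?([^/\s:]+)", url, re.I)
    return m.group(1).lower() if m else ""

def under(domain, parent):
    return domain == parent or domain.endswith("." + parent)

def red_flags(raw, brands=BRANDS):
    msg, flags = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # "From" field: display name claims a brand, address domain is not that brand's.
    for brand, legit in brands.items():
        if brand in name.lower() and not any(under(domain, d) for d in legit):
            flags.append("display-name-mismatch")
    # Subject line: urgency or fear wording.
    if URGENCY.search(msg.get("Subject", "")):
        flags.append("urgent-subject")
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if not p.is_multipart())
    # Greeting: generic salutation instead of the recipient's name.
    if GENERIC.search(body):
        flags.append("generic-greeting")
    # Links: visible text looks like a URL but the href goes to another host.
    for href, text in LINK.findall(body):
        if re.match(r"\s*(https?://|www\.)", text, re.I) and host(text) != host(href):
            flags.append("link-text-mismatch")
    return flags

print(red_flags(SAMPLE))
```

Checks like these flag messages for a closer look; they complement email filtering and trained readers rather than replace them.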

 

 

How to Defend Against Phishing Scams

Awareness is key, but layered defenses are essential. Here’s how to protect yourself and your organization:

Behavioral Tips

  • Check sender addresses carefully.
  • Don’t trust unexpected links or attachments.
  • Be skeptical of high-pressure or emotional messaging.
  • Never provide personal data over email or SMS.
  • Actively search the message’s layout for any inconsistencies or errors in spelling, grammar and tone.

Technical Protections That Ekaru Helps Provide To Clients and Anyone Willing to Increase their Cybersecurity Hygiene

  • Enable two-factor authentication (2FA) on all accounts.
  • Install email filtering and anti-phishing software.
  • Update software regularly to patch vulnerabilities.
  • Educate employees about the ever-evolving cybersecurity landscape with ongoing cybersecurity awareness training.

When it comes to special cases like vishing over phone calls, the best course of action Ekaru provides for its clients is ongoing cybersecurity awareness training. The more you are aware of scams, phishing and fraudulent attempts, the easier it is for you and your team to identify scams and react appropriately.

Ways Businesses Can Protect Their Cybersecurity

If You Believe You or Someone Else Has Been Affected By a Phishing Scam

  • Change any related passwords immediately across all devices and confirm that passwords are never reused on multiple sites.
  • Monitor your accounts for any further suspicious activity.
  • Notify your bank or credit bureau if financial data was exposed, and follow their next steps.

 

Phishing scams have evolved into well-crafted, multi-step attacks designed to exploit human behavior. By learning to recognize signs and the structure of a phishing attempt, you can stay ahead of cybercriminals and protect what matters most.

Whether you’re an individual or an organization, the best defense against phishing is vigilance, verification, and a proactive security culture.

Interested in how Ekaru can help you and your business stay on top of phishing scams and cybersecurity awareness for you and your team?
Schedule a call to chat with us at 978-692-4200 or www.ekaru.com/contact-us.

Topics: small business, phishing, Cybersecurity, email scams, cybersecurity, ransomware, data security, spoofing, Security Awareness, email spoofing
