Phishing: To click or not to click?

Chris McKinley

How to effectively manage phishing emails in your organisation

Take home message: When that email comes in that you are just not sure about, simply DO NOT CLICK. You’re giving away much more than you think.

To click or not to click, that is the question: Whether ‘tis nobler in the mind to suffer the spam and phishing of outrageous fortune, or to do the right thing and just DO NOT CLICK.

Shakespearean quantities of articles have been written about spam and phishing and we know what we should be looking out for:

  • Is the email from a trusted source?
  • Are you expecting it?
  • Are there red flags such as spelling errors, incorrect branding or requests for urgent action?
  • Have you hovered over the link to check whether the URL actually points somewhere completely different from what the text shows?
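
The "hover over the link" check from the list above, done programmatically over an HTML email body, as an added example that is not part of the original post: it flags every link whose visible text looks like a URL on one domain while the href goes to another. The sample email body and the domain names in it are constructed for illustration, and the domain reduction is a deliberately crude last-two-labels rule rather than a public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(netloc: str) -> str:
    """Reduce a host to its last two labels (portal.example.com -> example.com); assumption: no public-suffix list."""
    host = netloc.split("@")[-1].split(":")[0].lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html_body: str) -> list:
    """Return (visible_text, href, reason) for links whose shown URL/host is on a different domain than the href."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_domain = registrable_domain(urlparse(href).netloc)
        shown_netloc = urlparse(text if "://" in text else "http://" + text).netloc
        if "." not in shown_netloc:
            continue  # plain wording such as 'Click here': no displayed URL to compare against
        shown_domain = registrable_domain(shown_netloc)
        if shown_domain != href_domain:
            findings.append((text, href, f"shows {shown_domain} but goes to {href_domain}"))
    return findings


# Constructed sample body (not from the original post): one disguised link, one honest one, one wording-only link.
SAMPLE_EMAIL = """<p>Your mailbox is almost full. Sign in at
<a href="https://login.example-mail.test/reset?u=abc123">https://mail.example.com/reset</a>
to keep receiving messages. Help: <a href="https://mail.example.com/help">mail.example.com/help</a>
or <a href="https://files.other.test/x">Click here</a>.</p>"""
```

Note that the disguised link also carries a per-recipient token in its query string, which is exactly how a single click confirms that your address is live.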

Below are three screenshots of emails – two are spam/phishing emails and one is genuine. Can you guess which one is which? Answers at the end!

Email 1

Email 2

Email 3

What happens if you click on a phishing email?

So, what happens if you do click on a suspicious email? Perhaps just out of curiosity to see what it is? You already recognise that the email is fake and you’re not going to give away any information, so what’s the harm?

  • Some very sophisticated attacks can exploit previously unknown vulnerabilities in browsers and make use of clever techniques that will compromise your account just by clicking a link – no credential sharing required. These are rare – but not impossible. Keep your computers up-to-date and DO NOT CLICK THE LINK.
  • More common is that clicking the link will offer you the opportunity to leak your credentials by filling in a form. If you’re in the habit of clicking unknown links out of curiosity then you’re more likely to accidentally or absentmindedly fill in your details. Make a habit of NOT CLICKING THE LINK and exercise suspicion at all links in emails.
  • If you think you’re immune to all the above then this is what you’re also giving away by clicking a link:
    • Confirming your email address is genuine (useful to send you more attacks and use it to try to login to other systems)
    • Confirming your name (more personal data)
    • Giving away your public IP address, country or rough location, time zone, computer software and browser versions, the hours you’re active at a computer, and the fact that you’re a ‘clicker’. (As you’ve just visited their website – and this is the kind of data all websites can easily (and often legitimately) gather.)
    • Confirming you’re a real person; with all of the information above it is probably quite easy to find you on other platforms and social media. (Vulnerable to more targeted attacks.)

Educate your organisation about phishing

I hope you’re now going to be more cautious of links.

Microsoft 365 Defender has a great feature called Attack Simulation Training. You can use this feature to educate your entire organisation on how to recognise and manage phishing emails effectively. The tool simulates a phishing attack and provides details on how to identify an attack and how to deal with it.

So, did you spot which image above was the genuine email? I hope you got the answer correct…that’s right, they are all fake and could all leave you vulnerable.

It’s best to ignore any email you find slightly suspicious and use the Outlook feature of ‘report as spam/phishing’. Always question links and attachments and be 100% sure you trust it before even clicking.

If you would like to learn more about phishing and how you can use Microsoft 365 Defender to educate your teams about phishing, simply get in touch today.