For several decades, email has been the primary form of professional and casual communication on the internet. In April 2019, Statista estimated that 293.6 billion emails are sent around the globe each day. Because email is so widely used, scammers are quick to take advantage of its reach and exploit it.
Statista reports that over 55% of emails sent are considered spam. Although spam folders help weed these fake messages out, many still slip through filters and land in the inbox alongside trustworthy email. These messages, disguised as legitimate, are phishing scams aimed at users like you.
What is Phishing?
Phishing is the act of attempting to manipulate the recipient of a malicious email into opening and engaging with it. The sender of such an email tries to trick the victim by making the message seem important and from a reputable source. Phishing emails may include harmful attachments, such as PDF or Word documents, which can damage the user’s computer by installing malware, ransomware, or other destructive software once opened. They can also contain malicious links in the body that lead the user to a fraudulent site. These sites are used to collect confidential information such as usernames and passwords, or to install malware onto a device. Once the victim’s information has been obtained, scammers monetize the data by selling it to the highest bidder on Dark Web sites. Your information is currently worth anywhere from $1-$2000 on the dark web, which is why having our Dark Web Monitoring Service in place is very important.
Types of Phishing
Deceptive Phishing, one of the most common phishing scams, is any attack in which fraudsters impersonate a legitimate company and attempt to steal people’s personal information or login credentials.
Spear Phishing is when cyber criminals customize their attack emails with a target’s name, position, company, work phone number or other information in an attempt to trick the recipient into taking some action that appears to be requested by a known connection.
CEO Fraud, also called “whaling”, targets a high-level executive of an organization. Offenders attempt to isolate an executive and steal their login credentials. With these credentials they can perform a CEO scam. A CEO scam occurs when a scammer creates an email that appears to come from the CEO or another member of senior management in order to exploit the trust of employees. The impostor email asks the target to wire funds or share confidential information with the scammer.
How to Identify a Phishing Email
Now that you know the different types of phishing attacks, the next step to keeping your data, your company’s data and your technology safe is to identify them. With the number of spam emails sent daily growing, it’s increasingly important to be able to spot the tell-tale signs of a fraudulent email.
1. Confirming Personal Information – You will often receive emails disguised to look authentic. They might mimic the style of your own company or an outside business such as a bank or credit card company. These emails may request personal information that you would not usually provide, such as banking details or login credentials. It is important that you don’t click on or respond to these emails. Before responding, determine the legitimacy of the email by contacting the organization directly, using contact details you already have or find yourself on the internet rather than those given in the email.
2. Fraudulent Email and Web Addresses – Phishing emails often come from an address that appears legitimate but, at a closer glance, shows discrepancies such as a misspelled or look-alike domain. These emails may use the names of genuine companies and may be made to replicate the company’s own websites or email accounts. Brand logos and trademarks do not guarantee that an email is real: attackers can copy these images or download them from the internet to mimic an existing company. Even antivirus badges can be inserted into emails to persuade victims that an email is from a legitimate source.
3. Grammar – Phishing emails sometimes contain poor language in the body of the message. Grammatical errors and awkward sentence structure are common in phishing emails. A legitimate company would construct its outbound communication professionally and check for spelling errors and other mistakes. While poor grammar is a giveaway, not all phishing emails have sloppy grammar, so stay alert even when the writing is polished.
4. Scenarios – Many phishing emails attempt to instill a sense of worry in the recipient. The email presents a scenario that can only be resolved by entering your credentials. For example, it may state that your account will be closed if you don’t enter your personal information and act now. If you are unsure what an email is asking of you and why, contact the company or sender through another channel.
5. Attachments – If you receive an email from a seemingly random company you have no relationship with, and the email references something unexpected, the attachment may carry malware or a virus. Such attachments may contain a URL or a Trojan horse designed to compromise your system if opened. Forward these emails to your security team instead of opening them yourself.
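Items 2 and 5 above can be checked mechanically before a message ever reaches a person. The Python script below is an added example written for this page, not code from the RMON Networks article or any product of theirs; the trusted domains, the brand list, the risky attachment extensions and both sample messages are constructed for the demo.

```python
# Added example (not from the RMON Networks article): automate the checks from
# items 2 and 5 above over a raw email. The trusted and brand domains, the
# sample messages and the risky-extension list are constructed for this demo.
import email
import os
from email import policy
from email.utils import parseaddr

# Domains the recipient genuinely deals with (constructed list).
TRUSTED_DOMAINS = {"example-bank.com", "rmonnetworks.com"}
# Brand names that should only ever appear with mail from their own domain.
BRAND_DOMAINS = {"example bank": "example-bank.com"}
# Attachment types that can run code or macros when opened.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".bat", ".lnk", ".iso",
                    ".html", ".docm", ".xlsm", ".pptm"}
# Characters attackers swap in to imitate a real domain (digit-for-letter).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain):
    """Map look-alike characters and pairs back to the letters they imitate."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Plain Levenshtein distance, enough to catch one- or two-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is genuine or unrelated."""
    domain = domain.lower()
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain == trusted or domain.endswith("." + trusted):
            return None  # really hosted under the trusted domain
    n = normalize(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        t = normalize(trusted)
        # Trusted name reused as a sub-label (example-bank.com.evil.net),
        # homoglyph swaps, or a couple of characters changed.
        if t.split(".")[0] in n.split(".") or edit_distance(n, t) <= 2:
            return trusted
    return None


def analyze(raw_message):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()

    # Item 2: the display name claims a brand, but the address is somewhere else.
    for brand, brand_domain in BRAND_DOMAINS.items():
        if brand in name.lower() and from_domain != brand_domain \
                and not from_domain.endswith("." + brand_domain):
            findings.append(f"display name claims '{brand}' but address is @{from_domain}")
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} imitates {imitated}")

    # Replies silently routed to a third domain are a classic sign of a scam.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to @{reply_domain}, not @{from_domain}")

    # Item 5: attachments of a type that executes when opened.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment '{filename}' is an executable type ({ext})")
    return findings


# Constructed phishing sample: brand in the display name, digit-for-letter
# domain, foreign Reply-To and a macro-enabled Word attachment.
PHISH = """\
From: Example Bank Security <alerts@examp1e-bank.com>
Reply-To: recovery@mail-verify-center.net
To: jane@rmonnetworks.com
Subject: Your account has been locked
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Open the attached form within 24 hours to confirm your account.
--b1
Content-Type: application/octet-stream; name="account_form.docm"
Content-Disposition: attachment; filename="account_form.docm"

(placeholder attachment bytes)
--b1--
"""

# Constructed legitimate sample for comparison.
CLEAN = """\
From: Jane Doe <jane@rmonnetworks.com>
To: bob@rmonnetworks.com
Subject: Lunch on Friday?
Content-Type: text/plain

Are you free at noon?
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("clean", CLEAN)):
        print(label, analyze(sample) or ["no findings"])
```

The normalization and edit-distance checks are heuristics tuned for the sample domains: very short trusted domains would need a tighter distance threshold, and a real deployment would feed a list of the organisation's actual partner domains rather than the constructed set here.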
How to Avoid Falling Prey to Phishing
Phishing attacks primarily disguise themselves as trusted organizations and people, preying on and exploiting the recipient’s trust. You should be wary of email subjects and phrases such as:
- Your account has been locked
- Update your records
- Click to learn more
- You missed a delivery
- Confirm your account
- Suspended account
- Unwarranted refunds on taxes or purchases
Emails can also be sent from seemingly reliable individuals such as your company’s CFO or CEO. When in doubt, contact the sender or company directly through the official website or the individual in person. Do not click any links or attachments!
1. Be Wary of Links – Hover over links in emails to verify their legitimacy before clicking on them. This can prevent navigation to fraudulent sites or links that may deliver malware. Hovering reveals the link’s full destination URL, which can differ from the text displayed. From there you can determine whether the website is secure and is the correct destination before visiting.
2. Anti-Phishing Toolbars – Some internet browsers can be fitted with anti-phishing toolbars that check sites before you visit them and compare them against lists of known phishing sites. This helps prevent you from navigating to fake sites and decreases the risk of downloading malicious content. Discuss this with your company’s security team or Managed Service Provider before adding one.
3. Verify a Site’s Security – URLs that begin with “https” and show a closed lock icon near the address bar use an encrypted connection. These sites allow sensitive information to be entered with little risk of interception in transit. However, there has been a new development in attackers’ phishing exploitation: phishing sites can now present “https” AND the lock icon too, because the lock only proves that the connection is encrypted, not who is on the other end of it. It is important to verify EVERY questionable email that you receive now that cyber crime is advancing.
4. Don’t Send Personal or Financial Information Via Email – Only communicate sensitive information such as usernames, passwords or banking information via a secure website or over the phone. Don’t fill out any forms in emails unless they have been verified as legitimate. If you receive an email from your CFO asking you to send the 2019 budget over urgently, it is wise to give them a call to confirm it is actually them sending the email.
5. Educate – Many companies offer thorough training programs to help employees and individuals learn to identify and combat phishing techniques. Through necessary training, examples and procedures, you can reduce employee and individual susceptibility to different kinds of phishing. RMON Networks offers an employee security training kit to get you started. Download this FREE kit here!
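Hovering (item 1 above) checks one link at a time. The Python script below is an added example written for this page, not code from the RMON Networks article, that applies the same comparison to every link in an HTML email body at once and, in line with item 3, still reports an off-brand destination when the link uses “https”. The sample HTML, the trusted-domain set and the 198.51.100.7 test address are constructed for the demo.

```python
# Added example (not from the RMON Networks article): inspect every link in an
# HTML email body the way hovering does, comparing the text a reader sees with
# the real destination, and flagging off-brand hosts even behind "https".
# The sample HTML and the trusted-domain set are constructed for this demo.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so the visible text reads as the user saw it.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# Visible link text that itself looks like a URL or bare domain.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def host_of(url_like):
    """Hostname of a URL or bare domain, lower-cased; '' if there is none."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlsplit(url_like).hostname or "").lower()


def is_trusted(host, trusted_domains):
    """True when host is one of the trusted domains or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted_domains)


def check_links(html_body, trusted_domains):
    """Return findings for links whose destination does not match what the reader sees."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        scheme = urlsplit(href).scheme.lower()
        if scheme in ("javascript", "data"):
            findings.append(f"'{text}' runs code instead of opening a page ({scheme}: link)")
            continue
        real = host_of(href)
        # Visible text that looks like a URL but points somewhere else entirely.
        if LOOKS_LIKE_URL.match(text) and host_of(text) != real:
            findings.append(f"link text shows {host_of(text)} but actually goes to {real}")
        # Item 3: https and a lock only prove encryption, not who owns the site.
        if not is_trusted(real, trusted_domains):
            findings.append(f"'{text}' leads outside trusted domains: {real} (scheme {scheme or 'none'})")
    return findings


# Constructed sample body using the subject lines listed above.
SAMPLE_HTML = """
<p>Your account has been locked. Confirm your account within 24 hours.</p>
<p><a href="https://example-bank.com.verify-login.net/restore">https://example-bank.com/security</a></p>
<p><a href="https://example-bank.com/help">Help center</a></p>
<p><a href="http://198.51.100.7/track.php?id=42">Click to learn more</a></p>
"""
TRUSTED = {"example-bank.com"}  # constructed trusted set

if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML, TRUSTED):
        print("-", finding)
```

The first sample link is the case item 3 warns about: the destination serves over https, so the browser would show the lock, yet the host is a look-alike that merely starts with the bank's name. Matching on the registrable domain suffix, as is_trusted does, is what catches it.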
With regular training that includes phishing simulations, data protection and compliance training, and courses on IT and security best practices, businesses can significantly reduce risk, decrease infections and related help desk costs, protect their reputation by experiencing fewer breaches, and secure their overall cyber security investment.
Because email is the main form of business communication, it poses distinct threats to organizations and individuals. Spam mail and phishing attacks can be detrimental to an organization, causing a breach of personal or client information, or a loss of funds. The best way to avoid and protect yourself from an attack is awareness and education. Knowing the different types of attacks, their motives and their identifying features will help.
Keep Your Business Safe
You can stay safe by investing some time into educating your employees on best cyber security practices to ensure that they will not take the phishing bait. Contact RMON Networks today and let us help you develop a custom cyber security solution to fit your business needs.