Phishing email attacks are on the rise, with research suggesting that 90% of global enterprises were targeted by phishing attacks in 2019. According to the latest Microsoft Security Intelligence Report, phishing emails rose by a staggering 74% in 2019 over 2018. If you have an email address, and not surprisingly most of us do, then you have likely received a phishing email, or several, at some point over the past couple of years. As far back as 2010 we were warning our clients about these malicious emails (Don’t become Cyber Bait), and before I give you our top tips to avoid falling victim to a phishing attack, let us first look at the methods employed in a phishing attack.
Phishing emails are sent to a large number of users simultaneously with the intention of “fishing” for sensitive information by posing as known and reputable sources. These emails will likely include legitimate-looking graphics and logos. Banks, credit card providers, Revenue, financial institutions and large corporations such as PayPal and Microsoft are just a few of the common ones. A phishing campaign typically sends out emails to huge numbers of recipients. Most recipients don’t use the bank, card provider etc. that the mail purports to be from, but by sheer weight of numbers these emails will arrive in the inboxes of some actual customers of the institution it claims to be from, and those customers may very well fall victim to the scam.
Spear phishing is much more focused and will target an individual or small group, gleaning data from social media sites to con the recipients. The email will be personalised and will appear to be from legitimate organisations that you may very well have an association with.
Whaling is similar to spear phishing in that the cybercriminals target individuals. In this case, however, the targets are persons in a company who have the power to make payments or release sensitive data on behalf of the company, or a senior executive of the company. The intention here is to siphon off money from accounts or steal confidential data. Personalisation and detailed knowledge of the executive and the business are the hallmarks of this type of fraud.
Social engineering is utilised primarily in spear phishing and whaling attacks. Within a security context, social engineering means the use of psychological manipulation to trick people into divulging confidential information or providing access to funds. Social engineering will likely include the mining of information from social media sites. Twitter, LinkedIn, Facebook and other social media platforms provide a wealth of information about you and your organisation. This may include your contact information, connections, friends, ongoing business deals and more. With the average person having a presence on several social media platforms, it is important to be mindful of the information you upload and share.
Someone who has never met you, and never will, can easily project themselves as a friend-of-a-friend, or a colleague you’ve worked with electronically but never met face-to-face. Using social engineering as well as other data harvesting methods, the cybercriminals can gather a lot more information about you than you might expect.
Scams of these types often work because they play on trust, and maybe a little fear, of superiors. An email carrying an urgent request or demand for information or payment from someone higher up the organisation chart has proven very successful. Executive whaling, often referred to as CEO Fraud, has proven very profitable for cybercriminals who prey on this trust and fear. At IT.ie we recommend to our clients that a safe-word or phrase be used in all correspondence that requests the release of data or payment. With the recent introduction of deep-fake voice as a tool for the scammers, this should also be extended to phone calls.
Scammers know that you are likely to check up on the source of the email to make sure that the sender and its content are legit. To help you “verify” the legitimacy of the email, the scammers will often provide you with a number to call or a website to visit to check their authenticity. They may even warn you about other scams to gain your trust. If the sender is legit, then it will be very easy to verify their authenticity, and that of the company they claim to represent, outside of the email they have sent: use contact details you look up independently rather than the number or website supplied in the email itself.
This is probably the most important tip I can give you. If you don’t trust the source or destination of a link, Don’t Click on it. Clicking on links can allow cybercriminals access to your sensitive data and, in the case of a ransomware attack, total control of your system or network.
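Checking where a link actually goes, rather than where its text says it goes, is the practical form of this tip. The script below is an added example and is not code from the original post: it parses a constructed HTML email body with Python’s standard library, pulls out every anchor, and flags links whose visible text names one domain while the href points somewhere else, links that target a bare IP address, and links that use plain http. The sample message, its domains and IP address are made up for the demonstration; `registrable_domain` is a deliberately crude last-two-labels approximation and would need a public suffix list for real use.

```python
"""Reveal where the links in an email really point before anyone clicks them.

Added example, not code from the original post. The sample HTML below is a
constructed phishing-style message; no real organisation is referenced.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample of an HTML email body (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account needs verification.</p>
<p>Visit <a href="http://198.51.100.23/login">https://www.examplebank.example/login</a>
   within 24 hours.</p>
<p>Questions? See our <a href="https://www.examplebank.example/help">help centre</a>.</p>
<p>Or confirm at <a href="https://examplebank-security.example.net/verify">examplebank.example</a>.</p>
"""

# Matches something that looks like a domain (optionally prefixed by a scheme)
# inside the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation (assumption): keep the last two labels of a host."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip(host):
    """True if the host part of the URL is a literal IP address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_links(html):
    """Return one finding per anchor: href, visible text, and why it is suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        reasons = []
        if is_ip(host):
            reasons.append("href points at a bare IP address")
        if target.scheme == "http":
            reasons.append("href uses plain http")
        shown = DOMAIN_RE.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(
                f"visible text says {shown.group(1)} but href goes to {host}"
            )
        findings.append(
            {"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons}
        )
    return findings


if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL_HTML):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"[{flag}] {finding['text']!r} -> {finding['href']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On the sample, the first and third links are flagged (the first for its IP-address target, plain http and mismatched text; the third because the text names one domain while the href goes to another), while the second link is left alone because its text is plain words and its target is the same domain the text implies nothing about. The same “does the destination match what I was shown?” question is what hovering over a link in a mail client answers manually.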
When I write posts such as this, I always ask a colleague to proofread the piece, and more often than not they find an error that I missed. The same should apply to any email that requests you to carry out an action. Get a colleague to have a read and give you their opinion. Phishing emails very often have spelling or grammatical errors that you would not expect from professional correspondence, and these might only be picked up by having a second person read the email content. A second opinion might save you from divulging sensitive data or handing over company funds, and ultimately save your job.
If I were to suggest two key takeaways from this post, they would be: treat every mail with a healthy level of scepticism, and Don’t Click on unknown or untrusted links.