Not a day goes by without another phishing scam hitting the news. For many of us, these are just headlines. For the organizations and individuals affected, however, a phishing attack can be disastrous. Phishing emails are increasing in frequency, sophistication and severity. How can you best stay protected?
Criminals have realized that in order to steal money or information, you don’t need to rob a bank. A simple email will do the job just fine. Phishing emails have been used to steal huge amounts of money ($12 billion according to the FBI) and are responsible for countless data breaches, credential theft, ransomware attacks and other types of malware deployment.
What’s more, thanks to criminal activity on the Dark Web, it’s not only credit card details that are for sale – now full phishing kits are available, starting at around $25.
Most email threats fall into the following categories:
- Simple scams
- Phishing emails
- Fraudulent emails
Simple scams: these range from the classic “you’ve won a competition” to “we’ve been recording you on your webcam” or “your account’s been compromised”. Generally, these are pretty harmless and easy to spot. They rely on emotions such as fear to trick a user into taking action.
Phishing emails: these are emails that purport to be from legitimate senders, yet are cleverly disguised fakes. They range from sophisticated Business Email Compromise (“BEC”) emails – where a fraudster targets someone specific in an organization pretending to be the CEO, for example – to more general emails pretending to be from Microsoft, Netflix, or any other well-known organization.
These emails either get you to click a link or download a file – deploying malware onto your system – or direct a user to a fake website where they enter sensitive information.
Fraudulent emails: a subset of phishing emails, these target companies and pretend to come from a supplier whose banking details have changed. Money is paid into the new account, and the fraudster rides off into the sunset.
Next, we’ll look at what exactly to look out for so that you don’t fall for any of these.
What to look out for
Here are the most important things to look for when checking if an email is legit:
Sender: start by looking carefully at the sender’s address. Not just who they say they are – but the actual address that the email is coming from. Check for any additional or missing letters (“@microsofts.com”), or even non-English characters that can be used to spoof well-known addresses. A common trick is the use of subdomains – don’t be confused by amazon.xyz.com.
Content: look out for anything that’s made to look urgent. Is the message addressed to you, or is it generic, like “Dear Sir”? Mouse over the links. Do they lead to the real company’s website? Assess what action the email is asking for: anything that requires you to “confirm your account” or “update your payment details” should be met with suspicion.
Be wary of any email that mentions voicemails that are waiting for you, or subscription details that need to be updated.
Advanced – header information: most popular email clients – including Gmail and Microsoft Outlook – let you see the original header information (in Outlook: File / Properties / Internet Headers). For more advanced users, going through these headers can give immediate clues as to whether an email is legitimate.
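The sender checks described above (added or missing letters, non-English characters, a brand used as a subdomain, and a display name that does not match the actual address) can be applied to a raw From header. The following is an added example, not code from the original article; the TRUSTED list, the check_sender helper and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: domains this organization expects mail from (constructed list).
TRUSTED = ("amazon.com", "microsoft.com", "netflix.com")

def edit_distance(a, b):
    """Levenshtein distance, used to spot added or missing letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return warnings for a raw From header value (hypothetical helper)."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if "@" not in addr or not domain:
        return ["no parsable sender address"]
    labels = domain.split(".")
    # Naive last-two-labels rule; production code should use the Public Suffix List.
    reg = ".".join(labels[-2:])
    warnings = []
    if not domain.isascii() or any(l.startswith("xn--") for l in labels):
        warnings.append("non-ASCII or punycode characters in domain")
    if reg in TRUSTED:
        return warnings
    for good in TRUSTED:
        brand = good.split(".")[0]
        if brand in labels[:-2]:
            warnings.append(f"'{brand}' is only a subdomain of {reg}")
        elif edit_distance(reg, good) <= 2:
            warnings.append(f"{reg} is a near-miss of {good}")
        elif brand in display.lower():
            warnings.append(f"display name says '{brand}' but address is at {reg}")
    return warnings

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    '"Microsoft Support" <no-reply@microsofts.com>',
    "Amazon <orders@amazon.xyz.com>",
    '"Netflix Billing" <billing@nf-accounts.example>',
    "Amazon <orders@mail.amazon.com>",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_sender(s) or "no warnings")
```

A clean result only means the address passed these string checks; the From header itself can still be forged.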
An important note: when it comes to emails, almost anything can be faked. When it comes to email phishing protection, a specific anti-phishing product is the best way to identify and stop phishing attacks. It’s also really important to stay aware, use a healthy dose of skepticism, and where possible confirm details with a phone call.
Staying Email Safe
By protecting your email, you’re taking a massive step in terms of keeping your entire organization protected against cyber threats.
A winning approach combines awareness, training, and tech-based solutions working together to keep you safe.
If you want to find out more about keeping your organization protected against cyber threats, don’t hesitate to get in touch.