Training phishing.

Red Flags of Phishing Emails: Think Before You Click

A single click can be the difference between maintaining data security and suffering massive financial losses. From the moment just one employee takes the bait in a phishing email, your business is vulnerable to data breaches and extensive downtime.

Email Security

This starts by identifying:

  • Where is the email coming from? Knowing the source (sending IP address and domain reputation) lets many malicious messages be blocked at the edge, before they are ever delivered to an inbox.

  • Who is the sender? Is the person, brand or domain authentic? We check that the sender really is who they appear to be by authenticating the sending domain (SPF, DKIM and DMARC). This guards against spoofing, a common phishing technique in which an email appears to come from someone you know or trust.

  • What is inside the email that could be compromising? We use standard anti-virus and anti-malware engines to detect malicious content, combined with Safe Attachment and Safe Links capabilities. Machine learning models look for malicious signals or intent and apply deep link inspection.

  • What post-delivery protections are in place once the email reaches the recipient? Sophisticated attackers plan for their links to pass the first round of filtering: the link is benign at delivery time and is weaponized only afterwards. With Safe Links, users are protected at the point of click, when the link is checked for reputation and detonated in a sandbox if necessary.
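The second bullet above, sender authentication, is where an inbound filter decides whether the From domain is really the domain that sent the mail. The following is an added example written for this page (not the product or vendor code the page describes): it reads the Authentication-Results header that a receiving mail server stamps on a message and applies the DMARC alignment rule (SPF or DKIM must pass for a domain aligned with the From domain), then flags a display name that impersonates a protected brand. The two sample messages, the brand list and the host names are constructed for the demo.

```python
"""Inbound sender-authentication check (added example, not the page's code).
Reads the Authentication-Results header stamped by our own MTA and decides
whether the From domain is authenticated under the DMARC alignment rule.
"""
import email
import re
from email import policy

# Brands whose names we do not expect to see in a display name unless the
# From domain is the brand's own (constructed list for the demo).
PROTECTED_BRANDS = ("paypal", "microsoft")

# Constructed sample: display name says PayPal, the From domain is the
# attacker's, and SPF passed only for the attacker's envelope domain.
SAMPLE_SPOOF = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.mailer-xyz.example;
 dkim=none;
 dmarc=fail header.from=paypa1-billing.example
From: "PayPal" <service@paypa1-billing.example>
To: victim@example.net
Subject: Your account is limited

Click here to restore access.
"""

# Constructed sample: SPF and DKIM both pass for the From domain itself.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: "HR Team" <hr@example.com>
To: victim@example.net
Subject: Benefits enrollment

Open the portal from the intranet link.
"""


def org_domain(domain):
    """Relaxed alignment: compare the last two labels. Good enough for the
    demo; a production filter uses the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(header_value):
    """Return {'spf': (result, domain), 'dkim': (...), 'dmarc': (...)}.
    Only the three methods we act on are extracted."""
    results = {}
    # Drop the authserv-id (our own MTA's name) before the first ';'.
    body = header_value.split(";", 1)[1] if ";" in header_value else header_value
    for clause in body.split(";"):
        clause = " ".join(clause.split())  # collapse folding whitespace
        m = re.match(r"(spf|dkim|dmarc)=(\w+)(?:\s+\S+=(\S+))?", clause)
        if m:
            results[m.group(1)] = (m.group(2).lower(), (m.group(3) or "").lower())
    return results


def evaluate(raw_message):
    """Decide deliver/quarantine for one message and explain why."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    auth = parse_auth_results(str(msg["Authentication-Results"]))

    spf_result, spf_domain = auth.get("spf", ("none", ""))
    dkim_result, dkim_domain = auth.get("dkim", ("none", ""))
    # DMARC alignment: a pass only counts if the authenticated domain is
    # (relaxed-)aligned with the domain the user actually sees in From.
    spf_aligned = spf_result == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_aligned = dkim_result == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    authenticated = spf_aligned or dkim_aligned

    display = sender.display_name.lower()
    brand_mismatch = any(b in display and b not in from_domain for b in PROTECTED_BRANDS)

    reasons = []
    if not authenticated:
        reasons.append("From domain not authenticated (no aligned SPF/DKIM pass)")
    if brand_mismatch:
        reasons.append("display name impersonates a protected brand")
    return {
        "from_domain": from_domain,
        "authenticated": authenticated,
        "action": "quarantine" if reasons else "deliver",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_SPOOF, SAMPLE_LEGIT):
        print(evaluate(sample))
```

Two caveats a practitioner would add: the check is only meaningful if your own edge MTA strips any Authentication-Results headers that arrived from outside before stamping its own, otherwise an attacker simply includes a forged "pass"; and a real DMARC evaluation also consults the sending domain's published policy (p=none, quarantine or reject), whereas this example applies a local policy regardless.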

Quickly spot the red flags and put phishing emails where they belong:

1. Poor spelling and grammar

While occasional typos happen to even the best of us, an email filled with errors is a clear warning sign. Most companies push their campaigns through multiple review stages where errors are removed and the language refined. Numerous errors throughout the message indicate that the same care was not taken, and the message is therefore likely fraudulent.

2. An offer too good to be true

Free items or a lottery win sure sound great, but when the offer comes out of nowhere and with no catch? There’s definitely cause for concern. Take care not to get carried away and click without investigating deeper.

3. Random sender who knows too much

Phishing has advanced in recent years to include ‘spear phishing’, which is an email or offer designed especially for your business. Culprits take details from your public channels, such as a recent function or award, and then use it against you. The only clues? The sender is unknown – they weren’t at the event or involved in any way. Take a moment to see if their story checks out.

4. The URL or email address is not quite right

One of the most effective techniques used in phishing emails is to use domains that sound almost right, for example microsoft.info.com or pay-pal.com. In the first case the actual registered domain is info.com, not microsoft.com; "microsoft" is just a subdomain the attacker controls. In the second, a hyphen is enough to make it a different domain entirely.

Hover over the link with your mouse (on a phone, press and hold it) and review where it will actually take you. If the destination doesn't look right, or is completely different from the link text, send that email to the bin.

5. It asks for personal, financial or business details

Alarm bells should ring when a message contains a request for personal, business or financial information. If you believe there may be a genuine issue, you can initiate a check using established, trusted channels.

While education is the best way to ensure phishing emails are unsuccessful, a robust spam filter and solid anti-virus system provide peace of mind that your business has the best protection available.

The 5 most common types of phishing attacks.

You’ve likely heard of phishing attacks. Phishers use scam emails or spoofed websites to obtain user credentials or financial information. This might be an email that looks like it’s from your bank asking you to log in and update your details, a supposed tax alert needing immediate action, or a message carrying a malicious attachment. Phishing is one of the most frustrating threats for businesses of all sizes. The scam, in which criminals send messages that masquerade as legitimate senders, hits organizations of every size every day. Although the criminals’ ultimate goal is always the same, they’ve found many ways to launch their attacks. Here are some of the most common ways in which they target people:

1. Email phishing

Most phishing attacks are sent by email. The attacker registers a fake domain that mimics a genuine organization and sends thousands of generic requests. The fake domain often involves character substitution, like placing ‘r’ and ‘n’ next to each other to create ‘rn’ in place of ‘m’. Alternatively, they might use the organization’s name in the local part of the email address (such as paypal@domainregistrar.com) in the hope that only ‘PayPal’ will show as the sender name in the recipient’s inbox. There are many ways to spot a phishing email, but as a general rule you should always check the full email address of any message that asks you to click a link or download an attachment.
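The red flag about not-quite-right URLs earlier on this page and the character-substitution and local-part tricks described here are all checks a filter or mail-client plug-in can automate. The following is an added example written for this page, not code from the page's author or any product: it extracts every link from an HTML email body, compares the visible link text with the real destination, and classifies each host against a small list of protected brands using the same lookalike patterns the text describes (rn for m, digits for letters, inserted hyphens, a brand used as a subdomain of someone else's domain, a brand in the local part of an address). The brand list, the HTML snippet and the host names are constructed for the demo.

```python
"""Link and sender lookalike audit (added example, not the page's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains we consider genuine for these brands (constructed for the demo).
PROTECTED = {"paypal.com", "microsoft.com"}

# Visually confusable substitutions, applied in order before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("-", "")]


def registrable(host):
    """Last two labels of a host. A production filter would use the Public
    Suffix List so that e.g. co.uk is handled; this is enough for the demo."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalize(label):
    """Fold look-alike character sequences so rnicrosoft == microsoft."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def brand_names():
    return {d.split(".")[0] for d in PROTECTED}


def domain_reasons(host):
    """Why this host is suspicious; an empty list means no finding."""
    host = host.lower().rstrip(".")
    if not host:
        return ["no host in link"]
    reasons = []
    if not host.isascii() or "xn--" in host:
        reasons.append("non-ASCII or punycode label (possible homoglyph)")
    reg = registrable(host)
    if reg in PROTECTED:
        return reasons
    labels = host.split(".")
    name = labels[-2] if len(labels) >= 2 else labels[0]
    if normalize(name) in {normalize(b) for b in brand_names()}:
        reasons.append(f"lookalike of protected brand: {reg}")
    # microsoft.info.com: the brand is only a subdomain of info.com
    if any(b in labels[:-2] for b in brand_names()):
        reasons.append(f"brand name used as subdomain of {reg}")
    return reasons


def audit_sender(address):
    """paypal@domainregistrar.com: brand in the local part, not the domain."""
    local, _, domain = address.rpartition("@")
    reasons = domain_reasons(domain)
    if any(b in local.lower() for b in brand_names()) and registrable(domain) not in PROTECTED:
        reasons.append("brand name in local part")
    return reasons


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html):
    """Return one finding per link: host, reasons, and whether to flag it."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = domain_reasons(host)
        # Link text that looks like a URL but points at a different domain:
        # the "hover over the link" check, automated.
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and registrable(m.group(1)) != registrable(host):
            reasons.append(f"link text shows {m.group(1)} but href goes to {host}")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


# Constructed sample body: one genuine link and three of the tricks above.
SAMPLE_HTML = """
<p>Your account needs attention.</p>
<a href="https://www.paypal.com/signin">Sign in</a>
<a href="http://pay-pal.com/verify">https://www.paypal.com/verify</a>
<a href="https://microsoft.info.com/login">Microsoft login</a>
<a href="https://rnicrosoft.com/reset">rnicrosoft.com</a>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        print(finding)
    print(audit_sender("paypal@domainregistrar.com"))
```

The normalization table is deliberately small; real filters also handle Unicode confusables (Cyrillic letters that render like Latin ones, which arrive as punycode "xn--" labels in mail), which this example only flags rather than decodes.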

2. Spear phishing

There are more sophisticated types of phishing involving email, like spear phishing, which describes malicious emails sent to a specific person. In these cases, the attackers do their homework first and target a specific company. They scour directories and employee social media to gather information to gain credibility. Therefore, criminals who do this will already have some information about the victim:

  • Name

  • Company they work for

  • Job title

  • Email address

  • Specific information about their job role

3. Whaling

The executives of your company are the big fish in your sea, and cybercriminals think of them as whales. Whaling is a more targeted form of phishing: the high-value target is a senior-level employee, and the fraudster typically impersonates one of the target’s C-suite counterparts.

Although the end goal of whaling is the same as any other kind of phishing attack, the technique tends to be a lot subtler. Tricks such as fake links and malicious URLs are less useful here, because the criminals are imitating senior staff and asking for an action rather than a click. Scams involving bogus tax returns are an increasingly common variety of whaling. Tax forms are highly valued by criminals because they contain a host of useful information: names, addresses, Social Security numbers and bank account information.

In whaling, information gathered in advance adds credibility to the social engineering. The target has higher value, so it is worth the attacker’s time to appear knowledgeable and to make the request look like it comes from someone important. The sender’s email address will look convincing (e.g. smithj@companyx.co instead of smithj@companyx.com). The messages will carry corporate logos and legitimate links to the company site. Because people want to help, the communications typically involve an urgent matter.

Whaling attacks are on the rise. In 2016, Snapchat admitted compromising employee data after receiving an email, seemingly from its CEO, asking for payroll information. In another high-profile example, Mattel nearly transferred $3 million to a Chinese account. Company policy required two signatures, but the attackers (taking advantage of a recent shakeup) faked the new CEO’s signature. The second executive went ahead and added a signature. The only thing that saved the company was that it was a Chinese bank holiday.

4. Smishing and vishing

These are fraudulent attempts to steal protected data in which the cybercriminals use the phone to make contact, instead of email. They might pretend to be a vendor needing to confirm account details for bill payment. Smishing involves criminals sending text messages (the content of which is much the same as with email phishing), and vishing involves a telephone conversation.

A common vishing scam involves a criminal posing as a fraud investigator (either from the credit card company or the bank) telling the victim that their account has been breached. The criminal will then ask the victim to provide payment card details to verify their identity or to transfer money into a ‘secure’ account – by which they mean the criminal’s account.

5. Angler phishing

Angler phishing is a relatively new attack vector in which criminals use social media, typically by posing as a brand’s customer-support account and replying to people who complain publicly. Social media offers several ways to trick people: fake URLs, cloned websites, posts and tweets, and instant messaging (which is essentially the same as smishing) can all be used to persuade people to divulge sensitive information or download malware. Alternatively, criminals can use the data that people willingly post on social media to create highly targeted attacks.

In 2016, thousands of Facebook users received messages telling them they’d been mentioned in a post. The message had been initiated by criminals and unleashed a two-stage attack. The first stage downloaded a Trojan containing a malicious Chrome browser extension on to the user’s computer.

When the user next logged in to Facebook using the compromised browser, the criminal was able to hijack the user’s account. They were able to change privacy settings, steal data and spread the infection through the victim’s Facebook friends.

One thing is for sure: Your employees are your last line of defense.

Organizations can mitigate the risk of phishing with technological means, such as spam filters, but these have consistently proven not to be enough. Malicious emails will still get through regularly, and when that happens, the only thing preventing your company from a breach is your employees’ ability to detect their fraudulent nature and respond appropriately.

“The primary way to protect against phishing attacks is to question everything.”

Train your staff members to guard what they share on social media. Encourage them to question any unsolicited request. If they weren’t expecting an attachment or link, they should follow up with the sender through a known channel. If a request is unusual, they should trust their instincts and proceed with caution.

It’s also a good idea to develop a policy for handling requests for money or personal information. By requiring that two people must always weigh in, you're more likely to catch a scam before it’s too late.

Also, train all your employees to look carefully at email addresses and sender names. They should also know to hover over links (without clicking on them) to reveal the full URL.

Security awareness is crucial. It’s also a good idea to test your employees with mock phishing emails.

Need help training employees or testing social engineering? Contact our experts today, call us at (305) 400-0992.
