What they are and how to spot them!
You receive a call on your cell phone from an unknown number and, when you pick up, the first thing you hear is, “This is the IRS…” Before the message has a chance to play out, you’ve already hung up. Voice phishing feels like a new thing (it isn’t); it has simply become far more prevalent thanks to auto-dialers and caller ID spoofing. Much like voice phishing, email phishing attacks have been around since the dawn of email, and they too have become more prevalent and more dangerous thanks to new technology. You didn’t send $500 to that Nigerian prince, but you should probably take another look at that email from your CEO asking you to quickly wire funds to a strange new account.
There are a wide variety of email phishing attacks. They range in sophistication from a poorly written bulk email sent to thousands of addresses, hoping that a small percentage of recipients will respond with a compromising action, to a carefully worded email sent to a single high-level employee that appears to come from their CEO. How do you avoid falling prey to these attacks? Be skeptical and suspicious; put on your tin-foil hat as you read through your emails. You will receive phishing emails, that is a certainty; whether you detect them before it is too late is entirely up to you. A good spam and malware filter helps, but it is never a matter of if, only of when, a phishing email will land in your inbox. Will you know what to do?
Phishing emails should be ignored and deleted once identified (or reported to your IT or security team), but how do you spot one? Many phishing campaigns (though not all) are carried out by foreign actors, and the English in these emails is often poorly written. If you receive an email from someone you know and their writing style has suddenly changed, that should raise eyebrows. Be wary of emails that try to foster a sense of urgency; this is an attempt to get you to follow instructions without asking questions. Hover your cursor over links in emails (both hyperlinked text and fully written-out URLs) and make sure they go where you expect them to; on a phone, where you cannot hover, press and hold the link to preview its destination rather than tapping it. Just because the link says Bank of America doesn’t mean it can’t lead to a URL with a similar-looking name and a web page that appears identical to your usual online banking portal. Don’t forget that attachments are a common vector for malware to make its way onto your computer. Be sure you trust an email and its sender before opening any attachment.
Check the email address, not the display name. I can create an email account with the display name Bill Gates; that doesn’t make me a billionaire, or mean that bill.gates@gmail.com is actually Bill Gates. Then check the email address again: helpdesk@vvvvcs.com looks pretty close to helpdesk@wwcs.com if you don’t squint hard enough. Most email systems can detect a spoofed (forged) sender address through checks such as SPF, DKIM and DMARC and stop it before it ever appears in an inbox, but things don’t always work as they should, and sometimes the sending account itself has been compromised, in which case the address is genuine and those checks pass. Even if the email address is correct, be sure to follow up on strange or new requests relating to sensitive information or payments. Follow up in person or by phone if possible, using a number you already have rather than one given in the email, to verify that the request is real. It may seem like a pain, but that diligence could save you and your company.
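The checks described in the two paragraphs above (address versus display name, lookalike domains, where a link claims to go versus where it really goes, urgency wording, sensitive requests and attachments) as an added Python example; this is not code from the original post. It parses two constructed sample messages (not real phishing mail) and reports what a careful reader should notice. The trusted domain wwcs.com, the lookalike character map and the keyword lists are assumptions for illustration, and the registered-domain helper is deliberately crude.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages for illustration only; they are not real phishing mail.
LOOKALIKE_SAMPLE = """\
From: "Help Desk" <helpdesk@vvvvcs.com>
To: employee@wwcs.com
Subject: URGENT: confirm your password today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox will be suspended within 24 hours unless you confirm your password.</p>
<p><a href="http://www.bankofamerica.com.account-check.example/">https://www.bankofamerica.com/</a></p>
<p><a href="https://wwcs.com/help">https://wwcs.com/help</a></p>
</body></html>
"""

DISPLAY_NAME_SAMPLE = """\
From: "ceo@wwcs.com" <wwcs.ceo.office@gmail.com>
To: controller@wwcs.com
Subject: Quick favour
Content-Type: text/plain; charset="utf-8"

Can you wire the deposit to the new supplier account before you leave? Will explain later.
"""

# Assumed for this example: the company's own domain and word lists an analyst would tune.
TRUSTED_DOMAINS = {"wwcs.com"}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "act now")
SENSITIVE_WORDS = ("password", "wire", "account number", "gift card")
LOOKALIKE_MAP = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"))  # sequences the eye misreads
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def normalize(domain):
    """Collapse lookalike sequences so vvvvcs.com and wwcs.com compare equal."""
    d = domain.lower()
    for src, dst in LOOKALIKE_MAP:
        d = d.replace(src, dst)
    return d


def host_of(url):
    """Hostname of a URL; a scheme is assumed when the text omits it."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registered_domain(host):
    """Last two labels of a hostname. Crude: real code would use the public suffix list."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    for t in trusted:
        if domain != t and normalize(domain) == normalize(t):
            return t
    return None


def analyze(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Judge the address, not the display name.
    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        return [("no_sender", "message has no parseable From address")]
    sender = from_header.addresses[0]
    display, addr = sender.display_name, sender.addr_spec
    sender_domain = addr.rpartition("@")[2].lower()
    imitated = lookalike_of(sender_domain, trusted)
    if imitated:
        findings.append(("lookalike_sender", f"{sender_domain} resembles {imitated}"))
    for shown_addr in EMAIL_RE.findall(display):  # display name that pretends to be an address
        if shown_addr.lower() != addr.lower():
            findings.append(("display_name_address",
                             f"display name shows {shown_addr}, real address is {addr}"))

    # 2. Compare where a link says it goes with where it really goes.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(text)
        for shown, href in extractor.links:
            target = host_of(href)
            looks_like_url = "." in shown and " " not in shown
            if looks_like_url and registered_domain(host_of(shown)) != registered_domain(target):
                findings.append(("link_mismatch", f"text says {host_of(shown)}, href goes to {target}"))
            elif lookalike_of(registered_domain(target), trusted):
                findings.append(("lookalike_link", f"{target} imitates a trusted domain"))

    # 3. Pressure to act quickly, and requests for credentials or money.
    haystack = f"{msg['Subject']} {text}".lower()
    if any(w in haystack for w in URGENCY_WORDS):
        findings.append(("urgency", "message pressures the reader to act quickly"))
    if any(w in haystack for w in SENSITIVE_WORDS):
        findings.append(("sensitive_request", "message asks for credentials or a payment"))

    # 4. Attachments are a malware vector; list any so the reader looks before opening.
    for part in msg.iter_attachments():
        findings.append(("attachment", part.get_filename() or part.get_content_type()))
    return findings


if __name__ == "__main__":
    for sample in (LOOKALIKE_SAMPLE, DISPLAY_NAME_SAMPLE):
        for code, detail in analyze(sample):
            print(f"{code:22} {detail}")
        print()
```

Run as a script, the first sample is flagged for the lookalike sender domain, the mismatched bank link, urgency and a password request; the second is flagged because the display name shows ceo@wwcs.com while the real address is a gmail.com account, and because it asks for a wire transfer. None of these checks replaces the follow-up phone call the text recommends; they only tell you which emails deserve one.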
An average phishing attack in 2017 cost mid-size companies $1.6 million. 76% of organizations reported being the target of phishing attacks in 2017, and 92.4% of malware is delivered through email. The weakest part of a business’s defense against phishing is its individual email users. Every user will assuredly receive phishing emails, and it only takes one person making one mistake to cost your business dearly. Susceptibility rates fall as low as 5% when employees are well trained and phishing tests are executed and reported on correctly. If you are unsure whether an email is a phishing attempt, always run it by your IT administrators before acting on it.
– Peter T. Belies
