What is Phishing?
Phishing is the practice of sending fraudulent emails that look like they are from a reputable source. Phishing emails intend to persuade the recipient to reveal personal information such as login credentials or credit card numbers. This act is one of the oldest scams on the internet, and it continues to be a concern for both individuals and businesses. In fact, according to Phishing Activity Trends Report for 2017, there was an average of roughly 48,500 confirmed phishing attacks per month in the United States during the first half of the year. Some of the key takeaways from this report show that several hundred companies are regularly targeted, at least every few weeks, while a smaller number of companies are attacked intermittently. Over time a few companies fall off the lists completely, only to be replaced by new and up-and-coming targets of opportunity. Phishing attacks are most common in the Payment, Financial, and Email sectors.
Phishing attacks can be challenging to identify. The reason is that the malicious attackers are smart and sophisticated in the manner that they target and attack users. They disguise their emails to look like organizations such as Netflix, Target, Bank of America, or Amazon so they can steal personal information or login credentials. These attackers design their emails to look precisely like the emails you receive from legitimate organizations. For example, some of these emails claim that “your order has shipped" and you should “check the tracking number.” Then, of course, to check the tracking, you need to “click the link below” to log in to your account. However, because you didn't order anything online recently, so you want to log in and make sure something terrible hasn't happened to your account. Absentmindedly, you click the link, log in, and then without realizing it, your login credentials have just been compromised.
Phishing emails arrive in inboxes across the country every day, and spam filters do not always catch them. Luckily, you don't have to panic. This blog details both real-life examples of malicious emails and tactics you can use to identify them and not fall victim to these sneaky jerks.
Emails that Stink
Below are some examples of emails that individuals close to our team have received recently. We didn't have to dig too hard to find these emails because they show up frequently. The best way to combat them is to use a spam filter first. However, as a reminder, spam filters and helpful tools such as Microsoft Office 365's Advanced Threat Protection don’t catch every suspicious email. New malicious phishing methods pop up every day and these tools take time to update.
Your Account Has Been Compromised Spoof
In the example above, the email looks to be from Microsoft's Secure Department. It appears to be legit, right? It says that someone attempted to log into my Microsoft Office 365 account and that I should enable second step verification so that any unauthorized locations can be canceled. Makes sense, right? I want to protect my Microsoft Office 365 account!
Stop. Look closer.
The sender's email address looks strange. It shows @email.nonreplymsdomain.com, and that doesn't look like a Microsoft domain; this is an excellent example of a phishing email. Clicking the link in that email will compromise the user’s credentials.
Your Account Needs Confirmation Spoof
One of our employees received this email. It appears to be from someone who states that his Bank of America account would be limited over 24 (hours) if he did not confirm the account by logging into his account through the email.
The email above is an example of using a threat to coax the recipient into clicking a link and entering their credentials.
Stop. Look closer.
Again, the sender's email address looks strange. It shows firstname.lastname@example.org, and that doesn't look like a Bank of America domain; this is another excellent example of a phishing email. Clicking the link in that email will compromise the user’s credentials.
Someone Needs You to Buy Gift Cards Spoof
Scam artists use phishing emails to entice people to do all kinds of things. These scammy emails can look a little different than the typical phishing email, but they are just as devastating.
The example above came to the inbox of our Director of HR with the sender posing as Vince Mayfield, our CEO. This email asks for a simple response. In the email, the sender tells Mallory that he is busy and needs her to reply to the email. What is occurring here is that someone is on the other side of that email waiting for Mallory to respond. If she chooses to email back, the sender would then email her again and ask her to purchase a specific dollar amount of gift cards, scratch off the back and take a picture and send it to them. Still posing as Vince, they would then claim that they are very busy and are in meetings and to please communicate only through email.
Luckily, Mallory stopped and looked closer and did not respond.
Because Vince is our CEO, we know that he does not have an email address with the @inbox.lv
domain. Stopping to look at both the name and the email address is very important because any email account name can be changed in the account settings. Pretty sneaky.
Reputable Organization Invoice Spoof
Viruses and ransomware can easily be spread through phishing emails as well.
This example is especially concerning because it comes from a reputable source. Anyone doing business with this organization may see this email and consider that the attached PDF is legitimate.
Stop. Look closer.
If you don't typically receive invoices through email or if you pay for services through a web portal, that is the first flag that should make you stop and think. If you are unsure whether or not an attachment is safe to open, you should not open the email at all. Again, stop, look closer, and think before clicking.
We Know Each Other, So Open the Attachment Spoof
This example email came to me directly, and it is another powerful example of a malicious email. When I received this email, I realized that I did not know the sender.
I stopped and looked closer.
Of course, I took the time to look into it a little further. I found out that my contact information is saved in this person’s email. The hacker who compromised the account sent emails to the entire contact list of the person whom they hacked. So, for this example, the email did come from a legitimate account, but it is still malicious. Because I recognized that I didn’t know the person I immediately flagged the email and trashed it. I also took the time to locate this person on LinkedIn to inform her of the situation.
Always, stop and think – but then what?
If it looks phishy and smells phishy, then it probably is phishy - Clearly, you should always stop and think. However, what is the next step? It is more straightforward than you might think.
You can start by asking yourself the following questions to help eliminate threats before they can cause you, your business or your contacts harm.
Staying safe online
- Why am I receiving this email?
- What is it asking me to do?
- What is the sender's email address (not just the sender's name)?
- When hovering the cursor over the link (whether it's text or an image) what is the website URL displayed? This is the link you will visit if you click.
is part of everyday life today. We must all pay attention to what we are doing online—email is no different. I hope this blog has been helpful. Please comment below if you have questions or comments.
If you think your business needs to improve your overall IT
security, please get in touch.