As you likely already know, cybercriminals often use email to trick you into giving up your personal information. This is known as phishing, and the bad guys are after your personally identifiable information (PII): passwords, account numbers, even your Social Security number. With such information, attackers can access your email, social media, bank, and other accounts. These emails often carry a sense of urgency and may even threaten fines or jail time to get you to react before you think.
Scammers launch phishing attacks thousands of times a day, according to the Federal Trade Commission, and the FBI’s Internet Crime Complaint Center reports that victims lost $57 million to phishing in 2019. Here are five of the most common email scams to be wary of, and how to protect yourself from them.
Phishing for Stats
According to Mimecast, an estimated 2.1 million domains are tied to phishing attacks, 47 percent of phishing attacks result in compromised accounts, and 49 percent result in malware infections. Another sad fact is that only one in five companies offers employees ongoing cyber awareness training. Mimecast’s State of Email Security Report 2021 found that “email remains the most popular way to try and sidestep a business’ defenses,” and that email threats rose by more than 64 percent in 2020 alone. Much of that increase is tied to employees working remotely because of the COVID-19 pandemic: threat actors quickly adopted COVID-19 as the lure for new phishing campaigns, and employees working from home clicked malicious URLs in emails three times more often in 2020 than before.
Email Phishing Scams
This is the primary type of phishing attack committed by bad actors. It usually involves sending the same email to hundreds or even thousands of recipients in the hope that casting a wide net will pull in more personal data. The message is often formal looking and asks you to click a link to resolve an issue or learn more, or carries a malicious attachment for you to open. The link may lead to a website built to separate you from your PII or money, and the attachment or download may carry malware that, once run, can spread across your network.
One well-worn example is the advance-fee email from a supposed prince or official in a distant country promising you millions in return for a small up-front payment. Mimecast reports that 40 percent of companies admit to email security shortfalls, while a shocking 13 percent of organizations have no email security system in place at all.
To avoid being caught by one of these deceptive emails, never click a link, open an attachment, or visit a website because an email from an unknown source told you to. If you get a suspicious looking email from a known, trusted source, don’t open attachments or click anything until you have confirmed it with the person by phone or in a fresh email you start yourself (not a reply, which goes straight back to whoever actually sent the message).
Other measures help too: enable the phishing filter in your email software and in your web browser, and use a pop-up blocker; together they cut down the number of phishing attempts that reach you and the number of bogus pages that load if you do click. Finally, train your employees regularly on how to spot such emails and whom to report them to when they receive one.
Like the mass phishing email above, spear phishing also arrives by email, but it is not a bulk mailing: it targets one individual. For example, an attacker may spear phish the assistant to the president of your company. With a little online research into your website, social media, and press coverage, the bad guys can learn who the important people in your organization are, and a quick email from the “president” telling the assistant to pay an outstanding bill may end with the bad guys getting your company’s money. The stolen credentials and contact lists that feed many of these attempts are bought and sold on the dark web, the dirty underbelly of the internet we all use daily.
Spear phishing emails may appear to come from a colleague or business partner you trust, which is why the technique is also called an impersonation attack. The sender address, the linked website, or the reply-to address may be a look-alike of the real one, and the difference can be a single letter or digit.
Check the source of every email carefully, make sure it is legitimate, and look closely at web addresses. Pay close attention to spelling and punctuation in email addresses, web addresses, and the body of the message.
Also watch for a change in the domain suffix, such as .net in place of .com or .org. Substituted characters, such as a zero for the letter O or the digit 1 for a lowercase L, and added dashes or underscores are other red flags. Avoid websites without a TLS certificate (still widely called an SSL certificate), since a missing certificate is a quick way to spot an unsecured site; but remember that certificates are free and issued automatically today, so a phishing site can show the padlock too. A simple phone call can validate requests for money transfers, payments, or changes in how vendors are paid: pick up the phone and call the supervisor, colleague, or vendor, using a number you already have rather than one printed in the email, before completing any request for funds that seems out of the ordinary.
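The checks above (suffix swap, substituted characters, added dashes or underscores, one character off, a trusted name buried inside a longer one) can be automated for the domains you actually do business with. The following is an added example written for this article, not code from the original page or from any vendor: `TRUSTED_DOMAINS` is a constructed allow-list, and `split_domain` is a deliberate simplification that treats the last label as the suffix, so two-part suffixes such as co.uk are not handled.

```python
# Added example: heuristic look-alike check for a sender's domain.
# Not from the original article. TRUSTED_DOMAINS is a constructed allow-list;
# a real deployment would load the vendors and partners you actually email.
TRUSTED_DOMAINS = ["example.com", "acme-supplies.com", "bigbank.com"]

# Substitutions attackers use because they look alike in many fonts.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label: str) -> str:
    """Fold homoglyphs and strip dashes/underscores so 'examp1e' and
    'ex-ample' both compare equal to 'example'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s.replace("-", "").replace("_", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (registrable name, suffix). Simplification: the last label is the
    suffix, so two-part suffixes such as co.uk are not handled here."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def classify_sender_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Label a sender domain as trusted, suspicious (with the reason), or unknown."""
    domain = domain.lower().strip().rstrip(".")
    name, tld = split_domain(domain)
    for t in trusted:
        if domain == t:
            return "trusted"
        if domain.endswith("." + t):
            return f"trusted subdomain of {t}"
        tname, ttld = split_domain(t)
        if name == tname and tld != ttld:
            return f"suspicious: TLD swap of {t}"             # example.net for example.com
        if normalize(name) == normalize(tname):
            return f"suspicious: look-alike of {t}"           # examp1e.com, exarnple.com
        if levenshtein(name, tname) == 1:
            return f"suspicious: one character off from {t}"  # exampl.com, exammple.com
        if normalize(tname) in normalize(name):
            return f"suspicious: embeds {t}"                  # bigbank-secure.com
    return "unknown"


if __name__ == "__main__":
    for d in ["mail.example.com", "example.net", "examp1e.com", "bigbank-secure.com", "weather.gov"]:
        print(f"{d:22} {classify_sender_domain(d)}")
```

Run it against the domain in the From: header and in every link; anything that comes back "suspicious" deserves the phone call described above, and "unknown" simply means the domain is not one you already trust.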
This is another place where good, up-to-date technology can help you and your business. Email authentication protocols, including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC), which builds on the other two, let receiving servers reject or quarantine messages that forge your domain in the From: line before they ever reach your users. Note that they only protect the domains you publish records for; mail from a look-alike domain the attacker registered passes its own checks, so the address inspection above still matters. Automated scanning of mail entering your system, moving between internal users, and going out, increasingly driven by machine learning, can also lower the odds of a successful spear phishing attack. Other modern tools watch patterns in email traffic and notify a designated person, such as the IT professional in your office, when something seems amiss.
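To make concrete what SPF, DKIM and DMARC actually decide, here is an added example of the receiving side's DMARC evaluation, written for this article and not taken from the original page or from any mail product. The SPF and DMARC TXT records are constructed for example.com; a real server fetches them from DNS and uses the Public Suffix List to find the organizational domain, which is simplified here to the last two labels.

```python
# Added example: how a receiving mail server applies a DMARC policy.
# Not from the original article. The DNS records below are constructed for
# example.com; real evaluation looks them up in DNS and uses the Public Suffix
# List for the organizational domain, simplified here to the last two labels.
from email.utils import parseaddr
from typing import Optional

SPF_RECORD = "v=spf1 mx include:_spf.mailhost.example -all"  # constructed TXT at example.com
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r"  # at _dmarc.example.com


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(from_header: str, dmarc_txt: str,
                      spf_result: str, spf_domain: Optional[str],
                      dkim_result: str, dkim_domain: Optional[str]) -> str:
    """Return 'pass', or the domain owner's policy (none/quarantine/reject) when
    neither SPF nor DKIM both passes *and* aligns with the visible From: domain.

    spf_domain is the envelope MAIL FROM domain SPF was checked against;
    dkim_domain is the d= tag of a DKIM signature that verified."""
    tags = parse_dmarc(dmarc_txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "none"  # no policy published: the receiver is on its own
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none").lower()


if __name__ == "__main__":
    ceo = '"CEO" <ceo@example.com>'
    # Forged From: sent through the attacker's own server: SPF passes for the
    # attacker's bounce domain but does not align, no DKIM -> reject.
    print(dmarc_disposition(ceo, DMARC_RECORD, "pass", "bulk.attacker.test", "none", None))
    # Legitimate mail relayed by the company's provider under a subdomain -> pass (aspf=r).
    print(dmarc_disposition(ceo, DMARC_RECORD, "pass", "mail.example.com", "none", None))
```

The point worth noticing is the alignment step: SPF passing for the attacker's own bounce domain counts for nothing, because the domain that passed is compared with the domain the user sees in the From: line. Equally, an email from examp1e.com with its own valid SPF and DKIM records sails through, which is why DMARC complements, rather than replaces, the look-alike checks above.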
Whale Watching Your Email
Whaling is a further specialization of spear phishing that targets a specific user high up in the organization, such as the chief financial officer (CFO) or chief executive officer (CEO). It is also known as CEO or CFO fraud, since those leadership positions are the biggest fish to hook.
In a whaling scam, the CEO, CFO, or other senior target receives an urgent email claiming to come from a company employee, partner, or colleague. The email will typically request sensitive data, anything from a password or access to an account to a transfer of money.
The methods for avoiding becoming a whaling victim are the same as those in the spear phishing section above. Cybersecurity awareness training and email filters that scan for malicious links and attachments are a necessity. Again, watch for misspelled words, poor grammar, and changes to web or email addresses, which are often sure signs of a phishing email. Finally, promptly suspend or delete the email accounts of employees who are fired, leaving, or retiring, so an abandoned mailbox cannot be taken over and used for spear phishing or whaling.
Another insidious form of email phishing is the spoofed email, in which a cybercriminal sends you a message posing as a legitimate company or organization. Common examples are emails spoofing retailers and payment services such as Amazon or PayPal.
You may receive an email stating that your account has been suspended or even closed, or that a large purchase has been made. To “fix” the account, you are asked to click a link that is malicious, delivers malware, or leads to a fraudulent website built to capture your personal information. An upswing in this type of attack was reported in 2020, as more people shopped online than ever before.
Just as with other forms of email phishing, look hard at the language, spelling, and grammar in the body of the email. Some fraudsters are very good at using company logos to create authentic looking messages, so polish alone proves nothing.
Also look at the address the email came from; being even a single letter or digit off should signal that something isn’t right. You can always log in to your account separately, by typing the address yourself or using a bookmark, or contact the retailer by phone to make sure everything is on the up and up. That way you never have to click the link or visit a website that may be malicious. Avoid clicking shortened links as well: they hide the real destination and are often used to slip past secure email gateways.
Remember the SSL certificates mentioned earlier? They were one way to judge whether a site is secure. An address beginning with HTTPS rather than plain HTTP means the connection to that site is encrypted and the certificate matches the domain name you are visiting, which is why HTTPS is typically considered “safe.” It says nothing about who owns that domain, though. While most legitimate businesses now use HTTPS, the bad guys have caught on too, and with free, automated certificates a phishing site can show the padlock just as easily.
You may receive an email from a “partner” or “retailer,” for example, asking you to visit a site. It resembles other phishing emails, with one twist: it doesn’t ask for personal information in the email itself but sends you to a legitimate looking site that does the phishing.
There are a couple of ways to determine whether a link is legitimate. First, make sure the link is shown in its original, long-format form. If it is a shortened web address, or the full URL is not visible, ignore it and DO NOT click on it.
Another warning sign is that the links are hidden behind clickable text, whether “Click here” or even a different address written out, rather than shown in full. Hackers use these hypertext links to hide the actual destination and throw you off your defensive game; hovering over the link without clicking shows the real URL in most email clients and browsers, and that is the address to inspect. As mentioned above, look for replaced characters, underscores, and misspellings, even if the address is only one character off.
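The hover check can be done in bulk. The example below, added for this article and not code from the original page, pulls every link out of an HTML email body and flags the four tricks discussed in this section: plain HTTP, a shortened address, a raw IP address instead of a name, and visible text that names one site while the underlying link goes to another. `SAMPLE_EMAIL` is a constructed message that uses reserved .example and .test names and a documentation IP address; the shortener list is illustrative, not complete.

```python
# Added example: pull every link out of an HTML email body and flag the
# tricks discussed above. Not from the original article; SAMPLE_EMAIL is a
# constructed message using reserved .example/.test names and a documentation IP.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public URL shorteners commonly abused to hide a destination (illustrative list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# Does a piece of visible text itself look like a URL or bare host name?
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def inspect_links(html: str) -> list:
    """Return one record per link with its list of red flags (empty list = nothing found)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        flags = []
        if url.scheme == "http":
            flags.append("plain http")
        if host in SHORTENERS:
            flags.append("shortened url")
        if IPV4.fullmatch(host):
            flags.append("raw ip address")
        shown = HOST_IN_TEXT.search(text)
        if shown:  # the text displays an address: compare it with where the link really goes
            shown_host = strip_www(shown.group(1).lower())
            if shown_host != strip_www(host):
                flags.append(f"visible text points to {shown_host} but href goes to {host}")
        findings.append({"href": href, "text": text, "flags": flags})
    return findings


SAMPLE_EMAIL = """
<p>Your account has been limited. Restore access at
<a href="https://bigbank-login.attacker.test/verify">https://www.bigbank.example/</a></p>
<p>Or use this link: <a href="http://bit.ly/3xmpl">Click here</a></p>
<p>Track your order: <a href="https://www.example.com/orders">https://www.example.com/orders</a></p>
<p><a href="http://203.0.113.5/reset">Reset password</a></p>
"""

if __name__ == "__main__":
    for finding in inspect_links(SAMPLE_EMAIL):
        print(finding["href"], "->", finding["flags"] or "ok")
```

The first link is the classic case: the text the reader sees is the bank's real address, but the href underneath is somewhere else entirely, and only hovering (or parsing, as here) reveals it. A flag-free result does not make a link safe, since a look-alike domain shown in full passes all four checks; it only means none of these particular tricks was used.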
Clone phishing leverages a service or message the target has used or received before. For example, bad actors know that many businesses use apps such as DocuSign that legitimately send emails asking you to click a link. A smart cybercriminal copies one of those notifications, swaps in a link to a DocuSign-style “contract” of his own, and sends it to an unsuspecting employee to wreak havoc with ransomware or other malware.
To identify clone phishing, watch for unexpected emails or timing that seems “off.” If you get an email asking you to click a link, open an attachment, or “sign” something you weren’t expecting, call the sender, even a trusted partner, client, or colleague, to be sure it is legitimate. Also, don’t answer questions, click links, or open attachments in emails requesting personal information, especially when that service provider has never asked for it before.
For more information regarding email scams and how to prevent yourself and your employees from becoming victims, contact Stonebridge MSP today at (520) 834-8783. The call is free and there’s no obligation.