How To Arm Your Company Against Email Phishing Scams (and why it matters now more than ever)
It’s called phishing because they drop bait into your inbox.
They try to hook you with an urgent warning that requires your immediate action.
They ask for sensitive information while posing as a trusted source, and threaten the loss of valuable assets if you don’t act instantly.
And time and time again, experienced, knowledgeable, and seemingly well-protected organizations get baited, hooked, and scammed by a phishing email.
We’re calling attention to this topic because it’s our role as a managed service provider to inform, equip, and prepare our clients (and all technology-reliant companies) so their networks and people stay safe, and so their profits aren’t wrecked by these digital deviants.
Why Protecting Your Company Against Email Phishing Scams Matters Now More Than Ever
Even though email phishing scams have been around since the dawn of the World Wide Web, a frightening combination of factors continues to make this a very real threat, even to companies that are tech-savvy and have up-to-date systems and procedures.
For one, the fast-paced mobile lifestyle isn’t helping.
24/7 access to the internet and email, along with the need for rapid response, have made organizations more vulnerable to these phishing scams because employees are taking less time to verify the source and substance of the emails in their inbox.
Reading on a 6-inch screen while walking through the airport or covertly responding to an email under the table during a meeting are not prime examples of employees “having their guard up” against fraudulent emails and websites.
And the scammers know that people in a rush are click-happy – all it takes is some really fresh bait to hook someone who’s half-paying attention, and before they can blink, they’ve been phished.
Even when scammers aren’t going after easy, distracted targets, their methods are becoming more sophisticated and increasingly difficult to recognize.
They can mimic well-known websites with striking accuracy, send authoritative emails (seemingly) from trusted institutions, craft a malware download that looks like the average PDF, and much more.
They can paralyze your system, hold it hostage for a ransom, or simply steal private information to be used in another capacity.
These breaches aren’t a mere annoyance; they’re expensive.
On average a phishing scam for a mid-sized company can cost upwards of $1.5 million; over $16 billion was taken by identity thieves in 2017; the US government is spending 37x more on cyber security today than they did just 10 years ago.
Businesses that frequently send money internationally via wire transfer are especially vulnerable, and this segment of industry is estimated to lose about half a billion dollars each year to email phishing scams.
These email phishing scams are growing more costly, and between the breaches and protection efforts, 2018 might be the most expensive year yet.
So while phishing scams are not new, the combination of malevolent technical prowess and a less-than-thorough examination of inbox contents makes this security issue just as important in 2018 as it’s ever been.
And because email (with attachments) continues to be the number one method of delivering these scams, employees – more than networks or servers – remain the greatest vulnerability.
Therefore, the person responsible for a company’s IT systems also has the responsibility to keep their team up-to-date on recent scams and how to identify and react to phishing attempts.
Types of Email Phishing Scams
Phishing is an umbrella term defining any malicious activity that’s meant to deceive an individual or organization in an attempt to obtain sensitive information or distribute some form of malware.
Over the years, techies and security experts have come up with a myriad of names to describe and classify the different types of attacks.
Here are a few of the most common types:
Spear Phishing is a targeted type of email phishing in which the attacker uses personalized information to trick individuals into believing the email has come from a legitimate and trusted source.
Picture the “postal service” sending an email saying your package is waiting for you and will be returned to sender unless you click here now and provide your SSN and address. Or a subscription service like Netflix emails you saying that your payment information was declined and you must update it now by clicking the link. Those are common examples of Spear Phishing.
Clone Phishing is another form of targeted attack that uses an exact or near-exact clone of a previously sent email from a trusted sender, but the attacker has substituted the original attachment or link with a malicious file or fraudulent website that infects a system or tries to obtain personal information.
For instance, if a scammer knows that you are in fact subscribed to Netflix, they may send you an exact replica of an email you’ve previously received, with an added remark such as “You are receiving this email again because you failed to confirm your details. This will be our last attempt to contact you. Click here now.” Don’t click there.
Whaling applies the same techniques as Spear or Clone Phishing, except the attack is executed on CEOs and other big fish (higher-ups), whose information is far more useful than that of lower-level employees.
Oftentimes, the content of these emails is ultra-serious (think letters from the FBI or local police, the IRS, key accounts, indispensable vendors, or “other executives” within the company who need a password for some urgent reason). These emails often incite action through fear.
Link Manipulation is a method scammers use to insert a seemingly trustworthy link into an email, which actually directs to a replicated website where the user is instructed to input sensitive login or personal information.
The URL of the link might be slightly misspelled (mybank.com/member-login vs. mybanlk.com/member-login) or utilize subdomains for deception (mybank.com/member-login vs. my.banlk.com/member-login). Usually, the scammers simply use text like “Unsubscribe” or “Click Here” and the underlying link actually directs to a malicious website.
That’s why it’s important for employees to be paying attention to their inboxes.
For example, website forgery can be used to make it seem like you’re entering login info to access your bank account, but in reality the fraudulent website is capturing your information.
Hackers have replicated sites like Amazon to try to capture private information.
These types of forged websites are likely the destination of the false links mentioned in the Spear Phishing, Clone Phishing, and Whaling styles of phishing.
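As an added illustration (not code from the article or its author), here is a small Python check that does what the “hover over the link” advice does by hand: it pulls the real href out of an anchor tag, compares it with the text the reader sees, and compares the destination with the domain the email claims to be from, flagging the near-miss spelling (mybanlk.com) and subdomain tricks (my.banlk.com, mybank.com.example.net) described above. The sample anchor, the `registered_domain` helper and the edit-distance threshold are my own constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample anchor in the style of the article's examples (not from the article):
# the visible text looks like the bank, but the real href points elsewhere.
SAMPLE_ANCHOR = '<a href="https://my.banlk.com/member-login">https://mybank.com/member-login</a>'
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host: str) -> str:
    # Hypothetical helper: last two labels only. Production code should use a public-suffix list.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    # Standard Levenshtein distance, used to catch one-keystroke lookalike domains.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze_link(href: str, display_text: str, expected_domain: str) -> list:
    """Return human-readable red flags for one link; an empty list means nothing suspicious."""
    host = (urlparse(href).hostname or "").lower()
    expected = expected_domain.lower()
    flags = []
    # 1. Visible text is itself a URL whose domain differs from the real destination.
    shown_host = urlparse(display_text.strip()).hostname if "://" in display_text else None
    if shown_host and registered_domain(shown_host) != registered_domain(host):
        flags.append(f"text shows {shown_host} but link goes to {host}")
    # 2. Destination is not under the domain the email claims to come from.
    if registered_domain(host) != expected:
        flags.append(f"destination {host} is not under {expected}")
        if expected.split(".")[0] in host.split("."):        # brand name used as a subdomain
            flags.append(f"{expected} appears only as a subdomain of {registered_domain(host)}")
        elif edit_distance(host.replace(".", ""), expected.replace(".", "")) <= 2:
            flags.append(f"{host} is a near-miss spelling of {expected}")
    return flags

def analyze_html(html: str, expected_domain: str) -> dict:
    """Map every href in an HTML snippet to its red flags (what hovering reveals, automated)."""
    return {href: analyze_link(href, text, expected_domain) for href, text in ANCHOR_RE.findall(html)}
```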
This is certainly not an exhaustive list of email phishing scams (and new ones are popping up monthly). Keep a cautious eye and stay up to date with the latest cyberthreats.
How To Identify Email Phishing Scams
The tactics used in these kinds of phishing scams do have some tell-tale signs of fraudulence, and there are several preventative measures individuals and organizations can take.
When it’s not easily clear, take extra caution. For instance, the number one method of email phishing is through an alleged invoice attachment that actually contains malware. Those can be hard to identify.
Always double-check the details, and look out for these red flags:
- Poor spelling, grammar, or incorrectly used idioms. The attackers will often live in a different country from the one they’re attacking, and you can usually find examples of this in their writing.
- Check the salutation. Generic salutations are a red flag. Typically, professional businesses will address you by name (especially if the email is talking about your account or saying you need to take action).
- Undue sense of urgency -or- threats of account closures, removal of funds, discontinuation of service, etc. Be wary of an alarmist tone or threats of termination. More often, if something is a truly time-sensitive emergency for a business or individual, an email is replaced (or at least followed up) with a phone call.
- Easy money or a deal that’s too good to be true. It sounds unbelievable, but an uncomfortable number of attacks arise from an individual clicking on a link or attachment that promises money or perks. If an email sounds too good to be true or offers “free” money – Don’t Click It.
- Requesting charitable donations. Be wary of emails asking for charitable donations, especially after a natural disaster. Check the veracity of the charity by searching on Google, and always pay directly through the charity’s own website (with an “https://” address) if you choose to do so.
Altogether, paying extra attention to your inbox when you receive anything other than expected email will help keep you on your toes to spot these threats.
Fortunately, most signs are not difficult to detect once one knows what they’re looking for, and company-wide processes can be implemented to prevent attempts from becoming actual attacks.
Also, if you’re ever uncertain about an email, a quick Google search of the sender, subject line and some of the contents will quickly show you if others have received the same suspicious email.
What To Do If You Receive A Phishing Email
Now that you’re aware of different types of email phishing scams and how to identify them, you’re in a better position to deal with a fishy email should it arrive in your inbox.
Here are some best practices for what to do if you receive a suspicious email:
- Never Click a Link Without Checking: Any suspicious link can be verified by hovering your mouse over the text of the link and checking the status message in the lower right corner of your browser. This will show the true destination of the link in question. If you don’t recognize the link, you can search for it in Google. (N.B. If you’re on mobile, you can’t check the link in this way; wait until you return to a desktop before going any further.)
- Be Cautious With Attachments: Any attachment in an email you are less than 100% confident about should be treated with extreme caution. First, ensure you have strong anti-virus software installed on your devices. Don’t hesitate to call the sender to double-check the veracity of the email – they won’t fault you, and will be glad you’re aware.
- Keep Your Systems Updated: Be sure to keep your operating systems, browsers, email software, and apps updated with the latest versions. Many times these updates contain fixes of vulnerabilities. Yes, they might be annoying, but they’re there to help.
- Use the Tools Available: Email providers like Microsoft offer advanced email threat protection; use tools like these to stay as secure as possible.
- Go Directly to the Source: If you receive an email that’s allegedly from the technical support team of a service you use (like Microsoft, Adobe, or other online software), do not give them credentials or allow them access to your system. Instead, get on the phone and call the source directly.
- Create a Secure Method for Processing Wire Transfers: If your organization utilizes wire transfers, make sure there is a company-approved process for using this method. You can add a step where the processor requires a verification code that only your company knows and if the code is not provided, no transfer is issued.
- Manage and Check Email Servers: Work with your email provider to set up proper SPF (Sender Policy Framework) records. These are DNS records that tell the Internet which email servers are allowed to send email on behalf of your domain name. When you’re on the receiving end, ensure your email servers are configured to check that each incoming email was sent from a server the sending domain’s SPF record approves.
- Report Suspicious Emails: Report them to your company and your IT service (you might not be the only one receiving the email); report them to your email software (Microsoft Outlook, Gmail, the FTC, and others have functions that allow you to report suspicious emails and provide details of the email).
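To make the SPF point in the list above concrete, here is an added example (my own code, not from the article or any provider) of the check a receiving mail server performs: it reads the sending domain’s `v=spf1` record and decides whether the connecting IP address is authorized. The TXT records are constructed and looked up from an in-memory table so the example runs offline; only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented.

```python
import ipaddress

# Constructed DNS TXT records for example domains (not from the article) so this runs offline.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

def lookup_spf(domain, txt=FAKE_TXT):
    # Stand-in for a DNS TXT query: returns the domain's v=spf1 record, or None if it has none.
    rec = txt.get(domain.lower())
    return rec if rec and rec.startswith("v=spf1") else None

def check_spf(sender_ip, domain, txt=FAKE_TXT, depth=0):
    """Minimal SPF evaluation of one sender IP against one domain.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Supports ip4/ip6/include/all only; a, mx, exists and macros are not implemented."""
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qual = term[0] if term[0] in results else "+"   # default qualifier is "+"
        mech = term.lstrip("+-~?").lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            matched = ip.version == net.version and ip in net
        elif mech.startswith("include:"):
            # include: matches only if the referenced domain's record yields "pass"
            matched = check_spf(sender_ip, mech[8:], txt, depth + 1) == "pass"
        if matched:                     # first matching mechanism decides the result
            return results[qual]
    return "neutral"                    # no mechanism matched and no "all" term
```

A server that trusts this result would reject or quarantine mail returning "fail" and treat "softfail" as a strong signal for spam scoring.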
And it goes without saying – do not reply. Delete the email and flag the sender.
It was mentioned above but it warrants repeating: report suspicious emails to the IT managers and other staff members of the company.
More than 7 out of 10 Organizations Reported a Phishing Attempt Last Year
It doesn’t look like these kinds of attacks will go away soon, and it seems as if no industry is immune to these attempts.
By informing your team, keeping your systems up to date, and working with experienced IT professionals who can help arm your company against these threats, you can mitigate the risk of a cyberattack in 2018.
January 30, 2018