How To Spot a Phishing Email [2019 Update]
[Updated January 21, 2019]
2019 will be an even more eventful year for cyber attacks. It’s too late now to think that only major corporations or government institutions have a need for cybersecurity – Cybersecurity is for Every Company.
Email phishing will continue to be the main source of penetration for cyber criminals – many of whom are now backed by AI systems that can automate the processes, making these fake emails more sophisticated and harder to recognize.
- In a survey of over 1,300 IT decision makers, 56% of organizations identified targeted phishing attacks as their biggest current cybersecurity threat. (CyberArk)
- 76% of businesses reported being a victim of a phishing attack in the last year. (Wombat Security)
- Verizon reports that users in the U.S. open 30 percent of all phishing emails, with 12 percent of those targeted by these emails clicking on the infected links or attachments. (Verizon)
- Kaspersky’s Anti-Phishing system was triggered 246,231,645 times in 2017, which is something close to 91 million more than the previous year. (Kaspersky)
How To Spot a Phishing Email
The tactics used in these kinds of phishing scams do have some tell-tale signs of fraudulence, and there are several preventative measures individuals and organizations can take.
When it’s not immediately clear whether an email is legitimate, take extra caution. For instance, the number one method of email phishing is through an alleged invoice attachment that actually contains malware. Those can be hard to identify.
Always double-check the details, and look out for these red flags:
- Poor spelling, grammar, or incorrectly used idioms. The attackers will often live in a different country from the one they’re attacking, and you can usually find examples of this in their writing.
- Check the salutation. Generic salutations are a red flag. Typically, professional businesses will address you by name (especially if the email is talking about your account or saying you need to take action).
- Undue sense of urgency -or- threats of account closures, removal of funds, discontinuation of service, etc. Be wary of an alarmist tone or threats of termination. More often, if something is a truly time-sensitive emergency for a business or individual, an email is replaced (or at least followed up) with a phone call.
- Easy money or a deal that’s too good to be true. It sounds unbelievable, but an uncomfortable amount of attacks arise from an individual clicking on a link or attachment that promises money or perks. If an email sounds too good to be true or offers “free” money – Don’t Click It.
- Requesting charitable donations. Be wary of emails asking for charitable donations, especially after a natural disaster. Check the veracity of the charity by searching on Google, and always pay directly through the website (with an “https://” domain) if you choose to do so.
Altogether, paying extra attention to your inbox when you receive anything other than expected email will help keep you on your toes to spot these threats.
Fortunately, most signs are not difficult to detect once one knows what they’re looking for, and company-wide processes can be implemented to prevent attempts from becoming actual attacks.
Also, if you’re ever uncertain about an email, a quick Google search of the sender, subject line and some of the contents will quickly show you if others have received the same suspicious email.
Types of Email Phishing Scams
Phishing is an umbrella term defining any malicious activity that’s meant to deceive an individual or organization in an attempt to obtain sensitive information or distribute some form of malware.
Over the years, techies and security experts have come up with a myriad of names to describe and classify the different types of attacks.
Here are a few of the most common types:
Spear Phishing is a targeted type of email phishing in which the attacker uses personalized information to trick individuals into believing the email has come from a legitimate and trusted source.
Picture the “postal service” sending an email saying your package is waiting for you and will be returned to sender unless you click here now and provide your SSN and address. Or a subscription service like Netflix emails you saying that your payment information was declined and you must update it now by clicking the link. Those are common examples of Spear Phishing.
Common Examples of Spear Phishing
Examples of spear phishing take different forms. Some try to get you to click on a link which might lead to a website that downloads malware, a fake website that requests a password, or a site that contains advertisements or trackers. Other phishing attempts might ask you to provide sensitive personal information like a social security number, credit card details or banking information, or simply send some money.
Attacks on individuals
On a personal level, scammers might pose as a business you trust, for example, a bank or a store you’ve shopped at, online or in person. Think of an email looking like it comes from Netflix or Amazon: they could offer great deals, tell you you owe money or that an account is about to be frozen. They might even pretend to be someone you know, directly or indirectly. For example, posing as someone who went to your old school or is a member of your religious group could get you to open up.
A huge targeted attack occurred in 2015 when up to 100 million emails were pushed out to Amazon customers who had recently placed an order. The emails looked real, with a title of “Your Amazon.com order has dispatched,” followed by an order code. But instead of a message, the email only included an attachment. Opening the attachment ultimately led some recipients to install Locky ransomware, which involved a bitcoin ransom.
Attacks on businesses
Spear phishing is a very common form of attack on businesses too. Because it is so targeted, spear phishing is arguably the most dangerous type of phishing attack. A 2017 report by IRONSCALES revealed that spear phishing is increasingly laser designated, with 77% of emails targeting ten mailboxes or fewer. What’s more, their study found that one-third of attacks targeted just one mailbox.
Security firm RSA was targeted in a successful spear phishing attempt in early 2011. Two groups within the company were sent spear phishing emails simply titled “2011 Recruitment Plan.” Although the emails were marked as junk mail, one employee opened an email attachment that ultimately led to a form of malware being installed on the computer. The malware gave the attacker remote access and the ability to steal sensitive data.
The Chinese army has been accused of multiple spear phishing attempts aimed at stealing trade secrets from US companies. One of these was reported to target aluminum company Alcoa. In 2008, it’s suspected that hackers contacted 19 senior Alcoa employees via email, impersonating a board member of the company. Once opened, the mail installed malware on the recipients’ computers, resulting in the theft of almost 3,000 emails and more than 800 attachments.
Other types of Phishing Emails
Clone Phishing is another form of targeted attack that uses an exact or near-exact clone of a previously sent email from a trusted sender, but the attacker has substituted the original attachment or link with a malicious file or fraudulent website that infects a system or tries to obtain personal information.
For instance, if a scammer knows that you are in fact subscribed to Netflix, they may send you an exact replica of an email you’ve previously received, with an added remark such as “You are receiving this email again because you failed to confirm your details. This will be our last attempt to contact you. Click here now.” Don’t click there.
Whaling applies techniques similar to Spear or Clone phishing, except the attack is executed on CEOs and other big fish (higher-ups) whose information will be far more useful than that of lower-level employees.
Often, the content of these emails is ultra-serious (think letters from the FBI or local police, the IRS, key accounts, indispensable vendors, or “other executives” within the company that need a password for some urgent reason). These emails often incite action through fear.
Link Manipulation is a method scammers use to insert a seemingly trustworthy link into an email, which actually directs to a replicated website where the user is instructed to input sensitive login or personal information.
The URL of the link might be slightly misspelled (mybank.com/member-login vs. mybanlk.com/member-login) or utilize subdomains for deception (mybank.com/member-login vs. my.banlk.com/member-login). Usually, the scammers simply use text like “Unsubscribe” or “Click Here” and the underlying link actually directs to a malicious website.
That’s why it’s important for employees to be paying attention to their inboxes.
For example, website forgery can be used to make it seem like you’re entering login info to access your bank account, but in reality the fraudulent website is capturing your information.
Hackers have replicated sites like Amazon to try to capture private information.
These types of forged websites could likely be the destination from the false links mentioned in the Spear and Clone Phishing and Whaling styles of phishing.
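The signs described under Link Manipulation above (a misspelled domain, a deceptive subdomain, link text that names a different site than the link opens) can be checked automatically on the receiving side. This is an added example, not code from the original article; the `TRUSTED` allow-list, the helper names and the sample email body are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: constructed allow-list; constructed body reusing the article's two bad links.
TRUSTED = {"mybank.com", "netflix.com", "amazon.com"}
SAMPLE = """<a href="http://mybanlk.com/member-login">mybank.com/member-login</a>
<a href="http://my.banlk.com/member-login">Click Here</a>
<a href="https://mybank.com/help">Help</a>
<a href="https://example.org/unsubscribe">Unsubscribe</a>"""

class LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)  # reset at each <a>, read at its </a>
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
def base_domain(host):  # simplification: last two labels, not the Public Suffix List
    return ".".join(host.split(".")[-2:])

def lookalike(host):  # trusted domain that host nearly spells, with or without dots
    for t in sorted(TRUSTED):
        for a, b in ((base_domain(host), t), (host.replace(".", ""), t.replace(".", ""))):
            if SequenceMatcher(None, a, b).ratio() >= 0.85:
                return t

def check_links(html):  # -> [(href, reason)] for links whose destination looks deceptive
    collector, findings = LinkCollector(), []
    collector.feed(html)
    for href, text in collector.links:
        host = host_of(href)
        shown = base_domain(host_of(text)) if "." in text and " " not in text else ""
        if base_domain(host) in TRUSTED:
            continue
        if lookalike(host):
            findings.append((href, "lookalike of " + lookalike(host)))
        if shown and shown != base_domain(host):
            findings.append((href, "link text shows " + shown))
    return findings
```

Comparing the host name with its dots removed is what catches the subdomain trick, where the registered domain alone no longer resembles the trusted one.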
This is certainly not an exhaustive list of email phishing attacks (and new ones are popping up monthly). Keep a cautious eye and stay up to date with the latest cyberthreats.
It was mentioned above but it warrants repeating: report suspicious emails to the IT managers and other staff members of the company.
What To Do If You Receive A Phishing Email
Now that you’re aware of different types of email phishing scams and how to identify them, you’re in a better position to deal with a fishy email should it arrive in your inbox.
Here are some best practices for what to do if you receive a suspicious email:
- Never Click a Link Without Checking: Any suspicious links can be verified by hovering your mouse over the text of the link, and checking the status message in the lower right corner of your browser. This will show the true destination of the link in question. If you don’t recognize the link, you can search for it in Google. (N.B. If you’re on mobile, you can’t check the link in this way; wait until you return to a desktop before going any further.)
- Be Cautious With Attachments: Any attachments in an email that’s read with less than 100% confidence should be taken with extreme caution. First, ensure you have a strong anti-virus software installed on your devices. Don’t hesitate to call the sender to double check the veracity of the email – they won’t fault you, and will be glad you’re aware.
- Keep Your Systems Updated: Be sure to keep your operating systems, browsers, email software, and apps updated with the latest versions. Many times these updates contain fixes of vulnerabilities. Yes, they might be annoying, but they’re there to help.
- Use the Tools Available: Email services like Microsoft offer advanced email threat protection: use tools like these to stay as secure as possible.
- Go Directly to the Source: If you receive an email that’s allegedly from the technical support team of a service you use (like Microsoft, Adobe, or other online software), do not give them credentials or allow them access to your system. Instead, get on the phone and call the source directly.
- Create a Secure Method for Processing Wire Transfers: If your organization utilizes wire transfers, make sure there is a company-approved process for using this method. You can add a step where the processor requires a verification code that only your company knows and if the code is not provided, no transfer is issued.
- Manage and Check Email Servers: Work with your email provider to set up proper SPF (Sender Policy Framework) records. These are records that tell the Internet what email servers are allowed to send emails on behalf of your domain name. When you’re on the receiving end, ensure your email servers are configured to check that the email was sent from an approved email server.
- Report Suspicious Emails: Report them to your company and your IT service (you might not be the only one receiving the email); report them to your email software (Microsoft Outlook, Gmail, the FTC, and others have functions that allow you to report suspicious emails and provide details of the email.)
And it goes without saying – do not reply. Delete the email and flag the sender.
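To illustrate the receiving-side SPF check from the "Manage and Check Email Servers" item above, this added example (not from the original article) evaluates a connecting IP address against a domain's SPF record. The domains, records and IP addresses are constructed placeholders, the `TXT` dict stands in for DNS lookups, and only the `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption): placeholder domains only.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mailer.example ~all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "weak.example": "v=spf1 ip4:192.0.2.0/24 +all",  # +all authorises every sender
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, txt=TXT, depth=0):
    """Evaluate ip against domain's SPF record, left to right, first match wins."""
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                      # domain publishes no SPF policy
    if depth > 10:                         # include-loop guard (RFC 7208 caps lookups at 10)
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"   # default qualifier is "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_spf(ip, value, txt, depth + 1)
            if inner in ("none", "permerror", "unsupported"):
                return "permerror"         # an include that cannot be evaluated
            matched = inner == "pass"      # only an inner pass counts as a match
        elif name == "all":
            matched = True
        else:
            return "unsupported"           # a, mx, exists, redirect need live DNS
        if matched:
            return RESULT[qualifier]
    return "neutral"                       # nothing matched and no "all" term
```

The `weak.example` record shows why the final term matters: with `+all`, a server outside the listed range still gets `pass`, while `-all` or `~all` marks it `fail` or `softfail`.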
Why Protecting Your Company Against Email Phishing Attacks Matters Now More Than Ever
Even though email phishing scams have been around since the dawn of the World Wide Web, a frightening combination of factors continues to make this a veritable threat, even to companies who are tech-savvy and have up-to-date systems and procedures.
For one, the fast-paced mobile lifestyle isn’t helping.
24/7 access to the internet and email, along with the need for rapid response, have made organizations more vulnerable to these phishing scams because employees are taking less time to verify the source and substance of the emails in their inbox.
Reading on a 6-inch screen while walking through the airport or covertly responding to an email under the table during a meeting are not prime examples of employees “having their guard up” against fraudulent emails and websites.
And the scammers know that people in a rush are click-happy – all it takes is some really fresh bait to hook someone who’s half-paying attention, and before they can blink, they’ve been phished.
When the scammers aren’t looking for easy, distracted targets, their methods are becoming more sophisticated and increasingly more difficult to recognize.
They can mimic well-known websites with striking accuracy, send authoritative emails (seemingly) from trusted institutions, craft a malware download that looks like the average PDF, and much more.
They can paralyze your system, hold it hostage for a ransom, or simply steal private information to be used in another capacity.
These breaches are an annoyance and they’re expensive.
On average a phishing scam for a mid-sized company can cost upwards of $1.5 million; over $16 billion was taken by identity thieves in 2017; the US government is spending 37x more on cyber security today than they did just 10 years ago.
Businesses that frequently send money internationally via wire transfer are especially vulnerable, and this segment of industry is estimated to lose about half a billion dollars each year to email phishing scams.
These email phishing attacks are growing more costly, and between the breaches and protection efforts, 2018 might be the most expensive year yet.
So while phishing scams are not new, the combination of malevolent technical prowess and a less-than-thorough examination of inbox contents makes this security issue just as important in 2018 as it’s ever been.
And because email (with attachments) continues to be the number one method of delivering these scams, employees – more than networks or servers – remain the greatest vulnerability.
Therefore, the person responsible for a company’s IT systems also has the responsibility to keep their team up-to-date on recent scams and how to identify and react to phishing attempts.
More than 7 out of 10 Organizations Reported a Phishing Attempt Last Year
It doesn’t look like these kinds of attacks will go away soon, and it seems as if no industry is immune to these attempts.
By informing your team, keeping your systems up to date, and working with experienced IT professionals who can help arm your company against these threats, you can mitigate the risk of a cyberattack in 2018.