October is Cybersecurity Awareness Month.
It’s our chance to sharpen our cybersecurity skills and learn ways to avoid security threats. Plus, we can have some fun while we’re at it!
This month, we’re taking an adventure into the Wild, Wild Net.
Each week, we’re going to track down the most notorious cyber bandits. And show you how to protect your business and employees against their deadly attacks.
For this week, our most wanted criminal is the Phisher.
Are you familiar with this outlaw?
Chances are that you’ve found a phishing email in your inbox before. They are becoming more common. And trickier to spot!
Today, we’re going to show you how to identify a phishing email. And what to do once that phishing email is in your inbox.
But first, let’s cover the basics of phishing attacks.
What is Phishing?
Fishing is the art of dangling bait to catch a meal.
Phishing is the art of dangling bait to catch a person. Phishers impersonate friends, family, companies, or authorities. Under this disguise, they dangle offers or threats to attract attention.
Then, when someone takes that bait, the phisher harvests their information or money.
Thanks to the internet, phishing is very common today.
Phishers send emails to engage you, asking you to click on a link or download an attached document. Bait includes things like financial incentives, job offers, and missed payments.
A phisher’s goal is to steal money and data — or get you to download infectious malware.
How does Phishing Work?
Phishing starts with a deceitful email, where the attacker tries to lure a victim. A phishing message looks like it comes from a trusted sender, like a bank.
A phishing email often includes bad links.
Once the victim clicks on a phishing link, they are taken to the Phisher’s website. From there, the hacker will often capture the victim’s confidential information.
In other cases, the victim will open up a malicious email attachment. This attachment then downloads malware onto the target’s computer.
3 Common Types of Phishing Attacks
Deceptive Phishing
Deceptive phishing is the most common type of phishing attack. In this type, an attacker steals confidential information from the victims and then uses it to loot money or launch other attacks.
Spear Phishing
Spear phishing targets specific individuals instead of casting a wider net. Attackers often research their victims on social media. In turn, the attacker customizes their communications to appear more authentic.
Whaling
Whaling is when an attacker goes after a high-profile target, such as a CEO. These attackers often spend considerable time profiling their target to steal login credentials. Whaling can be extremely dangerous for businesses because executives often have access to more company data.
How to Identify a Phishing Email?
In the phisher-infested Wild, Wild Net, you can’t let anyone lead you on!
Plain old skepticism is your best defense against phishing. Phishers want you to act without questioning what they’re telling you. That’s because their stories usually can’t hold up to closer inspection.
Like a good detective, you must be hyper-aware. Don’t take things at face value. Instead, you should look over the email with a fine-tooth comb before replying or clicking a link.
Here are the telling signs that you are dealing with a phishing email:
Sender’s Email Address
The first question you should be asking yourself is: does the email address look fishy?
For example, let’s say you get an email saying it is from Your Bank, but the email address is strange. The address is YourBank@hotmail.com. That should be a red flag. The sender’s email, especially from a bank, should not be using a public account, like Hotmail, Gmail, Yahoo, etc.
Incorrect URLs
Hackers use fake sites to steal your information. Before you click on an email’s URL, you need to make sure that the URL is taking you to a legitimate site.
How do you find that out? If you’re on a computer, hover your mouse over the link to see a preview of the link’s real destination in the status bar. The status bar is at the bottom left-hand corner of the browser or mail client window.
For example, let’s say you get an email from “Target”. The URL in the email should take you to Target.com. If you see something other than Target.com in the status bar, you should not follow that link.
Nosy Requests
Odd requests are huge red flags. Legitimate banks and other companies will never ask for personal credentials via email. You should be suspicious of all emails requesting your sensitive information.
Your Name
Does the email in question use your name? Phishing emails will often address the receiver as a “valued customer” or something similar.
Also, if your name is misspelled, proceed with caution. Remember, if this email is legitimate, then that company will have the correct info on file.
Typos
Real businesses are serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully; if something seems off, don’t click on anything.
Ask an expert
If you do not know whether an email is real or fake, ask an expert. If your company uses an IT service provider, call the help desk. And leave the guesswork to the experts.
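The three checks above that a machine can do for you (sender address, link destination, generic greeting) can be scripted. The following is an added example written for this post, not code from the original article or from any vendor: it parses a raw email with Python’s standard library, compares the sender’s mailbox domain against the domain the message claims to be from, compares each link’s real destination against that same domain, and looks for a generic greeting. The sample messages, the public webmail list, and the expected_domain parameter are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list: webmail domains a bank or retailer would not send official mail from.
PUBLIC_MAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com", "outlook.com", "aol.com"}
# Constructed list of greetings that avoid using the recipient's real name.
GENERIC_GREETINGS = ("valued customer", "dear customer", "dear user", "dear member")


class LinkExtractor(HTMLParser):
    """Collect (href, visible link text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain):
    """Return the lowercase host of a URL, or of a bare domain such as 'Target.com'."""
    text = url_or_domain.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def same_site(host, domain):
    """True if host is domain itself or a subdomain of it (not merely a suffix match)."""
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw_message, expected_domain):
    """Return the red flags found in one raw email message.

    expected_domain is the domain the sender claims to represent (e.g. 'yourbank.com');
    the sender's mailbox and every link in the body are expected to stay on that domain.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # 1. Sender's email address: display name vs. the mailbox domain actually used.
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    if sender_domain in PUBLIC_MAIL_DOMAINS:
        flags.append(f"sender uses public webmail domain {sender_domain} while claiming to be '{display_name}'")
    elif not same_site(sender_domain, expected_domain):
        flags.append(f"sender domain '{sender_domain}' does not belong to {expected_domain}")

    # 2. Incorrect URLs: where each link really goes, regardless of its visible text.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    extractor = LinkExtractor()
    extractor.feed(content)
    for href, text in extractor.links:
        target = host_of(href)
        if not same_site(target, expected_domain):
            flags.append(f"link '{text}' goes to {target}, not {expected_domain}")

    # 3. Your name: a generic greeting instead of the recipient's name.
    if any(greeting in content.lower() for greeting in GENERIC_GREETINGS):
        flags.append("generic greeting instead of recipient's name")

    return flags


# Constructed sample modelled on the fake bank notice described in the post.
SAMPLE_PHISH = """\
From: Your Bank <YourBank@hotmail.com>
To: you@example.com
Subject: Unusual activity on your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear valued customer,</p>
<p>Please visit <a href="http://yourbank-verify.example.net/login">yourbank.com/login</a> to confirm your details.</p>
</body></html>
"""

# Constructed sample of a message that passes all three checks.
SAMPLE_LEGIT = """\
From: Your Bank <alerts@yourbank.com>
To: you@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello Jane Doe,</p>
<p>Your statement is available at <a href="https://www.yourbank.com/statements">yourbank.com/statements</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample, "yourbank.com"))
```

The same_site helper matters more than it looks: a plain suffix test would accept a host like notyourbank.com as part of yourbank.com, which is exactly the kind of look-alike domain a phisher registers. Run against the two constructed samples, the first message produces three flags (webmail sender, off-site link, generic greeting) and the second produces none.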
3 Examples of Phishing Emails
Hopefully, by now, you understand how to spot a phishing email. But we’re going to hit that point home with the following examples.
Below are 3 common examples of phishing emails. And please, feel free to share this information with your colleagues. The more people in the know about phishing, the better off everyone will be in the Wild, Wild Net.
COVID-19 Related Attacks
COVID-19 phishing attacks are becoming increasingly common. And they show no signs of stopping.
Here is an example of a phishing CDC alert:
In this example, the phishing email looks like it is from the US Centers for Disease Control and Prevention. And it looks official, right?
But here’s the deal. That link does not go to the CDC government website.
Instead, it takes the end-user to a malicious website.
And if we go back to our “telling signs” of a phishing email, we know to check the URL before clicking by hovering over the link. This action shows us a preview of the link’s real destination in the status bar.
In this example, the status bar wouldn’t show www.cdc.gov. It would show something suspicious like the following:
And that is a red flag.
Tech Support Scams
Online retailers and services use email to communicate security updates to their customers. For example, they’ll message customers when they detect unusual activity.
Naturally, cyber criminals in the Wild, Wild Net are using this to their advantage.
Take this example of a fake PayPal security notice into consideration:
The first red flag in this example is the sender’s email address. An official PayPal email would not come from an Outlook account. Instead, it would come from PayPal.com.
Second, the wording in this email seems off. Why does PayPal need YOUR help? Not to mention, the sentences are not grammatically correct.
Lastly, if you hover over the links, you’d likely catch that this is a phishing email. That’s because those links aren’t going to take you to PayPal.com.
Delivery Message Scams
With the holidays around the corner, you should prepare for more delivery scams in your inbox.
Delivery phishing emails often entice you by saying your package is on its way, or that a package delivery was unsuccessful.
And it’s tricky to spot these emails because tracking emails are so common. We expect when we order an item to get a tracking email. It’s second nature.
So, can you spot what is off in this “UPS” email?
While the graphics seem legitimate, they don’t quite add up. The message is about tracking a parcel, but the header graphic says, “UPS Billing Center”. Those are two separate departments.
But the even more obvious red flag is the sender email. That email address is clearly not a UPS email account. Nice try, Phisher!
What to Do if You Received a Phishing Email?
Let’s say that a few days from now, you receive a phishing email, and you realize it is a phishing email almost immediately. Now what?
First, nothing infects your computer if you don’t click on any links, open any attachments, or respond. So, make sure you don’t click on anything.
If your company uses a managed service provider for IT, give your support desk a call. Explain that you received a phishing email and follow their protocols for how to handle it.
If you received the phishing email on a personal email account, then the next step is to mark the sender as Junk or Spam.
You won’t want to get any more emails from the Phisher who sent this one. Mark it as spam or junk, and your email provider will block any further mail from that address.
Finally, you should delete the email. Usually, this sends it to the recycle bin or deleted items folder, so remove it from there as well. There’s no need to keep it after you report it.
And now you can breathe a sigh of relief because you avoided a cyberattack. Nice!
Concluding Thoughts
The Wild, Wild Net is filled with notorious cybercriminals. But if you continue your cybersecurity awareness training, you’ll be two steps ahead of them.
And when it comes to phishing attacks, user error is what they’re betting on.
Stay vigilant!