We are seeing a large spike in email phishing attacks across the board, both targeting our clients as well as their customers. These types of attacks are not new, but remain effective because the attackers are relying on a set of human behaviors that are predictable and exploitable. Gone are the days when scam emails were laughably obvious with their broken English and strange phrasing. The most successful attempts are now exploiting already-compromised email accounts, social media content and other publicly available information to make the phishing emails indistinguishable from genuine emails by using phrasings, nicknames and familiar work tasks or project language in the body of the email. This becomes even more effective when the potential victim is rushed, distracted, tired or too trusting. Up until recently, this level of effort was reserved for “whales” – principals of large companies, government officials and other, traditional “high-value” targets, but now we are seeing sophisticated phishing emails aimed at all levels of professionals.
What does this mean for you?
At the moment, there is no hardware, software or “silver bullet” that you can employ to combat this level of trickery except being constantly vigilant and knowing what to watch out for. To that end, I’ll try to highlight some of the common features of phishing emails which will help you spot them as long as you keep your guard up.
All phishing emails will typically have one of these goals:
- Get a password from you
- Get you to send money to an account
- Get you to reveal sensitive information that can be used to get to #1 or #2.
- Get you to install malware on your device
To that end, these emails typically follow a small handful of scenarios. They will likely contain:
- Links to requested information that require you to “authenticate” using your login and password
- Attachments that need a login and password to be viewed
- Requests for you to reply via email with a pin or secret word to verify your identity
- Links to install an app that is supposedly required to view your requested files/information
Seeing as some of these tasks are also common in legitimate transactions, you’ll need to look for the second indicator that the email is not real: in most cases, phishing emails will not actually be from the sender they purport to be.
- Check the actual sender’s address. How to check the actual sender’s address varies based on the device and platform, but you should absolutely know how to do this on whatever device, app or program you use to read your email. In Outlook, the actual sender’s address is typically easy to see, but on mobile devices this may not be the case, so don’t just assume the sender is legit unless you can 100% verify it. It is trivially easy to spoof a sender’s email address, and in most programs just as easy to spot as long as you are paying attention.
- Does the sender’s address match the content of the email? This week several of my clients received emails notifying them that their Office 365 passwords needed to be reset, but the emails were sent from addresses that were clearly not Office 365 (in this example, “webex.com”). This is a dead giveaway as long as you know what the actual sender’s address should be. Check other known-good emails from the customer or platform in question, look at a recent bill or invoice, or check Google – but make sure you verify – don’t just trust the top search result blindly.
- The email address looks legit. What now? This is easy – pick up the phone and verify that the sender actually sent that email. If this is a customer and they did, they shouldn’t be annoyed that you were being cautious. If they didn’t, you just gave them a heads up that their account may be compromised. If the email appears to come from a large company, you will want to verify by going to the website by manually typing in the website address or by calling the phone number that appears on your official bill. Do NOT rely on any information in an email to be genuine if you are at all suspicious, regardless of how authentic it looks.
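The two header checks above (does the real sender address belong to the service the email claims to be from, and does the reply go back to the same place) can be automated as a first filter. The following is an added example written for this post, not a tool the author uses; the sample messages are constructed to mirror the Office 365 / webex.com case described above, and the list of "known-good" domains is an assumption you would replace with domains you have verified yourself from a bill or by typing the site address in manually. A clean result from a check like this is not proof the email is genuine, which is why the post still tells you to pick up the phone.

```python
"""Check an email's actual sender against the brand it claims to be from.

Added example for this post (not the author's code). Uses only the standard
library, so it runs offline on a raw message string.
"""
from email import message_from_string
from email.utils import parseaddr

# ASSUMPTION: domains you have personally verified for each brand an email
# might claim to be from. Replace with your own verified list.
KNOWN_GOOD_DOMAINS = {
    "Office 365": {"microsoft.com", "office.com", "microsoftonline.com"},
}

# Constructed sample: display name says "Office 365", real address does not,
# and replies are steered to yet another domain.
SAMPLE_PHISH = """\
From: "Office 365 Support" <noreply@webex.com>
Reply-To: accounts-verify@example.net
To: user@example.com
Subject: Your Office 365 password needs to be reset

Your password expires today. Please authenticate to keep your mailbox.
"""

# Constructed sample of what a legitimate notice would look like header-wise.
SAMPLE_GENUINE = """\
From: "Microsoft account team" <account-security-noreply@accountprotection.microsoft.com>
To: user@example.com
Subject: Unusual sign-in activity

We noticed a new sign-in to your account.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_known_good(domain, brand):
    """True if `domain` is a verified domain (or subdomain of one) for `brand`."""
    good = KNOWN_GOOD_DOMAINS.get(brand, set())
    return any(domain == g or domain.endswith("." + g) for g in good)


def sender_check(raw_message, claimed_brand):
    """Return a list of (finding, detail) tuples; an empty list means the
    sender headers are consistent with the claimed brand."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = domain_of(msg.get("From"))
    if not from_domain:
        findings.append(("no_sender_address", ""))
    elif not is_known_good(from_domain, claimed_brand):
        # The post's "dead giveaway": the real address is not the brand's domain.
        findings.append(("from_domain_unknown", from_domain))

    # Replies routed to a different domain than the visible sender are another
    # mismatch worth flagging, even when the From domain looks right.
    reply_to_domain = domain_of(msg.get("Reply-To"))
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(("reply_to_mismatch", reply_to_domain))

    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("genuine", SAMPLE_GENUINE)):
        print(label, sender_check(sample, "Office 365"))
```

Run it as-is to see the constructed phish flagged on both checks and the genuine notice pass; in practice you would feed it the raw message source your mail client exposes ("view source" or "show original").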
Though it may feel like you need to have the observational skills of Sherlock Holmes and the paranoid vigilance of Mad-Eye Moody, there are a few simple but critically foundational practices that anyone can adopt to safeguard and insulate themselves from attacks like this:
- Use unique, hard-to-guess passwords for all important accounts, and pay attention when using them. Every. Single. Time.
- Don’t store your passwords in an unsecured document on your computer, or in a single physical place (little black book) that could be lost or destroyed.
- Make sure your malware protection is active and you understand how to check its status.
- Have recent backups of all your important data stored in the cloud.
- Pay close attention to everything you do on your device screens. The criminals only need you to be careless once.
Image Courtesy of Stuart Miles at FreeDigitalPhotos.net