Phishing emails are the most common threat to medium and small businesses, which is why we have created this special section.
People are generally friendly and often willing to help and extend the benefit of the doubt in unclear or ambiguous situations. From a hacker’s perspective, however, each one is a potential security vulnerability that can be exploited.
It’s no surprise then that the vast majority of data breaches include some element of “social engineering”—the practice of manipulating an employee into doing something that compromises security. When this happens through email, text messages, or social media, it’s called “phishing”.
A successful phish can deliver powerful ransomware, designed to lock down your business applications until you pay ransom money.
Ransomware is just the most recent of an ever-growing variety of malware, including viruses, worms, Trojan horses, spyware, adware, and scareware, that is generally designed to destroy, hold to ransom, spy on, steal from or extort your business.
Phishing can be automated, so it happens at incredible scale: the average internet user now receives 16 phishing emails each month.
CrossKey believes the best defense against these kinds of attacks is to build a strong internal culture of security and that takes training and education.
What follows is a very high-level look at signs of phishing attacks, some examples of what these attacks look like and advice for how employees can protect themselves.
How phishing works
Phishing email messages are diverse, from crude, grammatical-error-ridden spam to sophisticated “imposter” emails that a talented web designer spent hours making indistinguishable from the real thing.
The essence is that phishing messages attempt to trick you into thinking they’re coming from someone you trust, and they want you to do something, usually with some urgency.
Phishing relies on “spoofing”. Spoofing is a technique used by cyber criminals to forge a domain name, phone number, email address, or IP address and use it for unlawful purposes. Email is by far the most widely used form of spoofing. The objective of a spoofed email is to trick a user into thinking the email they are receiving is from a legitimate source and coerce them into taking some form of action.
“Clone phishing” is where a legitimate and previously delivered email is used to create an identical email with malicious content. The cloned email will appear to come from the original sender but will be an updated version that contains malicious links or attachments.
Two more phishing-related terms are useful: “Spear phishing” is where the phisher is deliberately attacking a specific person in your business and has crafted an email containing personal information to make them click.
“Whaling” is a specific type of spear phishing that targets a big phish, often a board member or a senior employee with access to some particularly valuable assets.
There are four main categories of things the phishing email will ask you to do:
- Enter your login credentials into a fake login form
- Go to a webpage where there is a script that exploits some weakness to get your machine to do something without your knowledge
- Download a file which contains a damaging “payload” of code or malware
- Take some action like wire money, reveal confidential information or give the attacker access to some resource
Whenever you get an email that wants you to do something like this, at least stop and think.
The scope of the problem
Recent studies give a sense of the scope of the phishing threat:
- 91% of all cyber attacks start with a phishing email
- One in every 2,000 emails sent globally is a phishing email
- By one industry estimate, 97% of people around the globe are unable to identify a sophisticated phishing email
- Spoofing and phishing attempts have grown 65% in the last year
- 76% of businesses reported being a victim of a phishing attack in the last year
- 30% of spoofing messages get opened by targeted users and 12% of those users click on the malicious attachment or link
- 95% of all attacks on enterprise networks are the result of successful spear phishing
- 1.5 million new phishing sites are created each month
A Guide to Common Phishing Attacks
The following are examples of actual phishing emails gathered by security professionals in the field. Each is representative of a different genre of common phishing attack, and highlights some features that are useful in spotting them.
Most phishing emails will try to create a sense of urgency for their request as a way of getting you to override your better judgment and comply with the request.
The deactivation threat is often one of the easiest ways to do this because the attacker doesn’t need to know anything about you or your organization other than that you use — or are likely to use — a common service, in this case Netflix. This is easy for an attacker to learn, but it’s usually a safe guess even if it can’t be determined.
Emails from your boss
We react quicker and second guess less when a request comes from someone that has authority, or someone we trust.
So it’s not surprising that impersonating someone’s boss is a very common way to disguise a phishing email. It’s trivial to find out who the CEO and executive leadership is for most companies, and in the age of LinkedIn determining reporting relationships is not much harder.
In this case, we also see a good example of a pretext for an unusual request coupled with a very urgent framing. You might think it would be difficult to get someone to send money in this way, but authority and urgency are a powerful combination.
These emails can also ask for less dramatic things, like logins to critical business software — “I have forgotten the darn login….” — imagine giving entry to software managing executive board minutes, for example.
Emails that look like they come from internal IT or a software provider
At first glance, this email looks like it came from your IT department or possibly from Microsoft and it concerns your email account and an upgrade.
This email also illustrates some of the telling signs to look for, which have been circled in red. There is often curious grammar or misspelling, commonly caused by scammers translating from their native language into English.
Government/Law enforcement spoofing
Keeping with the theme of appeals to authority, emails from government and law enforcement agencies are another common phishing tactic.
Common agencies to spoof are the FBI and the IRS, especially around tax time. In some cases, these are threats—you’ve done something wrong and need to respond immediately with your personal information, or you’ll be in trouble.
But this style of email can play on hope as well as fear, as with this recent example where fraudsters dangled the possibility of restitution from earlier rip-offs, perhaps trusting that people who’d already been fooled once would likely be fooled again.
Spoofed File Sharing
Sharing and collaboration are everywhere in business today, and so is collaboration software. When you share a file, a folder or access with someone on a cloud service like Dropbox, Slack or Google Drive, it generates an email notification.
This is an excellent pretext for phishing, as it’s common for people to simply click through these notification emails without thinking about them too much.
When you get a file sharing email, it’s safer to navigate to the cloud provider directly and look for the file rather than clicking through from the email.
Fake invoices/Refunds/Payment confirmation
Source: C. Spike Trotman
Much like cloud storage, accounting and invoicing services generate emails that are easily spoofed by attackers. This genre of phishing attack often directly targets the accounting department, which can receive dozens of such emails each week and thus is unlikely to read all of them closely.
Desire for a quick payout or fear of being charged for missing a payment work to create a sense of urgency that ups the chances that this kind of attack will be successful.
Text message and social phishing
It’s still common to think of phishing in terms of email, but in a world where that’s no longer the most dominant form of digital communication, phishing on social media sites and through text messages is increasingly common.
Text message phishing, sometimes known as “smishing” (SMS phishing), can be especially problematic for a couple of reasons. Legitimate services do use text messages to reach their customers, and most of us have signed up for text notifications from some service. And these text messages are stripped of a lot of the contextual information that makes it easy to spot a scam.
Texts don’t have any branding, and mobile sites often look different than their desktop counterparts, which can disguise some sloppiness on the part of the scammer when designing a fake login page.
As you can see from the previous examples, phishing scammers are resourceful and many of them are good at crafting convincing facsimiles of legitimate messages to cloak their activities. So it’s hard to spot these fakes with 100 percent accuracy.
That said, there are some commonalities here to be alert for that can tip you off that something is not right, and some simple practices you can adopt that will make you a harder target.
Look for the three signs
- There is an ask
- There is a reward for performing the ask and/or a risk for not performing it.
- There is a sense of urgency
If a message checks these three boxes, it’s much more likely to be phishing. Stop and think before you do anything when you get a message like this.
Phishing is most effective when people act impulsively, so even a brief pause to assess the situation is often enough.
Verify the sender
If you do suspect a message is phishing, a good first step to assess it is to verify the sender.
If it’s an email, check to see that the address is one the sender commonly uses, or that the email domain matches the normal domain used by their organization.
If the suspicious message comes via social media, take a moment to look at the profile it’s coming from. Does the Facebook page, Twitter username, LinkedIn profile, or other site come up on the first page when you Google the sender? How many followers does this page have, and do those followers seem legitimate?
If you’ve received a suspicious text from a phone number, is it one that you know? If not, what comes up when you Google it? Known scam numbers tend to get flagged quickly on various sites, so this will often turn up useful information.
Hover on links before clicking
If you hover over a link, most email services will display the full address. On mobile, a long tap generally accomplishes the same thing. Again, look at the domain. Does it match what you’d expect?
If an email says it is linking to a file in Dropbox but the domain is something else, be wary. Don’t be too sure even if the URL seems legitimate, however. Clever attackers can take advantage of homographs (characters from other alphabets that look identical to ordinary letters) to create legitimate-looking URLs for fake pages.
Never log in through a linked page
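The two checks above, verifying the sender’s domain and the domain behind each link, can be made mechanical. The following is an added example in Python, not code from CrossKey or from the original article; the Dropbox domain comes from the text, while the sender address, the links and the .invalid hostnames are constructed for the sample.

```python
import email.utils
from urllib.parse import urlparse

def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header ("Name <user@host>"), lower-cased."""
    _, addr = email.utils.parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def link_host(url: str) -> str:
    """Hostname a mail client shows when you hover over the link."""
    return (urlparse(url).hostname or "").lower()

def belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain or a subdomain of it. The registered
    domain is the right-most part, so 'dropbox.com.secure-login.invalid' fails:
    a well-known name at the start of a hostname proves nothing."""
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)

def looks_like_homograph(host: str) -> bool:
    """Flag non-ASCII hostnames and punycode (xn--) labels: lookalike domains
    built from similar-looking characters of other alphabets are encoded this way."""
    return not host.isascii() or any(l.startswith("xn--") for l in host.split("."))

def assess(from_header: str, links: list[str], expected_domain: str) -> list[str]:
    """Red flags for a message that claims to come from expected_domain."""
    flags = []
    sender = sender_domain(from_header)
    if not belongs_to(sender, expected_domain):
        flags.append(f"sender domain {sender!r} is not under {expected_domain}")
    for url in links:
        host = link_host(url)
        if looks_like_homograph(host):
            flags.append(f"link host {host!r} uses lookalike or punycode characters")
        elif not belongs_to(host, expected_domain):
            flags.append(f"link host {host!r} is not under {expected_domain}")
    return flags

# Constructed sample: a fake "file shared with you" notice. The sender address and
# the .invalid hostnames are made up for this example (.invalid is a reserved TLD).
SAMPLE_FROM = "Dropbox <no-reply@dropbox-notify.invalid>"
SAMPLE_LINKS = [
    "https://www.dropbox.com/s/abc123/Q3-report.pdf",    # genuine-looking link
    "https://dropbox.com.secure-login.invalid/signin",   # real name as a subdomain
    "https://dropb\u043ex.com/login",                    # Cyrillic 'о' in place of 'o'
]

if __name__ == "__main__":
    for flag in assess(SAMPLE_FROM, SAMPLE_LINKS, "dropbox.com"):
        print("RED FLAG:", flag)
```

The sample produces three red flags: the sender is not under dropbox.com, the second link only has the real name as a subdomain of an unrelated host, and the third link uses a lookalike character.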
Login pages should be seen as areas of danger, particularly if you land on them from a link in an email or other message. That said, sometimes you actually do need to log back into a service you use before you can view a legitimate message.
When this happens, the safe thing to do is to open a separate tab and navigate to the service directly rather than logging in from the linked page. If you can see that you are logged in but the link still confronts you with a login page, this is a red flag.
Check with the sender directly
If you get an unusual request from someone you know, it’s safer to follow up with them on another communication channel before you do anything to act on their message.
Keep your apps up-to-date
It’s a common tactic to use phishing messages to drive traffic to pages loaded with malicious code that attempts to exploit flaws in your browser or OS to get malware onto your machine.
Many of the exploits you’ll encounter will have already been found and neutralized with a security patch, so you can maintain a decent protection baseline just by staying on top of your software updates. That is something you need to do anyway, across the board.
How CrossKey can help
The most effective way to reduce the threat of becoming a victim of spoofing and phishing attacks is by implementing a phishing simulation tool and security awareness training.
A phishing simulation tool sends test phishing emails to your employees to see how vulnerable you are to spoofing and phishing attacks.
They are designed to keep staff alert and simulate the different situations in which an attack could happen. Over time, organizations have seen up to a 90% decrease in successful spoofing and phishing attacks.
CrossKey will also make recommendations about the need for other measures to provide layers of protection.