Do You Know How to Spot Phishing Attacks?
One of the mainstays in a hacker’s arsenal is the phishing attack. Phishing is defined as a form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person in email, IM, text or other communication channels.
Hackers are using these attacks to steal personal information or money from as many people as possible, which is why you need to know how to spot phishing attacks and keep your business network safe.
The one piece of good news with these scams is that ultimately you get to decide whether or not to participate – by simply hanging up the phone, or not clicking on a shady email attachment or website link, you make it impossible for the hackers to do their jobs.
But hackers using phishing are digital con artists, and they are very good and very persuasive when it comes to leading you away from common sense. They use age-old (and effective) scare tactics, add a modern twist and pressure people to make an important decision on the spot.
A common thread with all of these schemes is that they follow the news and the money. Using hidden malware and a convincing pretense (for more on this, see our overview on social engineering tactics they succeed in conning people into handing over their personal information or their money every single day.
So how can you learn to spot phishing attacks and then avoid them? Education, good judgment, and a very healthy dose of skepticism are the best defenses against becoming a victim.
Examples of Phishing Attacks
You do not have to look hard to find examples of phishing attacks because unfortunately they are everywhere. Some are widespread, spoofing major brands (PayPal, Bank of America, Anthem), while another subset of this practice known as whale phishing targets very specific companies by spoofing emails from a high-level individual within that same organization.
In 2015, the Federal Trade Commission (FTC) received 3 million complaints; this was up from 2.5 million the prior year. And that is just what actually gets reported.
In March 2015, a major phishing attack targeting Bank of America customers came to light. As part of the attack, hackers directed unsuspecting users to a fake Bank of America website. The website told them that they had to reactivate their accounts. It then directed them to a web page containing a reactivation form. This form asked them to hand over many personal details, including their names, birthdates, email addresses, online account IDs, passwords, and Social Security numbers.
An even more high-profile case occurred in February 2015. After U.S. health insurer Anthem Inc. revealed it had a data breach, the company announced it would be contacting customers to offer them free credit monitoring. Hackers took this opportunity to launch a phishing campaign by sending out an email message that claimed to be from Anthem. The message invited the recipients to sign up for free credit monitoring by clicking a link. This link was part of a plan to steal their personal information.
These scams are sophisticated and they do follow current events and make use of all forms of technology. During busy online shopping seasons, hackers typically disguise their fraudulent email messages as compelling offers from major retailers, enticing consumers to click NOW so as not to miss that too-good-to-be-true deal. For example, the email service provider AppRiver noted that in November 2014 it quarantined hundreds of thousands of malicious email messages that claimed to be from Amazon.
These scams are no longer limited to just emails either. They can come via social media and text as well, providing a link that will take the user to an infected or compromised site, or allowing access to all of the data on a smartphone. So it’s just as important to be on the lookout for fraudulent texts and suspicious messages on social media accounts like Facebook or LinkedIn.
How to Spot Phishing Attacks
Phishing attacks have several key characteristics. First and foremost, they use spoofed email or text messages that appear to be from large, well-known organizations OR from known entities within your own organization or an affiliate The essence of it is that they appear to be from a trusted source – either local or on a national or even international scale.
Hackers will often make their messages look like an email from a bank or financial institution, a government agency, or from a colleague. Emails that look like they are from universities or major online organizations such as PayPal or eBay are also common.
Another tactic is to include a link to a website controlled by the hacker. The hacker then uses the website to spread malware, steal information, or hold that machine or the files on the machine hostage, demanding money in exchange (ransomware).
It can be very difficult to spot a spoofed website or email because it will use authentic logos and links. In some cases, hackers have figured out how to direct a user to the authentic website, but then display a pop-up window for the collection of your personal data. This pop-up is actually a shadow site run by them.
All of this is making it much more difficult to spot some phishing attempts. But there are some common characteristics of phishing attempts that you can be on the lookout for. They are:
- Fake email messages often have spelling and grammatical errors.
- Phishing employs scare tactics, meaning these message will almost always include an indirect threat. For instance, a message might state that if you do not reactivate your account, it will be terminated.
- If it sounds too good to be true, then it is. Period. Companies aren’t going to give you something for nothing, but hackers bank on the fact that we just can’t resist checking out that amazing deal.
How to Defend Against Phishing Attacks
Conducting phishing training and educating your staff is the most important step in learning how to spot phishing attacks and then avoid falling victim to them.
In particular, employees should learn how to recognize a fraudulent email or text message. Besides watching for spelling and grammatical errors, employees should pay close attention to the sender’s email address.
Hackers frequently use email addresses that look like the addresses of legitimate organizations, but are one letter or number off. As an example, a hacker might send out an email message using the address email@example.com instead of the real @amazon.com address. Deceptive email addresses increase the chance of someone falling for the scam, if they don’t know to check it carefully.
Your employees should also check the authenticity of links in their email messages. If employees are in doubt about a link, they can hover their mouse cursor over it to see the address of the website that it will actually go to (try it with one of the links in this blog post – you will that where we have linked to other blog posts on malware and social engineering, the URL matches our corsicatech.com site). If the website address seems suspicious, the link is likely part of a phishing campaign.
Employees can perform an online search in a separate browser window to see if the website is associated with any cybercriminals. If in doubt, another option is to open up the website in another window and search for the information that way. For example, if you didn’t quite trust one of our internal links here, you could certainly open up www.corsicatech.com in a new window, browse to our Blog and then scroll down and locate the post about Malware on your own.
Another red flag that employees need to watch for is requests for personal or financial information. Banks and other legitimate organizations will never ask their customers for this type of information in an email. As a result, any email message that asks for it should be considered very suspicious and possibly malicious.
Furthermore, legitimate organizations will not threaten their customers in a heavy-handed way or even issue a veiled threat. If a message or request for information is written in a tone of extreme urgency and includes threats like immediate account deactivation, it is most likely a phishing attempt. Educating your staff to red-flag any messages with that carry this extreme sense of urgency will go a long way towards protecting your network.
When there is even the slightest bit of doubt about the authenticity of a request, the best fail-safe is to contact by phone the person who supposedly sent it and verify the details with them directly. A recommended best practice would be to have a multi-layer authentication procedure in place for ANY financial request received via email, given that phishing attempts are more sophisticated and increasingly difficult to spot. Taking that extra time can save your business thousands of dollars and much more in potential downtime should you fall victim to a ransomware scam.
Quick Tips for Avoiding a Phishing Scam:
- As a rule, be suspicious of any email with urgent requests for personal financial information – particularly if you weren’t already expecting it. The request will likely include upsetting or exciting (but false) statements, because the intent is to get you to react immediately based on that emotion. It will ask for information such as usernames, passwords, credit card numbers, social security numbers, etc.
- Think before you link. Don’t use the links in an unsolicited or untrustworthy email to get to any web page. Instead, call the company on the telephone, or log onto the website directly by typing in the Web address in your browser.
- Be suspicious of invoices sent via email, as these have been known to be infected with malware. If you don’t generally receive invoices via email from that sender or you weren’t expecting an invoice, do not open it.
- If you need to update your information online, use the process you’ve used before, or open a new browser window and type in the website address of the legitimate company’s account maintenance page.
- If a website address is unfamiliar, be suspicious because it’s probably not real. Only use the address that you have used before, or start at your normal homepage.
- Avoid filling out forms in email messages that ask for personal financial information. It should be noted that banks, credit card companies and government agencies have all stated that they would not contact you asking you to provide that information in an email, as they already have it.
- Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your Web browser. Look for the lock at the bottom of your browser and “https” in front of the website address.
- Pay attention to the header address on the website. Most legit sites will have a relatively short URL and generally it will depicts the business name followed by “.com,” or possibly “.org.” Spoofed sites are more likely to have an excessively long string of characters in the header, with the legitimate business name somewhere in the string, or possibly not at all.
- Regularly log into your online accounts.
- Regularly check your bank, credit and debit card statements to make sure that there are no non-authorized transactions. If anything looks suspicious, contact your bank and all card issuers.
- Ensure that your browser is up-to-date and that all security patches have been applied.
- Always report fraudulent or suspicious emails. Reporting instances of spoofed websites will aid in getting them shut down before they can do any more harm.
- If you have ANY doubts about an email or website, contact the legitimate company directly. Make a copy of the questionable website’s URL address and, send it to the legitimate business to ask if the request is legitimate.
Is Your Business Network Secure?
Thwarting phishing attacks is important if you want to keep your company’s data safe. But there are many other types of online attacks, so you need to develop a strong overall cyber-security strategy.
As a full-service managed IT provider, we deploy the latest in network security, including patching management, intrusion prevention, anti-virus and server-level data backups as part of our managed IT service plans. We also provide regular alerts about specific cyber-threats and can help you to train and educate your staff in how to spot phishing attacks and avoid them.
Corsica’s experts can provide a full security assessment and help you identify – and resolve – any vulnerabilities within your network.