Ever received an email that just did not look right? It could have been a phishing email. Phishing is when an attacker deceives a user via email, SMS, social media, etc., into revealing sensitive information. Analysis of more than 55 million emails reveals that one in every 99 emails is a phishing attack. Attackers use all manner of social engineering methods to trick you into clicking a malicious link or opening a malicious attachment, which may expose personal or company information, allow the attacker to gain remote access to your system, or even take ownership of personal or corporate data.
As professionals in any industry, there are times when we receive hundreds of emails per week. We might check them first thing in the morning before our coffee or after back-to-back meetings, and attackers prey on exactly these moments, when you aren’t alert enough to notice the wrong link. Every organisation is one click away from experiencing a phishing attack.
There are a few red flags to look out for in a phishing email. Firstly, and most importantly, companies will not send you an email asking for passwords, credit card details, credit scores, etc., or provide a link where you can submit this information. Your HR or Finance team will rarely ask for it either. Businesses do have controls to block phishing attempts, such as email protection services that filter most phishing emails before they reach your inbox, but some inevitably end up waiting for your attention, and the attacker is counting on that attention lapsing. Attackers love to make their communication appear to come from a credible source and create a sense of urgency, so you panic or act quickly and have less time to think logically. For instance: “Your account is temporarily locked, you have 24 hours to begin the account verification process, please click here.” Most legitimate companies have their own domain. For example, Reply is known to use the domain @reply.com. It is good practice to always double-check the domain an email comes from, and to hover over each link so your mail client shows where it really points and you can confirm that destination matches the expected domain. In many phishing emails the attacker shows you @reply.com in the visible text, but once you hover over the link it leads to a different domain, such as @gotchu.com, and clicking it would redirect you to a malicious site.
Another clue to look out for is that phishing emails typically use generic salutations such as “Dear Valued Member” or “Dear Account Holder”, while companies you’re subscribed to tend to use your name, and many have started to include a unique code you’ve specified to prove the email can be trusted. Typically, authentic institutions don’t randomly send you emails with attachments; instead they direct you to download documents or files from their own website. Some high-risk attachment file types are .exe, .scr and .zip. Annoyingly for businesses, other risky attachments use everyday applications such as Excel. Adversaries use these file types by embedding macros which, when enabled, run malicious code. These are particularly difficult for security teams and end users alike because such files are in constant use for normal business. Some attackers take a more targeted approach by including your name and something relevant that you are waiting on. This type of phishing is known as spear phishing.
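To make the hover check and the attachment check concrete, here is a small added example (not code from the original post) that scans one raw email for the red flags described above: generic salutations, urgency wording, link text whose domain differs from the real destination, and risky attachment types. The phrase lists, the constructed sample message and the treatment of .xlsm/.docm as macro-enabled Office files are my assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed: .xlsm/.docm stand in for macro-enabled Office files; phrase lists are a constructed sample
RISKY_EXT = (".exe", ".scr", ".zip", ".xlsm", ".docm")
PHRASES = {"generic salutation": ("dear valued member", "dear account holder"),
           "urgency language": ("temporarily locked", "24 hours", "act now")}
ANCHOR = re.compile(r'<a[^>]*href="([^"]*)"[^>]*>\s*(.*?)\s*</a>', re.I | re.S)

def domain_of(s):  # host of a URL, or of bare link text like "reply.com/verify"
    host = (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def red_flags(raw):
    """Return the red flags found in one raw message (subject, body, links, attachments)."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    low = f"{msg['subject']} {text}".lower()
    flags = [label for label, words in PHRASES.items() if any(w in low for w in words)]
    # The hover check: the domain the reader sees vs. the domain the link really goes to
    for href, shown in ANCHOR.findall(text):
        if "." in shown and domain_of(shown) != domain_of(href):
            flags.append(f"link shows {domain_of(shown)} but goes to {domain_of(href)}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            flags.append(f"risky attachment {name}")
    return flags

# Constructed sample message modelled on the post's @reply.com / @gotchu.com example
SAMPLE = """\
From: Reply Support <support@reply.com>
Subject: Your account is temporarily locked
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Valued Member,</p>
<p>You have 24 hours to verify: <a href="http://gotchu.com/verify">reply.com/verify</a></p>
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12
Content-Disposition: attachment; filename="invoice.xlsm"

AAAA
--b1--
"""
```

Running `red_flags(SAMPLE)` reports all four red flags for the sample, while a plain-text message that simply links to its own domain produces none.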
The above red flags aren’t foolproof, but they help keep users more alert and aware of what to look for. If you do get a suspicious email and are hesitant to click the link, you can go directly to the website from your browser. This ensures you are using the legitimate website and not a fake one an attacker created to trick you. 47% of phishing attacks are due to distractions. Don’t forget to look for the following red flags in an email:
Anyone can fall victim to a phishing email, even IT professionals, so it is important to slow down and think rationally when opening your emails. Ask yourself: would this person normally send me an email like this? Can I confirm this through a different channel?
Training employees to spot phishing emails is a necessity for every organisation. The increase in remote working due to Covid has brought a 600% increase in reported phishing attacks. So why does it matter if one PC is infected or one set of credentials is exposed? In both scenarios it creates an origin point for a much more significant breach, and the impact of a phishing attack can be huge. Look at WannaCry, the successful attack on the NHS, which caused losses in the millions and left hundreds of patients without medical care. Although WannaCry was a ransomware attack that exploited a Windows vulnerability, it did indeed proliferate through phishing emails. Nowadays, attackers are taking full advantage of recent remote working initiatives, as staff are more exposed than when working from internal networks in business offices. Unfortunately, reading this blog and the few signs pointed out does not make you an expert in spotting phishing attempts. Being a security professional myself, I still need regular reinforcement to remain alert to these types of threats. Technology is always evolving, and attackers are always one step ahead with new techniques to try and hack us. Does your company provide security training? Is it the boring computer-based learning where you stare at a screen and just click “Next”? For a better understanding of what a security awareness program, please