Who hasn’t received an email from their boss telling them to get a certain task done quickly? Chances are you have, and you probably completed the request without giving it a second thought. But what would happen if that message was actually from someone else, a fake? Would your boss forgive you for the financial loss, or would your clients forgive you for compromising their private information? Like most of you right now, I’m thinking the answer to that question is a resounding no. So, what is Phishing and how can you prevent it?
Brief History of Malicious Phishing
Phishing has always been about deceiving a person rather than breaking software, and it has evolved significantly over the years. The term dates to the mid-1990s, when attackers on AOL posed as staff and simply asked users for their passwords and billing details. The next iteration of Phishing went after end-users in bulk and was quite easy to recognize. For instance, we've all received that email from a foreign prince offering a share of his fortune in return for an advance payment (the classic advance-fee, or "419", scam). Although it was nice to think we had mysteriously hit the jackpot, we knew it was too good to be true.
Evolution of Attack Methodology
Now let's fast forward to today and that urgent email you just received from your boss. Attacks directed at a specific user or group are called Spear Phishing, and when the message impersonates an executive to extract money it is usually referred to as Business Email Compromise (BEC) or CEO fraud. Often the request will direct you to wire money to a specific account, or to buy gift cards and send the activated card numbers in a reply message, and the sender will typically add urgency and a reason why they cannot take a call right now. Another type of email attack, which targets the C-suite and senior executives themselves, is known as Whaling. Whaling relies heavily on social engineering of the target group to craft a convincing message that compels the victim to act.
Using Your URL to Convince Recipients
You may be wondering, how are these attackers so good at this? One technique they deploy is often called Domain Spoofing, although the more precise name is a lookalike domain. Attackers register domain names that resemble your organization's email domain, or another organization's, and then create mailboxes on them to impersonate someone else. For example, if your company mail ends in @yourdomain.biz, an attacker might register yourdomain.biz.com and write to you as firstname.lastname@yourdomain.biz.com. (Forging the From header of your real domain outright is also possible, which is why your mail administrator should have SPF, DKIM and DMARC configured; those controls do nothing against a lookalike domain the attacker legitimately owns.) Another technique is URL Spoofing. Here the attacker puts links in the body of the message whose visible text looks like a familiar address while the actual destination is a fake website that harvests your credentials or downloads malware onto your system. For example, you may have received an email that appeared to come from Microsoft stating that your email password was about to expire and that you needed to click the link to change it.
How to Identify a Phishing Attack
So, what can you do to prevent falling victim to some of these scams? For starters, always check who the message is actually coming from. If you only glance at the display name in the From field, you can easily miss that the address ends in @yourdomain.biz.com rather than your company's @yourdomain.biz, as noted above. Also, were you expecting an email from this person, and is the subject matter relevant to you? The most prudent thing you can do is contact the sender through another medium, such as a phone number you already have, and ask whether the message is legitimate. Do not reply to the email or use a number it contains, since those go straight back to the attacker. Contacting the sender is also the quickest way to find out whether their own mailbox has been compromised, since attackers sometimes take over legitimate accounts and send from them, which passes spam filters and authentication checks because the mail really does come from the right domain.
Another telltale sign of a fraudulent message is the number of misspelled words or the poor grammar. Business programs like Microsoft Office or Google Workspace (formerly G Suite) have built-in spell checkers and often auto-correct these common errors, so it would be highly suspect to receive a message riddled with them from a legitimate source. Similarly, a link in the body of the message may not be authentic either. We all know the most common websites like www.google.com or www.yahoo.com, but what about www.0utlook.com.e/Gx385JCIQZ3hdl-url? You may not be able to tell at a glance, but that is a zero in Outlook, not a capital letter "O", and ".e" has been added before the forward slash. That last change matters more than it looks: the part of the address that decides which site you reach is the last two labels before the first slash, so this link goes to a domain called com.e, not to outlook.com, no matter how familiar the start of it appears. Another common trick is the <ClickHere> link, which you would most likely assume points to the named vendor's authentic website. Although it may seem challenging to distinguish which links are authentic, the check is quite simple. Hover the mouse pointer over the link without clicking on it, and the actual destination address will appear in the status bar or a small tooltip. On a phone, press and hold the link instead to see where it leads. If the destination is a link shortener or a redirect through some unrelated site, treat it as unknown rather than safe.
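The two checks described above, on the sender's domain and on where a link really points, can be written down precisely. The following is an added example, not code from the original post, that pulls every link out of a constructed phishing message, pairs the text the reader sees with the real destination, and flags hostnames that imitate a trusted domain either by a digit-for-letter swap (0utlook.com) or by burying the trusted name inside a different domain (outlook.com.e, yourdomain.biz.com). The trusted-domain list, the sample message and the sample addresses are assumptions made for the illustration.

```python
"""Added example (not from the original article): classify sender domains
and link destinations the way the hover check does, in code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this illustration: the domains we would trust a link to.
TRUSTED_DOMAINS = {"outlook.com", "microsoft.com", "google.com", "yahoo.com"}

# Digit-for-letter substitutions commonly used in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'www.0utlook.com.e' -> 'com.e'.
    Simplified: does not handle multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str, trusted: set) -> str:
    """'trusted' if the host belongs to a trusted domain, 'lookalike' if it
    imitates one, 'untrusted' otherwise."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in trusted:
        return "trusted"
    normalized = host.translate(HOMOGLYPHS)          # 0utlook -> outlook
    if registrable_domain(normalized) in trusted:
        return "lookalike"
    for name in trusted:                             # outlook.com.e, yourdomain.biz.com
        if "." + name + "." in "." + normalized + ".":
            return "lookalike"
    return "untrusted"


def host_of(link: str) -> str:
    """Hostname of a link; tolerates links written without a scheme and
    ignores any user@ prefix, so http://outlook.com@evil.example resolves to evil.example."""
    if "://" not in link:
        link = "http://" + link
    return urlparse(link).hostname or ""


def classify_link(link: str) -> str:
    return classify_host(host_of(link), TRUSTED_DOMAINS)


def classify_sender(address: str, company_domain: str) -> str:
    """The From-address check: the part after @ must be the company domain itself."""
    domain = address.rsplit("@", 1)[-1]
    return classify_host(domain, {company_domain.lower()})


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs: what the reader sees vs. where it goes."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_message(html: str) -> list:
    """Return (visible text, destination, verdict) for every link in the message."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href, classify_link(href)) for text, href in parser.links]


# Constructed sample message: the password-expiry lure from the article.
SAMPLE_MESSAGE = """<p>Your email password expires today.</p>
<a href="http://www.0utlook.com.e/Gx385JCIQZ3hdl-url">https://outlook.com/password</a>
<a href="https://login.microsoft.com/">Click Here</a>
<a href="http://outlook.com@evil.example/reset">Click Here</a>"""

if __name__ == "__main__":
    for text, href, verdict in audit_message(SAMPLE_MESSAGE):
        print(f"{verdict:10} shown={text!r} goes to={href}")
    for addr in ("jane.doe@yourdomain.biz", "jane.doe@yourdomain.biz.com", "ceo@y0urdomain.biz"):
        print(f"{classify_sender(addr, 'yourdomain.biz'):10} {addr}")
```

The first sample link is the most instructive: its visible text is a genuine-looking outlook.com address, but the destination's registrable domain is com.e, which is exactly what the hover check would reveal. The third link shows a related trick the article does not mention, a trusted name placed before an @ in the URL, which browsers treat as a username rather than the site.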
Due Diligence Helps Protect Your Organization
There are many types of Phishing attacks, and these are just some examples to help you stay safe while conducting business. While enterprise-grade email filtering services are a great way to keep most scams out of your mailbox, they are not foolproof and still require you to be vigilant. Phishing attacks can only succeed if the target acts. When in doubt, always use another medium: call the sender on a number you already have, or open a new browser window and type the vendor's known web address yourself instead of clicking the link. With a little due diligence, you can help prevent significant breaches or losses to your organization.
For more information on the damage attackers can do if they can log into your email account, read our Avoiding O365 Business Email Compromise blog post.