It’s the season of witches and warlocks, zombies, and ghosts, but there’s something even scarier lurking in the shadows—phishing emails. Okay, so phishing emails have nothing to do with Halloween, but October is also National Cybersecurity Month. And phishing emails are one of the most prevalent and threatening types of cyber attacks, so we thought it was appropriate to talk about them this month. Strap in because phishing attacks can hide in plain sight and might not be what you thought they were.
What is a Phishing Attack?
Phishing attacks are nothing new, and we’ve probably all run into one at some point. But just to jog your memory, a phishing attack is a malicious email sent with the intent to steal your data or infiltrate your network. These emails are disguised to look as if they come from trustworthy sources, tricking users into feeling safe and clicking on the contents inside. When users click on a link, they are often taken to a website and asked to input their account information. This site is designed to imitate a real website that many users actually visit.
For example, imagine a website that looks exactly like the Netflix website asking you to log in. However, when you input your account information, you’re actually handing it over to hackers. These criminals then try to use this information to log into other sites, like your banking account. The other common consequence when users click on a link or attachment in a phishing email is malware infiltration. Just the act of clicking on the email can introduce things like ransomware that will infect and encrypt your entire network.
So, How Can You Prevent Phishing Attacks?
Well, the truth is, you can’t entirely prevent them. You can set up filters that will block a few of them from making their way into your coworkers’ and employees’ inboxes, but it’s not going to stop all of them. Hackers have become extremely good at creating these types of attacks to get around common prevention methods. So, the most significant thing you can do to prevent the wrath of phishing attempts at your organization is actually education. Educate yourself on how to spot phishing emails so that you don’t risk your company with something as small and unexceptional as a single click. And then help educate others. Help those around you understand what to look for because their click could be your loss too. To help get you started, we’ve put together some helpful tips for sifting the good emails from the bad.
Spotting Phishing Attempts
Phishing attempts are not nearly as obvious as they once were. In recent years, the telltale signs that an email was a phishing attack were bad grammar, poor design, and weird language choices. However, cybercriminals have become increasingly sophisticated, and now phishing emails are often identical to their real counterparts, with only small, inconspicuous differences. So, here’s what to look for in 2020.
Emails About Suspicious Activity or Login Attempts
Many of us have probably received legitimate emails notifying us that someone unsuccessfully attempted to log into one of our online accounts. This email is meant to spur us into action to change our passwords and account settings to reduce the likelihood of fraudulent logins. Well, hackers have caught on to this originally well-intentioned trend and have started sending out their own imitations. Many phishing attempts originate from emails telling users that their account has been compromised and asking them to log in to check security. These emails are well-designed and get past many vigilant eyes. Because of the difficulty in determining the real from the fake, when you receive an email about suspicious online activity, it’s best just to avoid the email links altogether. It might be totally valid, but if you manually type in the company’s web address, you’ll avoid the risk that it was just a hacker pulling your leg.
Look at the Email Address Domain
As we said above, it’s getting nearly impossible to tell a real Netflix email apart from an imposter these days. Criminals will design emails and websites to imitate their source down to the tiniest of details, making phishing attempts really hard to pick out on look alone. But one thing you can look for is the email address domain. When you receive an email, whether you think it’s suspicious or not, it’s a good idea to look at the “from” field and see if there are any odd variations you wouldn’t expect. Now, this isn’t foolproof, because hackers are smart: they’ll try to imitate the email address just like they did the design. For instance, instead of @netflix.com, the address will be from [email protected]. These little details can be hard to spot but are definitely worth looking for (and remember, when in doubt, don’t click anything!).
Look at the Actual Email Address
Have you noticed that an email sender’s actual email address often won’t show up unless you click on the sender’s name in your email? The name you see instead is called a display name. Anyone can set their display name, and hackers use this as another tool to trick you. They know that if you immediately see their actual email address, there’s a small chance it might tip you off that it’s not legitimate (think about seeing the [email protected]). Hackers don’t want to take that chance. So they set their display name to “Netflix” so that you don’t have any qualms before opening the email. That’s where they hook you with the identical design that makes you feel safe to click on a link. So looking past the display name at the actual email address is another small but easy way to try and weed out phishing attempts from the rest of your inbox.
Phishing is definitely not a treat. Hackers use phishing emails to get your information and spread dangerous malware. It’s a problem that’s been around, and it’s not going away any time soon. That’s why we all need to be on the lookout for these phony emails to protect our personal finances, along with our company’s. The best way to do this is through education. We’ve offered three easy and helpful tips to help you get started, but you’re not done! The best way to spread phishing awareness is actually through testing your coworkers and employees. You can send out fake phishing emails (an imitation of an imitation…) and see who falls for it at your company. Then you can teach them where they went wrong and how to avoid phishing scams in the future. As a cybersecurity partner, we can help you set up these learning exercises on a regular basis, to ensure that your team is continuing to keep an eye out for any and all phishing attacks.