Don't be a phish
There you are, sitting in your office diligently working, and up pops an email from Google. It is reminding you about an appointment but the details are sparse. Trying to remember what the appointment was, you click the link to see more information. You quickly enter your user credentials, but rather than seeing your event within Google, you are greeted with an error screen.
Sadly, you have just become one of the millions of unsuspecting victims of a phishing attack. According to a recent study [https://goo.gl/2r2T4s] by the Anti-Phishing Working Group, the total number of phishing attacks was over 1.2 million in 2016, a 65% increase over the previous year.
What is phishing?
Phishing is an email tactic used to convince an unsuspecting user to take action or reveal information of a personal or sensitive nature. Phishing emails attempt to lure users into replying by email, clicking on a web link, or revealing personal details such as credit card information, usernames, passwords, etc. These emails will have the look and feel of emails sent by legitimate companies, including the company logo, legal disclaimers, and even warnings stating that company “x” will never ask for login details. They often employ a pressure tactic, warning that immediate action is required, such as signing in within 24 hours to avoid your account being disabled.
The cost of phishing attacks
Organizations large and small are vulnerable to phishing attacks. Attackers use psychological tactics to get the user to “open the door” for them, often without the user being aware of the danger. Phishing attacks are becoming more widespread because the economics favor the attacker: if the attacker sends out a few hundred emails and only one or two recipients take the bait, the investment is low, the risk is low, and the reward is high. It only takes one successful attack to generate big returns for the attacker.
Tips to help spot the ‘lure’ of a phishing attack
If you were fishing and the fish recognized the lure was a ‘hook’, you would not catch any fish! In the same manner, if you are able to spot ‘red flags’ that indicate a phishing attack, you improve your chances of not falling victim to the scheme. Attackers are becoming more sophisticated and phishing attempts are becoming harder to recognize.
Here are a few tips to help you spot a ‘lure’.
Grammatical errors: Many attackers use templates to generate multiple emails. If you notice the email is littered with grammatical errors, this is a signal that something may be amiss. This may be as minor as ‘their’ and ‘there’ being used incorrectly or it can be as blatant as incomplete sentences or statements that do not seem to belong together.
Generic introduction: While many legitimate companies take advantage of auto mailers or autoresponders, many still try to create a personal connection with an email recipient by using their name. Phishing emails will often not include the name of the recipient in the introduction. They may be addressed more generically, such as Dear Valued Customer, or Attention Account Holder.
Check the sender's email address: Sophisticated programs can ‘spoof’ the sender's email address, so checking the actual email address has never been more important. Attackers will try to match the email address as closely as possible to that of the company they are trying to impersonate. They will use tricks such as putting a reputable sounding name toward the front of the domain (i.e. to the left side of the @). Another ploy is substituting characters or leaving off characters within a legitimate email address in the hopes that the user is not paying close attention and will just continue. Check the validity of an email address by searching the company's FAQ page. Often, the email address for customer service will be listed on the page. Compare it to the email address you received in your inbox. Does it match?
Vague or incomplete message details: Use the context of the email to see if the message makes sense. For example, if you receive an email from FedEx stating that your package has been shipped, did you order something recently? Were you expecting it to be shipped via FedEx? Remember, the attacker is trying to be as vague as possible to get people to respond. Their goal is to be specific enough to make you think it is legitimate, but not to provide so many details that you disregard the email. For the home user, if you receive an email from someone, were you expecting it? If the email is promoting an offer that sounds too good to be true, chances are it is.
Compare messages with those previously received: If you have received valid emails from this source before, compare the messages. Are the messages being sent from the same address? Do they include similar details? Are they in a like format? Many times a company will use a template and fill in the specific details of the person or company they are attempting to contact. When you compare the two messages, if the email you just received does not look like a previously known valid message, this is a big red flag.
Go to the source: If you are still unsure, open up a new browser window, and navigate to the site without using the link or information provided in the email. For example, if you receive an email stating that your bank account has been suspended, verify this by opening a new browser window and going directly to the bank website. Sign in and verify the information.
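As an added example (not part of the original article), this Python checker applies the sender-address tips above: it flags a reputable name placed to the left of the @ or buried in an unrelated domain, a domain that is a near-miss of a known one through substituted or dropped characters, and a display name that claims a brand the address does not belong to. KNOWN_DOMAINS is a constructed list standing in for the addresses you have verified from a company's FAQ page.

```python
from email.utils import parseaddr

# Constructed allow-list of sender domains you have verified before (assumption for this example).
KNOWN_DOMAINS = {"fedex.com", "google.com", "examplebank.com"}

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_red_flags(from_header):
    """Return the red flags found in a From: header; an empty list means none were found."""
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parseable address"]
    local, domain = addr.lower().rsplit("@", 1)
    # A verified domain, or a subdomain of one (accounts.google.com), is what it claims to be
    if domain in KNOWN_DOMAINS or any(domain.endswith("." + k) for k in KNOWN_DOMAINS):
        return []
    flags = []
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        # Reputable name pushed to the left of the @ or buried inside an unrelated domain
        if brand in local or brand in domain:
            flags.append(f"'{brand}' appears in the address but the domain is {domain}, not {known}")
        # Characters substituted or dropped: fedx.com, googIe.com (capital I standing in for l)
        elif 0 < edit_distance(domain, known) <= 2:
            flags.append(f"domain {domain} is a near-miss of {known}")
        # Display name claims a brand the real address does not belong to
        if brand in display_name.lower():
            flags.append(f"display name '{display_name}' does not match address {addr}")
    return flags

if __name__ == "__main__":
    # Constructed sample headers for illustration
    for header in ("FedEx Shipping <tracking@fedex.com>",
                   "FedEx <fedex.notifications@mail-delivery.xyz>",
                   "Google Calendar <calendar-noreply@googIe.com>"):
        print(header, "->", sender_red_flags(header) or "no red flags")
```

The checker catches the lookalike tricks the tip lists; a sender address that is spoofed outright will pass it, which is why going directly to the site remains the final check.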
How to combat phishing
As with many things in life, there are no ‘silver bullets’. Taking basic system precautions such as spam filters is a good start. However, training and educating users is the best defense against phishing attacks. Technology-based interventions can only do so much and cannot prevent an individual from clicking on a malicious link or entering personal information.
Companies must make it a priority to educate users. Important topics include making sure users know how administrators will contact them and what procedures the user will be asked to follow. According to Wombat Security [https://goo.gl/xTsYPg], 50% of participants surveyed stated that they answered or checked personal emails from work computers. Furthermore, 49% stated that they checked work email on a personal device.
You do not need to become an expert in email phishing attempts, or hold a Ph.D. in information security. Knowing some of the most common tactics and remaining aware of what you are doing and clicking on can greatly increase your chances of not becoming a victim.
A special thank you to Tech Titanz contributing editor Valerie Depina.