Phishing email scams are on the rise and attackers are getting more creative in the ways they are attempting to steal data. We take a look at the different types of phishing attacks and the best ways to protect yourself and your company.
What are phishing and spoof emails?
Phishing emails are carefully crafted emails that are sent from an attacker in such a way that makes them look legitimate, to fool the target into taking some sort of action in good faith.
Email phishing can be broadly broken down into the following types:
Phishing
In this type of attack, an attacker impersonates a real company to obtain your login credentials. You may receive an email asking you to verify your account details with a link that takes you to an imposter login screen that delivers your information directly to the attackers.
Spear Phishing
Spear phishing is a more sophisticated attack that includes customised information that makes the attacker seem like a legitimate source. They may use your name and phone number and refer to your company in the email to trick you into thinking they have a connection to you, making you more likely to click a link or attachment.
Whaling
This attack has become more popular recently, with attackers very specifically targeting key business employees to get them to transfer money or send sensitive information by impersonating a real company executive. Using a fake domain that appears similar to the victim’s company, or in combination with Spoofing (see below), the attacker sends an email that looks like a message from a high-level colleague at the company, typically the CEO or CFO, and asks for sensitive information (including usernames and passwords). A common example of whaling is to ask the victim to take financial actions under pressure (“quickly transfer money to a bank account so the business doesn’t lose a large contract”).
Shared Document Phishing
You may receive an email that appears to come from a shared document platform (such as SharePoint or Google Drive) that alerts you that a document has been shared with you. The link provided in these emails will take you to a fake login page that mimics the real login page and will steal your account credentials if you enter them.
Spoof Emails
A spoof email is where an attacker sends an email posing as a different sender. This is often used in combination with the above attacks to increase your confidence in the email you received, lowering your guard.
What should you look out for?
Most email platforms filter out a lot of malicious emails; however, some will inevitably get through, especially to people who hold senior positions or whose contact details are more publicly advertised. That’s why you should always be on guard when opening any email you receive. We have put together a few obvious warning signs that you should look out for when opening any email…
Obvious warnings
Unverified Sender Warnings
You might find emails in your inbox that say ‘Unverified’ or similar next to the sender. This is your email provider trying to warn you that the sender may be suspicious.
Subject Line and Email Body Warnings
In email platforms like Office 365, admins are able to set up custom policies that prepend the subject of an email with either [WARNING] or [CAUTION] when an email from an unrecognised sender is received. When this is the case, the body of the email is also prefixed with a similar warning or caution message.
Abnormal Requests
Phishing emails will request that you take some sort of action, so if you receive a request for any of the following it should be treated as suspicious:
1. Click on an embedded link that takes you to a website
2. Reply to the email providing sensitive information such as a username, password, or personally identifiable information
3. Make financial actions such as bank transfers or provide banking or credit card details
Time Urgency
Phishing emails often create a sense of urgency such as “you must do this in the next 1 hour so you don’t lose access” or “can you make the bank transfer today so we don’t miss out on critical business”. If the request is genuine and is truly urgent, often email isn’t the best form of communication and this should raise suspicion.
Poor Spelling/Grammar
Phishing emails also often use poor or incorrect spelling as well as poor grammar. If the tone of the email doesn’t seem to match up with the person appearing to send the email, you should always try to verify the request either face-to-face, or via a video/audio call so you can be sure you are speaking to the right person.
Subtle warnings
Sometimes the signs are a little less obvious, but with some basic checks it’s possible to pick up on phishing emails. Below is an example of an email from someone spoofing PayPal. At first glance the email looks legitimate, but with some quick checks we can identify it as a phishing email.
1. If we look at the sender’s email address in the example, it appears to be from ‘service@intl.paypal.com’, but on further inspection you will see it is actually from ‘service.epaiypal@outlook.com’
2. The email contains a log in link which leads to an unscrupulous site. You can check where the link in any email will take you by hovering over it, which will show the address it leads to so you can inspect it before actually clicking. This is usually displayed in one of the bottom corners of the window or sometimes next to your cursor.
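The two checks above can also be done programmatically on a raw message, which is how a mail gateway or triage script would flag the same signs. This is an added example, not code from the article; the message is a constructed sample modelled on the PayPal example, and the link host ‘paypal-verify.example.net’ is a placeholder.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish): the display name claims PayPal,
# the real address is an outlook.com account, and the link host is a placeholder.
RAW_EMAIL = """\
From: "service@intl.paypal.com" <service.epaiypal@outlook.com>
To: victim@example.com
Subject: Your account has been limited
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://paypal-verify.example.net/login">log in</a> within 1 hour.</p>
</body></html>
"""

CLAIMED_DOMAIN = "paypal.com"  # the brand the email pretends to come from


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs, i.e. what hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_matches(host, domain):
    """True only for the domain itself or a subdomain of it, not look-alikes."""
    return host == domain or host.endswith("." + domain)


def check_email(raw, claimed_domain):
    """Return warnings for a mismatched sender address and for off-brand link targets."""
    warnings, msg = [], message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    if not domain_matches(addr.rsplit("@", 1)[-1].lower(), claimed_domain):
        warnings.append(f"sender shown as '{display}' but real address is {addr}")
    collector = LinkCollector()
    collector.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    for text, href in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if not domain_matches(host, claimed_domain):
            warnings.append(f"link '{text}' leads to {host}, not {claimed_domain}")
    return warnings
```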

Dos and don'ts
This all may sound a little complicated but in general, if you follow the dos and don’ts below, you give yourself a very good chance of catching any phishing emails.
- DO look out for the signs above.
- DO try to verify the sender via a different method of communication if you are unsure.
- DO NOT transmit sensitive or personally identifiable information via email where avoidable, especially in response to an unsolicited or external request.
- DO NOT take financial or IT administration actions without verifying via another method of communication.
- DO NOT click on links in emails without checking where the URL leads first.
- DO NOT open attachments from suspicious or unknown senders.
- DO NOT share your login credentials with anyone under any circumstance.