No one wants to believe they’d fall victim to phishing attacks. However, phishing attacks are on the rise and are more sophisticated than ever.
There’s a good reason phishing attacks are touted as one of the most common security challenges companies and individuals face – there are ample opportunities for cybercriminals to maximize profits. Companies lose billions every year from email scams, with losses climbing to $2.7 billion last year.
For organizations, it’s vital that they leverage advanced security technology such as user authentication, secure email gateway and email authentication defences. Unfortunately, phishing scams continue to make their way into email inboxes – with Verizon revealing that nearly 30% of the targeted recipients open phishing emails.
The incredible click-through rate shows why the scams are still popular – it works, and oftentimes, strikes gold. Despite hackers camouflaging their bait, there are ways to identify phishing emails. Here are 10 guidelines to keep yourself safe.
Gone are the days when phishing emails began with “Greetings from the son of the deposed prince of Zambia.” In an attempt to look legitimate, phishing emails are a lot more sophisticated today and may even contain links that may direct you to a website that looks exactly like the original one. Clicking on random links isn’t a smart move. Hover over it to see if they lead you to the right website. A better option would be to avoid the link altogether and directly access the website from a secure browser.
There have been instances where cybercriminals may pose as an employee requesting you to change or confirm your details by clicking on a link. Here’s an example of an email scam that hit RBC.
More often than not, phishing attacks are disguised as a document or an email someone was expecting – be it bank records, password change requests, emails that a user has subscribed to, or even ones that come from your company’s IT department.
Make sure you run a check before downloading any attachments, especially unsolicited emails – better yet, double-check the sender’s email address and keep an eye out for high-risk attachment files. VirusTotal is a free, handy tool that you use to scan for viruses in attachments. Sometimes, the sender’s email address may look similar to the company’s official email address and users may fail to catch this.
Cybercriminals are always looking to tailor the next scam as authentic and legitimate as possible. Without staying abreast on the latest techniques, you might fall prey to one. By keeping yourself informed, chances are you’ll find out about the scams as early as possible.
Cyber experts highlighted that spear phishing attacks are on the rise. While phishing scams often target a large audience, hoping one of them falls victim, spear phishing targets specific individuals or a small group. They are far more sophisticated than others and oftentimes, carry impersonation attacks.
The emails might look like they’re coming from a trusted company platform and also include highly-personalized context to trick the receiver.
How is this done? Spear phishing usually targets someone with access privileges to valuable data. Most often, companies that do not have a sender policy framework (SPF) – an email authentication system which detects and prevents spammers from sending emails from forged email addresses – fall victim to this attack.
By leveraging this blind spot, hackers craft context-driven emails – data that’s picked up from documents available online that traces the receiver’s details. This could include anything from the latest project that the person worked on, the team members that worked on this project and the software version that’s used to create the document.
If the hacker obtains these details, an email can be sent to the receiver covering this context. For example, it could read “Hi Andres, would you please take a look at the report Jane was working on? She mentioned you would give us some feedback” – sent from a legitimate-looking email account.
Once their computer has been compromised, the attacker can access the corporate network to expand the phishing attack. A quick search reveals that organizations like White House and the US Department of Defense have been compromised through similar attacks.
Never provide sensitive information over email, and chances are if you receive an email requesting you to provide credit card details, tax number, social security information or any other sensitive details, it’s a scam.
If the data is necessary, ensure you log in to the website directly over a secure network and submit the information.
Look out for the sender’s email address – if the email address does not seem to come from an authentic company-provided account or seems to be inconsistent with emails you’ve received previously from the company, it’s a potential red flag. Here’s a very convincing email, but if you look closely, the email domain is not a legitimate one.
One of the easiest ways to identify a scam email is through bad grammar. Hackers aren’t stupid – their aim is to target the less observant, oftentimes uneducated since they’re easier victims.
You might notice that some emails redirect you to a rogue website or a fake web page wherever you click – the whole email would be a gigantic hyperlink, which would auto-download spam attachments or open an insecure website if you click anywhere in the email.
Double-check URLs that are linked to the text. If it isn’t identical to the URL that’s displayed, it’s a sign you might be directed to a website you don’t want to visit. If the link does not match the email’s context, don’t trust it.
The presence of SSL doesn’t tell you anything about site legitimacy, the SSL/TLS certificates are to encrypt the connection between the browser and the server which avoids intrusion from hackers.
In order to find, is this website safe , we need to figure it out if the URL received from an unknown source and we would recommend cross-checking the URL before clicking on it.
Promises of instant riches or winning hundreds of millions in lottery are common tactics that most people are used to. Hackers seek to take advantage of your anxiety or concern by alerting you to a time-sensitive action pending from you, and eventually get you to provide sensitive information.
It’s not just banks or credit card providers that scammers use as cover for their phishing emails. They also resort to sending notifications that appear to be from the IRS or other government agencies to scare their targets into giving up their information.
Today, most browsers support anti-phishing toolbars that run quick checks on the websites that you visit and compare the data against a list of known phishing web pages. Accidentally, if you follow a link that opens a malicious website, the toolbar will be able to alert you.
Anti virus software are also great tools to detect harmful files. These softwares scan all files that are transferred through the internet onto your device. Anti-spyware and firewall settings can also provide an additional layer of security.
However, there’s no fool-proof way to avoid phishing scams or malicious attacks. Online scams continue to evolve. Make sure you tap into robust security solutions to reduce your risk of falling prey to phishing emails.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates