Phishing is a cybercrime in which a target is contacted by email, telephone, or text message by someone posing as a reputable institution or a trusted individual.
The attacker uses that veil of reputation and trust to trick the victim into doing something that they shouldn't.
People behind these phishing attacks want personally identifiable information, such as banking or credit card details or social security numbers; they might want to trick the victim into launching malware or transferring money; or they might want to lead the victim into sharing passwords that protect email or software applications.
Phishing is extremely common! Hundreds of millions of phishing emails are sent every day--billions every month! You've probably received a phishing attempt this week.
Spam filtering keeps many of these attempts out of your inbox, so you might not have noticed all of them, but your business is being bombarded. And the number of phishing attacks is on the rise.
Phishing is the top crime type reported to the FBI Internet Crime Complaint Center. Source: FBI Internet Crime Report 2021.
Phishing is widespread because it's inexpensive. It has low overhead, and it sometimes works. If adversaries make billions of phishing attempts, that "sometimes" adds up to a lot of successful attacks.
According to the Verizon 2021 Data Breach Investigations Report, 36% of breaches in 2021 involved phishing. It's widespread because it's successful.
Typically, the victim receives an email that entices them to click on a link, open an attachment, or fill out a form and then reveal sensitive information.
The sensitive information could be your email address, username, and passwords, but it could also be credit card information, banking details, trade secrets, or other information that your business wants to keep confidential.
Typically, a successful phishing attack ends in financial loss.
Additionally, if you work in a highly regulated industry, like healthcare, defense, or financial services, you may be required to report and publicly disclose the breach, depending on what information has been leaked.
So, the financial loss is not just from the attack, but it also includes the consequential damages to your business's reputation and your ability to continue operating in a highly-regulated industry.
So how can you spot these things and what should you be looking for?
Well, some cybersecurity experts recommend keeping the S.L.A.M. acronym in mind.
It stands for: "Sender, Links, Attachment, and Message."
The sender is likely to be someone you weren't expecting to hear from. If you look closely, there may be clues in the sender's email address.
Look very carefully! What looks like a special font may actually be a special character from another alphabet. For example, this email address is made up largely of characters from the Cyrillic alphabet.
Instead of replying directly to a suspicious sender, use another channel of communication. Go to the organization's website. Call their main number and ask to be transferred to the department that emailed you. Then validate the legitimacy of the message.
Be very cautious about clicking links in suspicious email.
Hovering over hypertext links without clicking will reveal where they lead.
Oftentimes, the attacker will try to disguise the URL. You can see here that the actual domain that this link directs to is "ameri-serve.com." They've tried to make it look like paypal.com with the first part of the address, but it really isn't PayPal.
Again, if something looks suspicious, do not click the link. Use another channel to validate the legitimacy of the message.
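The sender and link checks described above, as an added Python example (not part of the original training material or EXP Academy's own tooling): it flags a sender domain that mixes Latin and Cyrillic letters and shows the host a disguised link really points to. The addresses and URLs are constructed samples.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed samples (not from the original training material). The second
# sender address uses U+0430, Cyrillic small letter a, in place of Latin "a".
LEGIT_SENDER = "service@paypal.com"
SPOOFED_SENDER = "service@p\u0430ypal.com"
DISGUISED_LINKS = [
    "http://paypal.com.ameri-serve.com/signin",   # brand name as a subdomain
    "http://paypal.com@ameri-serve.com/signin",   # brand name in the userinfo part
]

def scripts_in(text):
    """Unicode scripts used by the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            # The first word of the character's Unicode name names its script.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def sender_domain(address):
    """Domain part of an email address, lower-cased."""
    return address.rpartition("@")[2].lower()

def sender_looks_spoofed(address):
    """True if the sender's domain contains non-ASCII letters or mixes scripts."""
    domain = sender_domain(address)
    non_ascii = any(ord(ch) > 127 for ch in domain)
    return non_ascii or len(scripts_in(domain)) > 1

def punycode(domain):
    """ASCII (IDNA) form of a domain; lookalike domains show up as xn-- labels."""
    return domain.encode("idna").decode("ascii")

def real_host(url):
    """Host a link actually points to; userinfo and path are ignored."""
    return (urlsplit(url).hostname or "").lower()

def registered_domain(host, labels=2):
    """Last `labels` labels of a host. Simplification: without a public-suffix
    list, names under co.uk-style suffixes need labels=3."""
    return ".".join(host.split(".")[-labels:])

def link_is_disguised(url, expected_domain):
    """True if the link's real registered domain is not the one it imitates."""
    return registered_domain(real_host(url)) != expected_domain.lower()
```

Run `sender_looks_spoofed(SPOOFED_SENDER)` and `real_host(DISGUISED_LINKS[1])` to see the Cyrillic lookalike flagged and the userinfo trick stripped away.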
Phishing attempts often include attachments that are in a format that's common to your job description.
For example, sales reps might get Excel spreadsheets with titles like "2022CommissionStructure.xlsx." Accounts payable personnel might get malicious attachments made to look like invoices or wire transfer instructions.
The key point here is to be very, very cautious when opening attachments. A phishing attempt may appear to come from a trusted source. It might pass the sender test but still contain a malicious attachment.
When in doubt, again, use another channel to verify the legitimacy or contact your IT department and have them investigate.
Phishing attacks are NOT highly personalized. There's a different classification for highly personalized email attacks.
Remember there are hundreds of millions of phishing attacks every day. These are mass emails that are sent to thousands of people at a time. The people behind these attacks might use some form of automated personalization--the message might go to a broad database of accounts payable personnel, or it could include the recipient's name in the salutation--but it's not going to include anything that can't be automated on a large scale.
So, a lack of personalization is a clue that you might be looking at a phishing attempt.
Another common attribute of a phishing email is that they try to establish some kind of urgency in the message.
In fact, many different cyberattacks ratchet up the tension in order to manipulate the victim.
In a phishing attack, they want you to take action, so they play on your fear that something very bad will happen if you don't respond right away. "Act NOW to avoid account suspension!" "Deadline is TODAY!"
This sort of time sensitivity is very common in phishing attacks.
There may be a ruse involved in the attack. The attacker might say, "I have all of your browsing history and compromising photos of you, and we'll send this to all of your contacts today if you don't follow these instructions..." This sort of pressure encourages the victim (you) to behave irrationally, to act before you think.
There are other clues in the message that help you identify a phishing attack. Attackers are getting better these days, but spelling and grammatical errors are not uncommon in phishing emails. The sender may not be a fluent English speaker or may not be familiar with American vernacular or colloquialisms.
Phishing emails may contain obvious errors. If you see a typo or a grammatical or spelling error in an email that's supposed to be from a large institution, like a Fortune 500 corporation or your local utility, that should be a giant red flag for you.
Keep in mind, large corporations have armies of copywriters and editors. It's extremely unlikely that a spelling error would get past those experts. You're not going to see a legitimate email from Netflix that's full of misspelled words, bad grammar, and poorly applied figures of speech.
So here's an actual example. We have "activer," which doesn't really mean anything in English, and that's the button they want you to press. And again, if you hover your mouse over a link, it will show you the real address, the real URL, where that link will take you.
The key takeaway here is: be cautious! Be skeptical of any emails that you weren't expecting.
Check the SENDER's email domain. Validate and verify the source of suspicious messages.
Hover your mouse over LINKS to identify where they really lead. Use other channels of communication to verify the legitimacy of a message that you might receive.
Do not open suspicious ATTACHMENTS.
Look for clues in the MESSAGE that might indicate you are being attacked.
Most importantly: slow down!
If you have any doubt about an email message, don't click it; don't open an attachment; don't respond. Ask! Ask your IT department for help or use an alternate channel to contact the purported sender to check on the message's legitimacy.
This video and transcription are an excerpt from the Security Awareness Training course at EXP Academy.
EXP Academy is a free technology training resource created for business leaders and computer users across the Pacific Northwest.
Every course at EXP Academy is available at no charge. There is no paid premium content. No upsell. No in-product advertising.
Our goal at EXP Technical is Serving People Through Technology. Providing free training to enhance security and improve efficiency of businesses here in the Greater Seattle Area is one way that we can serve people in our community.
Security Awareness Training at EXP Academy has been approved by the Washington State Bar Association for one hour of continuing legal education (CLE). Security Awareness Training at EXP Academy meets the requirements established by the Washington State Board of Accountancy for one hour of continuing professional education (CPE).
February 23, 2023