An overwhelming number of applications allow employees and clients to communicate in new ways. However, no matter how many communication platforms they develop, email will likely dominate for years to come in organizations of all sizes.
It is virtually impossible to keep all security threats at bay. That is especially true for phishing, where criminals send malicious emails to deceive users into giving up sensitive information, such as a credit card number or an account login.
Most of us believe we’d be able to spot fake emails quickly. The truth is, phishing has advanced far beyond the primitive Nigerian Prince messages into more elaborate and well-crafted schemes.
The Most Popular Types of Phishing
At its core, phishing entails an attacker tricking someone into doing something. That action may be opening a Word document that downloads malware onto the victim’s computer, transferring funds, or giving up personal or financial information. In any case, it does not bode well for the victim.
Although the different types of phishing emails are continually growing, there are three tried and true schemes that catch most users off guard.
1. Spear phishing
This type of phishing sends emails ostensibly from a known or trusted sender to one specific person or organization.
Assailants often thoroughly research their victim to gain the greatest advantage. For example, the email may reference a recently attended conference or event to spark the recipient’s interest and catch them off guard.
2. Whaling
Whaling is a very targeted form of phishing in which executives get duped into sharing sensitive data. That scheme involves getting them to reveal personal or corporate data that can be sold or shared on the dark web or used for financial gain. Rather than focusing on lower-level employees, these scams go for the ‘big fish.’ The bigger the fish, the more valuable the information the attackers gain.
3. Business email compromise
These attacks impersonate executives authorized to make wire transfers and use their accounts to trick other employees into sharing personal or financial information. BEC attacks are unique in that they often involve more than one victim. Typically, an attack starts with the attacker compromising a CEO’s or CFO’s email account, either by leveraging an existing infected system or through spear phishing. The attacker then monitors the compromised mailbox to learn how to imitate the executive’s writing style, find other targets and create messages that wouldn’t seem unusual to recipients. The final step involves asking for a transfer of funds from the compromised account.
Uncovering a Phisher
There are often, but not always, tell-tale signs that an email message is not what it seems.
The first clue is an unusual email address. If you have never received a message from that person before, be suspicious.
The second clue is the use of bad grammar. Grammatical errors are not as obvious today as they were when cybercriminals first invested in phishing. These scams often originate from the far corners of the world, where English spelling and grammatical errors are more common.
The most obvious sign of a possible phishing scam is the use of scare tactics. Messages about a compromised account or a virus on your computer may very well be phishing attempts.
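The three tell-tale signs above can be turned into a first-pass triage for a mail client or help desk. The following is an added example, not code from the original article; the known-sender list, the scare-phrase patterns and the two sample messages are all constructed for illustration (grammar checking is left out, since it needs a language model rather than a pattern list).

```python
"""Flag the tell-tale phishing signs described above: an unfamiliar sender,
scare-tactic wording, and links or attachments the reader is pushed to act on."""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical allow-list of addresses the reader has exchanged mail with before.
KNOWN_SENDERS = {"alice@example.com", "billing@example.org"}

# Scare-tactic phrases of the kind the article calls out (constructed, not exhaustive).
SCARE_PHRASES = (
    r"account (has been|was) (compromised|suspended|locked)",
    r"virus (has been )?detected",
    r"verify your (account|password|identity)",
    r"within \d+ hours?",
)

def triage(raw_message: str) -> dict:
    """Return the signs found in one RFC 5322 message and a simple count."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    addr = parseaddr(str(msg.get("From", "")))[1].lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    signs = []
    if addr not in KNOWN_SENDERS:  # clue 1: never corresponded with this address
        signs.append("unfamiliar sender")
    if any(re.search(p, text, re.IGNORECASE) for p in SCARE_PHRASES):  # clue 3
        signs.append("scare tactics")
    has_link = re.search(r"https?://\S+", text) is not None
    has_attachment = any(True for _ in msg.iter_attachments())
    if has_link or has_attachment:  # what the reader is urged to click or open
        signs.append("link or attachment")
    return {"sender": addr, "signs": signs, "score": len(signs)}

# Constructed sample messages: one phishing lure, one routine note from a colleague.
PHISH = """\
From: "IT Support" <helpdesk@examp1e-security.test>
To: bob@example.com
Subject: Your account has been compromised - act within 24 hours
Content-Type: text/plain; charset="utf-8"

We detected a virus on your computer. Verify your account now:
https://examp1e-security.test/login
"""
BENIGN = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: Slides from Tuesday's meeting
Content-Type: text/plain; charset="utf-8"

Hi Bob, here are the slides we discussed. Thanks!
"""
```

A score of two or more is a reasonable trigger for the "play it safe" advice that follows; a single sign on its own (a new but legitimate correspondent, say) is common in normal mail.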
What to Do When You Suspect Phishing
If you are ever unsure about the sender of an email or the message itself, play it safe!
Don’t open attachments and certainly don’t follow the links. If the message looks to be from a reputable source, go to the company’s website directly (not using the link) and log in directly.
Always be suspicious. If you didn’t enter any contest or don’t have an account with the alleged company that is contacting you, chances are good you’ve been phished.
If you receive warnings about your computer or the status of important accounts, contact the source through the normal channels before responding to a potentially fraudulent email.
What will you do differently to protect yourself and your employer?