By Dennis Shelly

What is a Phishing attack and what are Phishing Emails?

The name “phishing” is a variation on the word “fishing,” as criminals dangle a fake “lure” (a legitimate-looking email, website, or ad) in the hopes that consumers will “bite” and provide the details the criminals seek – such as credit card numbers, account numbers, passwords, usernames, or other sensitive information. The term was introduced in the mid-1990s by hackers attempting to dupe AOL users into divulging their login credentials. The “ph” was presumably inspired by the word “phreaking,” short for “phone phreaking,” an early method of hacking that involved playing sound tones into telephone handsets to get free phone calls.

It is one of the most common forms of cybercrime, and one in which your sensitive and personal information can be stolen. Phishing scammers pose as major corporations or other trustworthy entities to trick you into voluntarily providing information such as your website logins and credit card numbers. Most phishing scammers contact you via text or email.


A phishing email is a fake or fraudulent email message that appears to be sent by a legitimate source, for example your bank, the IRS, or Social Security, just to name a few. These emails request sensitive personal information in a variety of ways. If you don’t look closely at the emails you receive, you may not be able to tell the difference between a legitimate email and a phishing email. Scammers work hard to make phishing emails look as authentic as possible, which is why you should be cautious when opening suspicious emails and clicking the links they contain.

Only a few phishing scams have been effective enough to make headlines, but here are some that did:

  • In 2016, hackers succeeded in persuading Hillary Clinton campaign chair John Podesta to hand over his Gmail password, with what was perhaps one of the most significant phishing attacks in history.
  • The “fappening” attack, in which private photographs of a variety of celebrities were made public, was initially believed to be the result of a security flaw on Apple’s iCloud servers, but it was instead the result of a series of successful phishing attempts.
  • Employees at the University of Kansas fell for a phishing email in 2016, handing over the passwords to their paycheck deposit records and missing out on pay as a result.

According to the 2019 Verizon Data Breach Investigations Report, phishing was involved in about a third of all attacks in the previous year. This figure rises to 78 percent for cyber-espionage attacks. The bad news for 2019 is that the perpetrators are getting a lot better, helped by well-produced, off-the-shelf software and frameworks. The frequency of phishing scams has risen substantially in recent months, with businesses facing an average of 1,185 attacks per month, according to the latest data from the report. In addition, 38% of respondents said they had seen a coworker being attacked in the last year. As a result, 15% of companies are already spending one to four days investigating malicious threats, during what is still a precarious and frustrating era for many.

The 2020 Phishing Attack Landscape Study, commissioned by GreatHorn and conducted by Cybersecurity Insiders, polled 317 experts from the cybersecurity sector, ranging from executives to IT protection specialists, about their personal encounters during the COVID-19 pandemic. The study detailed how businesses fared in the face of phishing attacks throughout the pandemic and how the time and resources budgeted for cybersecurity activities changed over that period, and asked participants to rate their level of sensitivity and proficiency in detecting and preventing phishing emails. The findings revealed a significant rise in the number of targeted phishing attacks, as well as a significant increase in the amount of time spent on threat mitigation, removal, and additional incident response, highlighting the risks faced by businesses that do not emphasise employee cybersecurity awareness.

How to Spot Phishing Emails?

Scammers keep on changing their tactics all the time, but certain signs can help you spot phishing emails.

Check the sender’s email address first. Mismatches in the sender’s address (for example, a “From” address that does not match the envelope sender), a suspicious path between sender and recipient, and the use of an unusual email client are all possible signs of a phishing email.

Check the email’s headers. Mail headers contain a lot of information that can be used to spot possible phishing emails. Some of it is easy to read and understand: the DKIM and SPF results, for instance, state whether verification succeeded or failed. Other headers require some understanding of their purpose before they are helpful in analysing an email.
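To show how the two header checks above can be applied, here is an added example (not from the original article) that parses a message and flags a From/Return-Path domain mismatch and any SPF or DKIM result that is not “pass”. The two messages are constructed for illustration and use reserved example domains.

```python
"""Added example: flag the header-level phishing indicators described above."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample: the visible From claims a bank, but the envelope
# sender (Return-Path) and the authentication results say otherwise.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-srv-0192.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-srv-0192.example.net; dkim=none
From: "Example Bank Security" <alerts@examplebank.example>
To: victim@example.com
Subject: Urgent: verify your account within 24 hours

Your account will be suspended unless you act now.
"""

# Constructed sample of a message whose headers are consistent.
SAMPLE_LEGIT = """\
Return-Path: <alerts@examplebank.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examplebank.example; dkim=pass header.d=examplebank.example
From: "Example Bank" <alerts@examplebank.example>
To: customer@example.com
Subject: Your monthly statement is available

Log in at your usual address to view your statement.
"""

def sender_domain(addr_header):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def auth_results(header):
    """Extract method=result pairs (e.g. spf=fail) from Authentication-Results."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I)
    return {k.lower(): v.lower() for k, v in pairs}

def header_indicators(raw):
    """Return indicator strings: From/Return-Path mismatch, non-pass SPF/DKIM."""
    msg = message_from_string(raw)
    indicators = []
    from_dom, rp_dom = sender_domain(msg["From"]), sender_domain(msg["Return-Path"])
    if rp_dom and from_dom != rp_dom:
        indicators.append(f"from/return-path mismatch: {from_dom} vs {rp_dom}")
    results = auth_results(msg["Authentication-Results"])
    for method in ("spf", "dkim"):
        if results.get(method) != "pass":
            indicators.append(f"{method}={results.get(method, 'missing')}")
    return indicators
```

Headers can be forged by the sender, so only the Authentication-Results added by your own receiving mail server should be trusted.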

Be alert when you receive emails demanding urgent action. Phishing emails often threaten a negative outcome or a lost opportunity unless immediate action is taken. Attackers use this technique to make recipients act before they have had a chance to examine the email for flaws or discrepancies. In 2019, this tactic was believed to be responsible for at least half of all cybercrime-related business losses.

Beware of suspicious attachments. Collaboration tools like SharePoint, OneDrive, and Dropbox now handle the majority of work-related file sharing, so even internal emails with attachments should be treated with caution – particularly if the extension is unfamiliar or one usually associated with malware (.zip, .exe, .scr, etc.).

Requests for login credentials, payment information, or sensitive information via email. Emails requesting login credentials, payment information, or other sensitive data from an unexpected or unfamiliar sender should always be handled with caution. Spear phishers create fake login pages that resemble the real thing and send an email with a link that takes the recipient to the fake page. If a recipient is redirected to a login page or informed that a payment is due, they should not enter any information until they are confident the email is authentic.

Most attacks are carried out automatically. Scammers don’t have to monitor inboxes or send tailored responses when they run phishing campaigns; they simply send out thousands of carefully crafted messages to unsuspecting recipients. They have no reason to narrow the list of recipients, since doing so would shrink the pool of prospective victims, and the recipients who did not fall for the scam can alert others to it.

How to identify real and fake companies’ emails?

Recognize real vs. fake company emails. You can tell phishing emails apart from legitimate company emails because legitimate company emails:

  • do not ask for sensitive information via email.
  • normally address you by your name.
  • come from addresses on the company’s own domain.
  • are free of spelling mistakes.
  • do not pressure you into visiting their website.
  • would not send you unsolicited attachments.
  • contain links that match the company’s legitimate URLs.
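The last item on the checklist, links that match legitimate URLs, can be checked mechanically. This added example (not from the original article) parses an HTML email body and reports every link whose visible text is itself a URL on a different domain than the one the link actually points to; the sample HTML is constructed for illustration.

```python
"""Added example: find links whose visible URL text does not match their target."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the first anchor shows the bank's address but points elsewhere.
SAMPLE_HTML = """
<p>Please <a href="http://examplebank.example.login-verify.test/account">https://www.examplebank.example/login</a>
to keep your account active.</p>
<p>Questions? Visit <a href="https://www.examplebank.example/help">our help center</a>.</p>
"""

def registrable_domain(host):
    """Last-two-labels approximation of the registrable domain. Good enough for
    the sample; a production check would consult the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return (visible text, href) pairs where the text is a URL whose domain
    differs from the href's domain. Text that is not a URL is skipped."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        shown = urlparse(text)
        if shown.scheme not in ("http", "https") or not shown.hostname:
            continue  # plain words like "our help center": nothing to compare
        actual = urlparse(href)
        if registrable_domain(shown.hostname) != registrable_domain(actual.hostname or ""):
            suspicious.append((text, href))
    return suspicious
```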

What to do if you suspect an email is a phishing attempt?

Don’t open it. Just delete it. Sometimes merely opening the message can execute harmful files, so if you are not sure, just toss it!

Mark it as spam. Whether you access your email online or via an email client installed on your computer, almost all email clients have an option to mark an email as spam; this deletes the email and permanently removes it from your inbox.

Never click links. It’s highly likely that these phishing emails and their embedded links are malicious and are designed to harm you, your colleagues, and the organization. These links usually direct you to fraudulent websites that ask for your login information and Personally Identifiable Information (PII).

EggHead IT is here to help. We understand there is no “one size fits all” solution to phishing scams, so to prevent phishing attacks we provide consultations and support custom-tailored to you. We are the team that can help prevent such exposure and offer the education and defenses to keep you safe.

Have a suggestion for our next article or have questions regarding e-mail security? Please contact us by calling (760) 205-0105 or emailing us at tech@eggheadit.com and our Eggsperts are happy to help you with your questions or suggestions.
