Phishing is a type of fraud in which a hacker attempts to gather personal information or credentials by impersonating a trusted person or company brand, typically with a link that sends you to a malicious website or file. Without proper training, a user will not easily recognize such an email as a phishing attempt.
Content That Includes Enticing or Threatening Language
A false promise, a quick reward, or a threat that you will lose something can create a sense of panic, urgency, or curiosity.
Emails that have an aggressive tone or claim that immediate action must be taken to avoid repercussions should immediately be considered a potential scam. Two examples of this are phishing emails telling users their critical accounts are locked or that an invoice must be paid to avoid services being suspended.
Email Addresses Can Be Spoofed
Never trust an email based simply on the sender's email address. Hackers have many ways to disguise emails and "spoof" the "from" sender. Two common types of spoofing use visible aliases and cousin domains.
Visible alias spoofing, known as "display name spoofing," is where the phisher uses a legitimate company name as the visible sender name, such as email@example.com, but the address underneath is a random one like firstname.lastname@example.org. This is especially effective on a mobile device because the mail client often shows only the display name and hides the sender's actual address.
A cousin domain looks nearly identical to a legitimate domain, but it has been slightly altered. For example, to spoof an Apple.com email, the hacker might use Apple.co. In other cases, hackers will use confusing extended domains, such as email@example.com.
Links Aren’t Always What They Seem
Every phishing email includes a link, but phishing links are deceptive. While the link text might say "Reset Your Google Password," the URL takes the user to a phishing page designed to look like Microsoft. Make sure your employees hover over all links before clicking them to see the pop-up that displays the link's real destination. If it is not the website they expected, it is probably a phishing attack.
It is most important to make sure that the core of the URL, the actual domain rather than the text around it, is correct. Be especially cautious of URLs that end in unfamiliar top-level domains instead of .com or .org.
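As an added example (not from the original article), the following Python script checks a raw email for the three tricks described above: display-name spoofing, cousin domains one character away from a trusted domain, and links whose visible text names a brand but whose real destination is elsewhere. The trusted-brand table, the sample message and its domains are all constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the organisation expects mail from, mapped to their legitimate registrable
# domain. This table is an assumption made for the example, not an authoritative list.
TRUSTED = {"apple": "apple.com", "google": "google.com", "microsoft": "microsoft.com"}

def registrable(host):
    """The 'core' of a hostname: its last two labels (a deliberate simplification)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def within_one_edit(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return a[i + 1:] == b[i + 1:] or a[i + 1:] == b[i:] or a[i:] == b[i + 1:]

def analyse(raw_message):
    """Return findings for display-name spoofing, cousin domains and deceptive links."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    findings = []
    for brand, legit in TRUSTED.items():
        if brand in name.lower() and sender != legit:
            findings.append(f"display-name spoofing: '{name}' sent from {sender}")
        if within_one_edit(sender, legit):
            findings.append(f"cousin domain: {sender} resembles {legit}")
    # Simple anchor extraction for the example; a real filter would use an HTML parser.
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = urlparse(href).hostname or ""
        for brand, legit in TRUSTED.items():
            if brand in text.lower() and registrable(host) != legit:
                findings.append(f"deceptive link: '{text.strip()}' points at {host}")
    return findings

# Constructed sample message (not from the page); the domains are made up for illustration.
SAMPLE = """From: "Apple Support" <support@apple.co>
Content-Type: text/html

<p>Please <a href="http://appleid.apple.co.example-phish.test/reset">Reset Your Apple Password</a></p>
"""
```

Calling analyse(SAMPLE) reports all three tricks for the sample, while a message from the genuine domain with a matching link produces no findings.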
Phishing Links Can Be Sent via Attachment
All phishing emails contain a link, but it’s not always in the email. To avoid detection by email security filters, hackers will include a phishing link in an attachment, such as a PDF or Word doc, rather than the body of the email. And because sandboxing technology scans attachments for malware, not links, the email will look clean. The email itself will appear to be from a legitimate business, vendor, or colleague, asking you to open the attachment and click on the link to review or update information.
Hackers Use Real Brand Images and Logos in Phishing Emails
Brand logos and trademarks are no guarantee that an email is real. Brand images are public and can be downloaded from the internet or easily replicated. Even antivirus badges can be inserted into emails to persuade victims that an email is from a legitimate source. While most email filters can spot a known phishing URL, they cannot spot a counterfeit image unless they have machine learning and computer vision capabilities.
Attacks Are Becoming More Personal
Spear-phishing attacks can be highly personalized, appear to come from colleagues, and are designed to evoke fear of consequences at work. A classic example is an urgent email from your manager requesting gift cards or a wire transfer. Receiving such a request from a higher-level executive puts pressure on the employee to act quickly—without thinking it through. Another example is the direct deposit spear-phishing email, which is designed to pressure an employee into changing direct deposit information.
An Employee Received a Phishing Email—Now What?
Deleting the offending email is not the solution—Information Security (IS) needs to know that you are being targeted. Please contact the Information Security department immediately and forward your suspicious email to firstname.lastname@example.org so that the Information Security department can take appropriate action.