Think before you click
Almost five billion people use email every day to manage their daily affairs because it is an efficient and convenient means of communication. While email is a valuable communication tool, it also carries a number of threats and risks. Criminals use email for phishing attacks that aim to obtain sensitive information, such as credit card numbers or personal identification details, or to induce victims to perform an action that compromises their security.
Understanding phishing emails
A phishing email is an email that impersonates a trusted party in order to get the recipient to perform a specific action. The attacker uses social engineering techniques to make the email appear genuine and typically asks the recipient to click on a link, open an attachment, or provide sensitive information such as login details.
Socially engineered phishing emails are dangerous. They are structured to be relevant to their targets and often appear genuine, so the recipient trusts the email and carries out the task it requests. The results can be devastating. If the recipient clicks on a link to a malware-infected website, opens an attachment with a malicious payload or reveals their login details, an attacker gains a foothold on the network that may go undetected for a long time. It is also quite frightening how much you can find out about a person on the internet without having to break into databases or trick someone into revealing confidential information.
The role of social media in phishing
Criminals can quickly gather personal information from social media sites, professional profiles, and other online publications to identify potential triggers that people respond to. It wouldn’t be too difficult to find information about an employee’s children, their school, and an event at the school to send an email to parents asking them to click on a link or open an attachment so their child can attend the event. Machine learning and artificial intelligence will enable scammers to gather this information much more quickly in the future.
How to identify phishing emails
According to University of British Columbia statistics, around 150 million phishing emails are sent out every day and around 80 000 people fall for a scam every day. This can result, for example, in stolen identities, financial loss, and credit card fraud. So how can we identify phishing emails and avoid falling for them?
Emails that threaten negative consequences or lost opportunities unless urgent action is taken are a classic sign of phishing. Attackers use this pressure to rush recipients into acting before they have had a chance to examine the email for errors or inconsistencies. Poor grammar and spelling mistakes are another indicator. Many companies run spell-check tools by default on outgoing emails, and browser-based email clients highlight or auto-correct errors, so a message from a legitimate organisation rarely contains obvious mistakes. The reverse does not hold, however: a well-written email can still be phishing, so the absence of errors proves nothing on its own.
Emails between colleagues usually contain an informal greeting. Those that begin with “Dear”, or that contain phrases not normally used in everyday office conversation, probably come from a source unfamiliar with your company’s style of communication and should raise suspicion. Another way to identify phishing is to look for inconsistencies in email addresses, links and domain names. Does the email come from an organisation with which you frequently exchange correspondence? If so, check the sender’s address against previous emails from the same organisation, including any Reply-To address, which may differ from the visible sender. Check whether a link is legitimate by hovering the mouse pointer over it (on a touch screen, press and hold) and reading the destination it displays; what matters is the actual domain of that destination, not the text you can see. If the email claims to be from Google, for example, but the link or the sender’s address belongs to a different domain, the email may well be a phishing attack.
Suspicious attachments and requests, too good to be true
Most work-related file sharing today is done through well-known and widely used collaboration tools. Internal emails with attachments should therefore be treated with suspicion, especially if they carry an unfamiliar file extension or one commonly associated with malware (.zip, .exe, .scr, etc.). Watch for double extensions such as "invoice.pdf.exe": the operating system treats the file by its last extension, and Windows hides known extensions by default, so the name may display simply as "invoice.pdf". Emails from an unexpected or unknown sender requesting login details, payment details or other sensitive information should always be treated with caution. Spear phishers can clone a login page so that it looks like the real thing and send an email with a link that directs the recipient to the cloned page. When the recipient lands on such a login page or is told that a payment is required, they should not enter anything unless they are certain the email is legitimate; rather than following the link, open the service by typing its address or using a bookmark.
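The attachment checks above, the risky extension, the double extension and a file whose content does not match its name, can be scripted. The following Python code is an added example and not part of the original article; it builds a constructed message with three invented attachments (a clean PDF, a file named .pdf that is really a zip archive, and an executable disguised as "Invoice_2024.pdf.exe" with a declared PDF type) and triages each one by its name, its declared MIME type and its leading bytes. The extension list goes beyond the three the text names, adding other common malware carriers.

```python
"""Triage email attachments by name, declared type and magic bytes (added example)."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# The extensions the article names plus other common malware carriers.
RISKY_EXTENSIONS = {"exe", "scr", "zip", "js", "vbs", "bat", "cmd", "msi", "hta", "lnk", "iso"}
# Leading bytes ("magic numbers") of a few formats; enough to unmask a renamed executable.
MAGIC = [
    (b"MZ", "executable (PE)"),
    (b"\x7fELF", "executable (ELF)"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip/office"),
]
# What the name or the declared MIME type claims the content is.
EXT_KIND = {"pdf": "pdf", "zip": "zip/office", "docx": "zip/office", "xlsx": "zip/office"}
MIME_KIND = {"application/pdf": "pdf", "application/zip": "zip/office"}


def sniff(data: bytes) -> str:
    """Identify content by its leading bytes, ignoring filename and declared type."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes, declared_type: str) -> list[str]:
    """Return a list of findings for one attachment (empty means nothing suspicious)."""
    findings = []
    exts = filename.lower().split(".")[1:]          # "a.pdf.exe" -> ["pdf", "exe"]
    last = exts[-1] if exts else ""
    if last in RISKY_EXTENSIONS:
        findings.append(f"risky extension .{last}")
    if len(exts) > 1:
        findings.append(f"double extension .{'.'.join(exts)}; the operating system treats it as .{last}")
    kind = sniff(data)
    claimed = EXT_KIND.get(last) or MIME_KIND.get(declared_type)
    if kind.startswith("executable"):
        findings.append(f"content is an {kind} although it is declared as {declared_type}")
    elif claimed and kind != claimed:
        findings.append(f"content looks like {kind}, not the claimed {claimed}")
    return findings


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment filename to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        report[name] = triage_attachment(name, part.get_payload(decode=True), part.get_content_type())
    return report


def build_sample() -> bytes:
    """Constructed message: one clean PDF, one mislabelled archive, one disguised executable.
    The sender address is invented."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <ap@example.com>"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4\n% placeholder\n", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="Invoice_2024.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in triage_message(build_sample()).items():
        print(name, "->", findings or ["no findings"])
```

The disguised executable is caught three times over (risky extension, double extension, PE header under a PDF label), the mislabelled archive once (zip bytes where a PDF was claimed), and the genuine PDF not at all. The magic-byte check is the one that survives renaming; mail gateways apply the same idea with far larger signature tables.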
Emails that encourage the recipient to click on a link or open an attachment, claiming that they will receive some kind of reward, are too good to be true.
If you want to learn more about this topic, check these:
https://privacymatters.ubc.ca/phishing-emails
https://www.getcybersafe.gc.ca/en/resources
https://cofense.com/knowledge-center/how-to-spot-phishing
https://en.wikipedia.org/wiki/Phishing
https://www.statista.com/statistics/255080/number-of-e-mail-users-worldwide