Email is one of the most common forms of communication in the world and it is extremely prevalent in B2B interactions. Considering this, it is natural that bad actors will attempt to use this widely used communication tool to cause damage or sabotage. Today, we discuss one of the most common forms of fraudulent techniques: phishing emails.
Let’s start by defining what phishing emails are and what their goal is.
Phishing emails are disguised as legitimate messages from a reputable company (a bank or credit card company, for instance) or from someone inside your own organization, such as upper leadership. They are built to look like official communication from that company or person, and their purpose is to get the recipient to hand over sensitive information: usernames, passwords, credit card numbers, social security numbers, and so on.
The goal is usually to collect that information from as many people as possible, whether for profit, sabotage, or another malicious end. Targeted variants aimed at one person or one company exist as well; the CEO fraud scheme described further down is one of them.
Some phishing email statistics you might want to consider
Phishing attacks come in many formats, but about 96% of phishing attempts arrive by email, and that number has been growing at a rate of about 7.5% since 2021.
This is a natural consequence of the increase in remote work: as companies keep moving into the remote space, more security gaps come to light while people and processes adapt.
When a phishing attack succeeds, it is usually because of human error; that is the case in about 85% of successful attacks. The flip side is that most phishing emails can be avoided with basic cybersecurity training and by applying best practices when handling information.
Most companies receive phishing attempts regularly. Anti-spam and other protection filters do most of the work; the members of the organization have to catch whatever gets through.
Common sense will take you a long way when it comes to dealing with phishing emails, don’t underestimate it!
Let’s look at some tips on how to identify a phishing email.
How to identify a phishing email?
Many phishing schemes have been run over the years. In most of them the trick is a very convincing email that closely resembles a real message from the company or person it claims to come from. The email usually carries a link to a website or an attachment, with the intent of getting you to click the link or open the file.
The attachment is typically an executable disguised as a document, a PDF for instance, and it runs malware on your device as soon as it is opened.
If you follow the link, the website asks you for sensitive information under the pretense of logging you in, unlocking features, or entering you in a contest.
Either way the attacker wins: in the first case they get a foothold on your device, in the second they get your credentials or card details. Both can cause severe monetary damage.
Here is a list of possible clues to identify a phishing email.
1. The sender’s email address is not from the company that the email claims to be from
Check the actual sender address, not just the display name, which the sender can set to anything. If it differs from the address you would normally expect communication from, treat the message with caution. Look closely: attackers register look-alike domains that differ by a single character (a digit 1 in place of a lowercase l, or rn in place of m), and a Reply-To header pointing at a different domain is another warning sign.
2. The email does not contain a company logo
This is not always the case, and on its own it proves little either way: an email missing essential assets such as the company logo should be treated with suspicion, but attackers also copy real branding wholesale, so a correct logo is no proof of legitimacy.
3. The email looks like it was sent by a person
If a message that should come from a company arrives from an individual instead (a person’s name rather than a company name) and asks you to act, treat it with caution. Genuine colleagues write like this too, so weigh this clue together with the others rather than on its own.
4. The email does not contain a valid contact number
If the email does not contain a valid contact number, it is more likely to have been sent by an individual than by the company. Even when a number is present, verify it against the one on the company’s official website rather than calling the number in the email.
5. The email contains a link that takes you to a website that is not trustworthy
Hover over the link (or long-press it on a phone) to see the real destination before clicking. A target that does not match the company’s real domain, points at a bare IP address, or differs from the text shown for the link should be considered dangerous.
6. The email is not well-written, contains poor grammar or bad spelling
An email with spelling mistakes, bad grammar, or a clumsy message should not be trusted. The reverse does not hold: plenty of phishing emails are well written, so clean prose is no guarantee.
7. The email is addressed to a large number of people, but the email does not appear to be sent to a mailing list
If the email goes to an unusually large number of recipients without being sent through a mailing list (and it is not a template or test sent to a list of employees), treat the message as likely phishing.
8. The email has executable attachments
For example, the email might carry a zip archive or an executable made to look like a PDF, a picture, or clip art. A common trick is a double extension such as "statement.pdf.exe": a file manager that hides known extensions shows only "statement.pdf", and opening it runs the program. A common phishing scheme uses a picture of a check or a scanned copy of a check as the lure.
Types of phishing emails
1. CEO Fraud
When it comes to business email, the most common phishing scheme is the one known as CEO fraud. Someone sends an email to an employee claiming to be the company’s CEO or another high-level manager or executive, depending on the company structure. The email asks the employee to perform a specific action (a wire transfer or a gift card purchase are classic requests) or to reply with contact or access information.
2. Bank Phishing
In bank phishing schemes, the victim receives an email that pretends to come from their bank. The email asks for the password to the bank account. If the victim supplies it, the schemers use it to access the victim’s real bank account.
3. Lottery Winner phishing schemes
In a lottery winner phishing scheme, the victim receives an email from the “lottery commission” and is told they have won a large sum of money. The only problem is that the victim has to send a “fee” before the money can be released. The fee, of course, is the only money that ever moves, and it goes to the “lottery commission.”
4. Gift Card phishing schemes
In gift card phishing schemes, the victim receives an email that appears to come from a retailer or bank, claiming that they have won a gift card. To receive it, they are told, they must supply their credit card information. Once the victim does so, the schemers use the card to make unauthorized purchases.
5. Tech Support phishing schemes
In a tech support phishing scheme, the victim receives an email claiming to come from the tech support department of a popular company. The email claims that the user has a virus on their computer and that they need to download and install a program that the “tech support” person says will fix the problem, and it helpfully provides a link to download it.
The “fix” is, of course, the malware that infects the user’s computer.
6. Check phishing schemes
In a check phishing scheme, the victim receives an email that appears to come from a bank or other financial institution, saying a check is waiting for them. The email links to a website with a form that asks for the victim’s personal information, then tells them to print the form and take it to the bank to collect the check. There is no check; the schemers keep the personal information and any money the victim sent along the way.
7. Phishing for passwords
In a phishing-for-passwords scheme, the victim receives an email that appears to come from a trusted source, such as a bank or company. The email links to a fake login page that imitates the website of the trusted source and asks the victim to enter their username and password. Once entered, the credentials go straight to the schemers.
These are just a few of the many types of phishing schemes that are prevalent on the internet.
Some phishing schemes are more sophisticated than others, which is why some of them work from time to time. Keeping cybersecurity policies, tools, and employee training up to date is the most important thing a company can do to stop phishing emails and schemes from succeeding.
What kind of data can be compromised?
You now understand how to recognize a phishing email and what kinds of phishing emails there are.
However, we must ask: what kind of data are these bad actors after?
Phishing emails will try to acquire whatever information they can from your organization. Personal or company information makes no difference to the attackers; whatever they can get is valuable to them in one way or another.
The most common things attackers go after through phishing emails are credentials and sensitive inside information.
The most common consequence of falling for a phishing scheme is losing valuable data, immediately followed by compromised accounts.
A healthy security routine of two-factor authentication and clear, standard procedures for how information is passed around and handled is essential for avoiding phishing emails and their consequences. Prefer phishing-resistant second factors (hardware security keys or passkeys) where you can: one-time codes sent by SMS or generated by an app can themselves be phished by a fake login page that relays them to the real site in real time.
What can a Phishing email cost my company?
Imagine you fall victim to one of these phishing emails and they successfully collect your information.
How much can this cost you?
The honest answer is: it depends, but it can become quite expensive.
Depending on the nature of the information you handed to the attackers, it could be as simple as changing a few passwords and reporting the incident to the appropriate authorities.
The average breach costs a company about $7.2 per minute, so the bill depends heavily on how fast you respond.
This is something to keep in mind.
How to handle a phishing email once identified
In most cases, phishing emails are relatively easy to identify, but not all of them are. That is why it is important to know what to do when you receive one.
- Do not click any links in the email.
- Do not open or download any attachments.
- Do not reply to the sender, and do not use any email address or phone number shown in the email.
- Do not enter sensitive information into the email or into any website linked from it.
- Do not give the sender any information that is asked of you.
Once you have identified a phishing email, report it rather than simply deleting it. Report it to your internal security team first (use the report-phishing button if your mail client has one), and forward it as an attachment rather than inline, so the original headers survive for whoever investigates. Then forward it to the company the email claims to be from. This lets the company and the relevant authorities act quickly and limits the damage to you, to that company, and to anyone else who might fall for the same attempt.
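Forwarding a phishing email inline rewrites its headers, which is exactly the evidence an investigator needs. The following Python function is an added example, not code from the original post: it wraps the original message as a message/rfc822 attachment so every header (including the Received chain and Authentication-Results) survives unmodified, and puts a short header summary in the body for the analyst. The sample message and the mailbox addresses are constructed placeholders.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Headers a triage analyst wants to see at a glance (assumption: adjust to taste).
TRIAGE_HEADERS = ("From", "Reply-To", "To", "Subject", "Date",
                  "Message-ID", "Authentication-Results", "Received")

# Constructed sample of a suspicious message (placeholder domains, documentation IP).
SUSPECT_EML = """\
Received: from mail-relay.example.net (203.0.113.7) by mx.corp.example
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: recover@mail-relay.example.net
To: bob@corp.example
Subject: Urgent: verify your account
Date: Mon, 06 May 2024 09:15:00 +0000
Message-ID: <20240506091500.1234@mail-relay.example.net>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=examp1e-bank.com
Content-Type: text/plain; charset="utf-8"

Please verify your account at http://203.0.113.7/login within 24 hours.
"""

def build_phishing_report(raw_eml, reporter, report_to, note=""):
    """Build a report mail carrying the original as a message/rfc822 attachment."""
    original = message_from_string(raw_eml, policy=policy.default)
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = report_to
    report["Subject"] = "[PHISH REPORT] " + str(original.get("Subject") or "(no subject)")

    # Plain-text summary for the reader; the complete, unmodified headers travel
    # inside the attached original, including every Received hop.
    lines = ["Suspected phishing message attached unmodified. Do not open links in it."]
    if note:
        lines.append(f"Reporter note: {note}")
    lines.append("")
    lines.append("Header summary:")
    for header in TRIAGE_HEADERS:
        for value in original.get_all(header, []):
            lines.append(f"{header}: {value}")
    report.set_content("\n".join(lines) + "\n")

    # Attaching the Message object (not its text) makes the standard library emit
    # a message/rfc822 part, which mail clients display as a nested .eml file.
    report.add_attachment(original, filename="suspected-phish.eml")
    return report

if __name__ == "__main__":
    print(build_phishing_report(SUSPECT_EML, "bob@corp.example",
                                "phish-reports@corp.example", "did not click").as_string())
```

Most mail clients do the same thing when you choose "forward as attachment"; the function is useful when reporting is automated, for example from a shared abuse mailbox, and the resulting message can be handed to any SMTP client as is.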
Let’s summarize today’s content regarding how to handle phishing emails
Always follow cybersecurity best practices: take your time analyzing and vetting any email that seems suspicious, and be distrustful of links and of executable files in attachments.
Never enter personal or company information outside your company’s well-defined platforms, and use two-factor authentication to further protect your data and accounts.
If you fall victim to a phishing email, immediately report the incident internally and to the appropriate authorities. Then follow your company’s protocol for a security breach.
We hope today’s blog entry has been informative and helpful on how to handle phishing emails and in keeping your personal and company information safe.