What is a Phishing Attack?
A phishing email is distinct from a spam email. It is usually sent in an attempt to trick recipients into divulging confidential information, such as financial data or other personal information. A spam email, on the other hand, is mainly sent as part of an advertising campaign.
What does it involve?
- First, the phishing email is sent to a number of target recipients through mass mailing applications.
- The phishing email is usually well crafted, through social engineering, to entice the victim to either click on a link included in the email, or to download an attachment.
- On clicking the link, the victim is likely to be redirected to a landing page designed to resemble a legitimate web page of a known and trusted organization. Most fraudsters impersonate banks, online cash transfer services, and credit card companies. The attacker uses popular, reputable brand names to make the page more convincing to the victim, thereby increasing the probability that the victim performs the desired action, e.g. downloading an attachment.
- Once the victim visits the fake site or downloads an email attachment, he or she will be exposed to malware or will install a Trojan that the attacker can use to capture sensitive information.
- The attacker then uses the stolen information, such as official usernames and login credentials, to gain the user's privileges, allowing him to commit fraud such as sending checks and approving illegal bank transfers.
How to recognize phishing emails?
Here are some common indicators that can help you distinguish a phishing email from a legitimate one:
- A message that requests personal information
- A URL containing a deceptive domain name
- An email message containing a generic salutation (e.g. Dear Madam instead of Dear [your name])
- A message that contains poor spelling or grammar
- A message with a mismatched URL. Hover your mouse over the link and check whether the destination shown in your browser's status bar is the same as the address displayed in the message.
- An email message with executable file attachments; the most common file types are exe, bat, com, msi, jar, and scr, among others
- Attachments you did not ask for or were not expecting. If the sender is familiar, you can always verify with them directly.
- An email message from an unknown sender
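As an added illustration that is not part of the original article, the following Python checker applies several of the indicators above to a raw email message: it flags executable attachments by extension, a generic salutation, requests for credentials, and links whose displayed address differs from where they actually point. The sample message, sender address and domain names in it are constructed for this example.

```python
import re
from email import message_from_string

# Constructed sample message (not a real phish); it exhibits four indicators.
SAMPLE = """\
From: Alerts <alerts@paypa1-secure.example>
Subject: Your account has been suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Dear Customer,</p><p>Confirm your password at
<a href="http://paypa1-secure.example/login">https://www.paypal.com/</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.scr"
Content-Disposition: attachment; filename="invoice.scr"

AAAA
--b1--
"""

RISKY_EXTENSIONS = {"exe", "bat", "com", "msi", "jar", "scr"}  # from the list above
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'^(?:https?://)?([^/\s<>"]+)', re.I)

def host_of(url):
    """Bare host name of a URL or URL-like link text, without a www. prefix."""
    m = HOST_RE.match(url.strip())
    host = m.group(1).lower() if m else ""
    return host[4:] if host.startswith("www.") else host

def phishing_indicators(raw):
    """Return the indicators from the list above that appear in one raw message."""
    msg = message_from_string(raw)
    found, body = [], ""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS:
            found.append("executable attachment: " + name)
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    if re.search(r"\bdear (customer|madam|sir|user)\b", body, re.I):
        found.append("generic salutation")
    if re.search(r"\b(password|social security|card number)\b", body, re.I):
        found.append("requests personal information")
    for href, text in LINK_RE.findall(body):
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:  # displayed host != real destination
            found.append("mismatched link: shows %s, goes to %s" % (shown, actual))
    return found
```

Running `phishing_indicators(SAMPLE)` reports all four indicators; a plain, link-free message from a colleague returns an empty list.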
Phishing attacks are one of the biggest problems for most businesses in the United States today, with the FBI devoting most of its time and effort to countering cybercrime. The most common are business email compromise scams, also known as BECs. In these phishing attacks, the scammers target businesses that wire money internationally, usually in large sums. A majority of these incidents lead to losses in the billions of dollars. Phishing attackers normally target real estate businesses, but no business is immune from phishing.
Below are some tips published by the FBI to help businesses protect themselves from the menacing phishing attacks that are targeting businesses worldwide.
1. Domain-hosted email: Phishing scammers often target free web-based email accounts such as Yahoo, Gmail, and Hotmail, among others. Spammers send out fraudulent emails to try to obtain your sensitive information, such as credit card details, passwords, and social security numbers. To avoid falling victim to these scammers, establish a web domain for your business and host your email accounts, including your employees’, on that domain.
2. Update software: It is essential to always make sure that your firewalls, antivirus software, and spam filters are effective and up to date. Software companies often release updates to improve features and to enhance security, which helps protect you against cybercrime such as phishing. A modern version of a web browser will have stronger anti-phishing protection that can detect a fraudulent site and block it.
Microsoft has a new security update for Internet Explorer to protect you from phishing scams. It eliminates vulnerabilities that scammers could use to falsify the location of a web page. This patch is highly recommended if you have the Internet Explorer web browser installed.
3. Report and delete: A phishing email can be recognized by a mismatched URL, a misleading domain name, grammar and spelling mistakes, unrealistic requests or threats, and any other suspicious detail. If you receive a phishing scam email, report it and delete it immediately.
4. Verify the legitimacy of known but suspicious contacts: Some scammers will use a legitimate contact to direct you to a spoofed website or to entice you to divulge private information such as a username, password or social security number, which they then use to commit identity theft. If you receive an e-mail from a legitimate address but are suspicious, you should “forward” it back to the sender rather than hitting “reply”. If the email address is authentic, it should appear in your established contacts list as you type the known e-mail address manually.
5. Think before you click: Phishing scammers often use social engineering to create panic and stress so that you act quickly without thinking; their crude means are intended to trick you into clicking or responding immediately. Check carefully before you click. For instance, an email from your bank may claim that your bank account has been suspended. Such a claim is a clear indication of phishing, as banks will rarely take such actions through email.
6. Two-factor authentication: Relying on passwords as the only means of securing access to your email makes you more vulnerable to phishing scams. Phishing is highly effective because the emails appear to originate from known contacts, with related subjects and attachments. This easily entices the recipient into trusting the message from a familiar sender, and makes phishing easy and quick to propagate.
Apart from verifying the URL of a link before clicking on it, two-factor authentication is the most reliable defense you can use against scammers. It combines your password with an additional security factor, making things much more difficult for fraudsters while giving users better security.
Two-factor authentication helps to prevent hacks that target users who reuse the same password across multiple applications. It is therefore essential to adopt it for your business and employees’ emails, where technically possible, to reduce exposure to these scams.
7. Flag spam emails: You may receive emails from familiar-looking addresses whose domain names or formatting are inconsistent. For instance, scammers may use “Alerts@Paypal.co.uk” instead of the legitimate PayPal address “Service@paypal.com”. There are security features designed to flag such phishing scam emails automatically. These features offer spam protection that sends all phishing emails directly to your spam folder, and they also allow you to block suspicious senders so that you no longer receive emails from them.
8. Send encrypted emails: Email encryption disguises the contents of your email and keeps your data safe from unintended recipients. Encrypting your email helps to protect sensitive information from hijackers who may gain unauthorized access to your account; it prevents hackers from reading your email to reset your login credentials and then logging in to steal sensitive private information. Encryption makes your email unreadable while in transit, so even if it is intercepted, the hacker cannot interpret the content.
The journey to improving your business’ digital security starts with you and your employees. Use the above security tips to avoid falling victim to phishing attacks.