In the second in our series of blogs on the Fundamentals of Phishing we will explore how to identify fraudulent emails.
Not that long ago, phishing attempts were quite primitive and often full of errors, and it was easier for consumers to identify when something was amiss. In addition, consumers weren’t accessing their inboxes from multiple devices and mobiles, nor did they expect to receive highly personalized emails detailing their transaction history with a company.
A recent example of email phishing illustrates how sophisticated today’s cyber criminals are in using social engineering to plan and execute phishing attacks. A highly publicized phishing attack centered on the US Federal Government’s Office of Personnel Management (OPM) data breach. In the wake of the breach, OPM issued a statement saying that email would be its primary form of communication with users around the breach. However, almost immediately after these emails went out, cyber criminals started distributing almost identical phishing emails.
This example of phishing highlights some of the tactics cyber criminals commonly use. Taking advantage of the fact that OPM sent its notifications from a third-party domain, csid.com, fraudsters used a similar-looking domain to convince recipients that their email was authentic. In addition, since the OPM sending address was not protected against spoofing, anyone could send emails claiming to be from it, and recipients couldn’t tell the difference. Furthermore, OPM’s legitimate email included an “Enroll Now” button prompting recipients to sign up for credit monitoring services; savvy cyber criminals included a similar button that directed victims to a malicious website instead. Because button text hides the underlying link (which in OPM’s case was a long, questionable-looking URL), recipients had no way to tell the real and phishing emails apart. In this particular example, the US Army flagged the legitimate emails as a phishing attack.
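The three tells in the OPM case (a lookalike sending domain, a sender address that nobody had authenticated, and an “Enroll Now” button whose link goes somewhere else) can all be checked mechanically before anyone clicks. The script below is an added example written for this post, not code from the original article or from OPM; it applies those checks to two constructed messages using only the Python standard library. The expected sender domain, the allowed link domains and both sample emails are assumptions invented for the demonstration.

```python
"""Defensive triage of an inbound email: sender domain, authentication
results and link targets.  Added example; all domains and messages below
are constructed for illustration and do not describe any real sender."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation announced it would mail from this domain,
# and that only these domains may appear in links it sends.
EXPECTED_SENDER_DOMAIN = "example.com"
ALLOWED_LINK_DOMAINS = {"example.com", "enroll.example.com"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag with an href."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")   # None if the anchor has no href
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def levenshtein(a, b):
    """Edit distance; used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _host_allowed(host, allowed):
    return any(host == d or host.endswith("." + d) for d in allowed)


def triage(raw_message, expected_domain=EXPECTED_SENDER_DOMAIN,
           allowed_link_domains=ALLOWED_LINK_DOMAINS):
    """Return a list of human-readable findings; an empty list means no tells."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Is the From: domain the one we were told to expect, or a lookalike?
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain != expected_domain:
        if 0 < levenshtein(sender_domain, expected_domain) <= 2:
            findings.append(f"lookalike sender domain: {sender_domain} "
                            f"(expected {expected_domain})")
        else:
            findings.append(f"unexpected sender domain: {sender_domain}")

    # 2. Did the receiving mail server verify the sender (SPF, DKIM, DMARC)?
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=pass" not in auth:
            findings.append(f"{mech} did not pass (or no Authentication-Results header)")

    # 3. Where do the links behind buttons and anchor text really go?
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(
                part.get_content_charset() or "utf-8", errors="replace")
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if not _host_allowed(host, allowed_link_domains):
            findings.append(f"link '{text}' points to {host}")
        # Visible URL text that disagrees with the real destination is a classic tell.
        if text.lower().startswith(("http://", "https://")):
            shown = (urlparse(text).hostname or "").lower()
            if shown and shown != host:
                findings.append(f"link shows {shown} but goes to {host}")
    return findings


# Constructed sample messages (not real mail).
LEGIT_MESSAGE = """\
From: Notifications <notify@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Subject: Credit monitoring enrollment
Content-Type: text/html; charset="utf-8"

<html><body><p>Enroll here:</p><a href="https://enroll.example.com/start?token=abc">Enroll Now</a></body></html>
"""

PHISH_MESSAGE = """\
From: Notifications <notify@examp1e.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=none header.from=examp1e.com
Subject: Credit monitoring enrollment
Content-Type: text/html; charset="utf-8"

<html><body><p>Enroll here:</p><a href="https://enroll.examp1e.com/start">Enroll Now</a></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("phish", PHISH_MESSAGE)):
        print(label, triage(raw) or "no findings")
```

The edit-distance check is deliberately loose (it also catches typos in legitimate addresses), so treat a lookalike finding as a reason to verify through a channel you already trust, as the Army did, rather than as proof on its own. Note that the lookalike message legitimately passes SPF for its own domain: authentication only proves the mail came from whoever owns `examp1e.com`, which is exactly why the domain comparison has to be a separate check.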
As OPM’s experience shows, today’s cyber criminals are highly sophisticated in the planning and execution of phishing attacks, leveraging social engineering tactics to get email recipients to do what they want, especially in times of crisis. To help consumers protect themselves from cyber attacks, various organizations work to educate users on cyber safety. Stop.Think.Connect. is one such organization: a global awareness campaign that helps digital citizens around the world adopt safe habits online and encourages internet users to be more vigilant about their online behavior.
The Stop.Think.Connect. message is perfect to keep in mind when checking your email:
You can also practice a few additional email safety tips to keep yourself secure:
While cyber security is a topic that should be at top of mind every month (and every day!), using the information and resources available during National Cybersecurity Awareness Month is a good idea to refresh your online behavior and make sure you’re keeping your sensitive information safe.
Watch out for the next installment of our Fundamentals of Phishing blog series next week. For more cybersecurity tips, news, and resources highlighting National Cyber Security Awareness Month follow the #CyberAware hashtag.