Phishing emails can steal sensitive data and damage a company’s reputation. However, protecting a company from these scammers doesn’t need to be difficult.
Phishing emails are a social engineering attack used to steal your personal information like passwords or credit card numbers. The victim receives an email appearing to be from a trusted company but which is actually from an imposter.
Phishing is when an attacker mimics a trusted person or brand in an attempt to steal sensitive information, or gain a foothold inside a company network. While phishing emails are by far the most popular, these attacks can also be sent through text message, social media, and even phone calls.
These malicious messages are crafted with the goal of the recipient clicking on a link or email attachment that contains malware. Phishing links often redirect to fake login pages that look very similar to legitimate websites. If the victim enters their real login information into the site, the attacker will have a copy of those credentials for themselves.
Email attachments work in a similar fashion, but install malware directly on the PC that opens the file. This malware can silently collect data and keystrokes and send that information back to the attacker. This is an even more dangerous situation, because the attacker can now attempt to move further into the network, or create backdoor access to reinfect the network later.
Not all phishing attempts are created equal. While most fraudulent messages are sent indiscriminately, some are carefully crafted to look as real as possible. Let’s take a few phishing email examples.
General email phishing is the most common type of attack you’ll see. It’s estimated that nearly three billion phishing messages are sent every day, with a majority of those messages being sent in massive waves to thousands of recipients.
These attacks often impersonate well-known brands, and disguise themselves as shipping updates, password reset requests, and overdue invoice notices from fictitious companies.
Spear phishing emails use a much more targeted approach to trick their victims, using company-specific information to make their messages even more believable. Information such as phone numbers, email signatures, and staff names is used in these attacks to appear as legitimate as possible. Attackers spend time collecting this information from websites, and sometimes stealing it from other email accounts that have already been compromised.
Another common technique is for the attacker to send their messages from a cousin domain. For example, if the attacker was targeting Microsoft.com, they would register “Micosoft.com” and send their emails from that domain. When combined with other targeted information, spear phishing emails can be tough to spot.
Whaling phishing is very similar to spear phishing, but goes a step further by targeting specific high-level staff within an organization. The goal of whaling is to impersonate a C-level executive and use that authority to pressure staff members into sending sensitive information.
Phishing attacks that use this strategy often target other high-level members within a company, putting sensitive information that most staff members don’t have access to at risk. Whaling scams commonly ask for tax information, financial documents, or even wire transfers.
Business Email Compromise (BEC) is a targeted attack that focuses on companies that frequently conduct wire transfers and have global partnerships. Attackers use keyloggers, spoofed domains, and phishing emails with the primary goal of tricking the victim into wiring money into the attacker’s account.
Fraudulent emails can be tough to spot, but if you know where to look, identifying them gets a lot easier. While it’s better to prevent phishing in the first place, here’s what to look for when trying to identify a phishing email.
Many email scams originate from countries where English is not the native language, which leaves scammers relying on translation apps that don’t always work as intended. Watch out for multiple misspellings, especially in emails that claim to be from a well-known brand.
Fraudulent messages may also contain words that are grammatically correct, but used in the wrong context. While misspellings don’t prove an email is a phishing scam, they should raise a red flag and signal to the reader that more time should be spent studying the legitimacy of the message.
As mentioned earlier, some attackers will attempt to register domains that look very similar to legitimate companies. Always study the sender and their domain when the validity of an email is in question.
Watch out for misspellings in the domain, or deception in the “From” field of the message. For example, attackers will send a phishing email with the sender name “ABC Bank Alert”, so the message ends up looking like it’s from the bank even though the actual address is ABCBankAlert@automatedbankalerts.com.
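The two sender checks described above (a cousin domain one character away from a real one, and a display name that invokes a brand the sending domain doesn’t belong to) can be automated. This is an added example, not Agari’s code; the trusted-domain list is a constructed assumption, and the mail-flow integration is left to the reader.

```python
import re
from email.utils import parseaddr

# Constructed assumption: the brand domains this organization treats as legitimate.
TRUSTED_DOMAINS = {"microsoft.com", "abcbank.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a cousin domain such as micosoft.com is one edit away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_from_header(from_header: str) -> list:
    """Return the red flags found in a raw From: header value (empty list if none)."""
    flags = []
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if not domain:
        return ["unparseable sender address"]
    if domain in TRUSTED_DOMAINS:
        return flags  # genuinely from a trusted domain; nothing to report here
    # Check 1: cousin domain, one misspelling away from a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 1:
            flags.append(f"cousin domain {domain!r} resembles {trusted!r}")
    # Check 2: display name or mailbox name invokes a brand, but the domain is unrelated.
    name_tokens = re.sub(r"[^a-z0-9]", "", display_name.lower())
    local_part = address.split("@")[0].lower()
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name_tokens or brand in local_part:
            flags.append(f"sender name invokes {brand!r} but domain is {domain!r}")
    return flags
```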
Email fraud is designed to get victims to click links that compromise their machines, or steal their credentials as fast as possible. Attackers use urgency to compel victims into taking action quickly so their scam won’t be discovered until it’s too late.
If an email threatens legal action, says you’ve been hacked, or claims you owe significant fees, don’t act too quickly. Study the email closely to verify the sender, and if you think it may be real, contact the person directly using a verified phone number.
Even seemingly innocuous attachments can contain a malicious payload hidden inside. Links inside emails can contain redirects, which immediately send you to another site when the link is clicked. This makes taking a proactive approach to stopping these attacks the most effective way to keep staff inboxes safe. Only click on links or download attachments from trusted senders that you’re familiar with, and are certain are the person you think they are.
The best way to avoid clicking on a phishing email is to prevent it in the first place. Unlike virus protection, you cannot simply install one program that stops attacks from getting through. To prevent phishing effectively, a series of protections must be put in place.
Having a phishing response plan can prevent attacks, and streamline the remediation process if an attack does occur. Agari Phishing Response automatically prioritizes incidents, and automates triage as soon as an attack is detected.
DMARC combines the power of SPF and DKIM to stop domain spoofing attacks and reduce spam. Together these three records help defend against spam as well as attacks that attempt to utilize spoofed addresses.
As a joint founder of DMARC, Agari uses DMARC records combined with AI-powered phishing detection to completely prevent spoof attacks, and pivots its protection methods based on new threat data.
Email training can help drastically reduce the number of fraudulent emails opened, and work to consistently reduce exposure to email-based threats. Outside of standard educational content, organizations can test their staff with internal phishing campaigns that measure email open rates, link clicks, and responses.
Two-factor authentication (2FA) provides an extra layer of protection that goes beyond login credentials. Even if credentials are stolen, 2FA prevents that information from being used to access systems without the owner’s consent.
If you believe you have been phished, change your password immediately from a secure machine. If you believe your credit card information or bank details are at risk, contact your provider immediately to prevent further compromise. If your identity or social security information was stolen, contact the Social Security Administration.
If you’ve fallen victim to an email scam, or have been sent a phishing email, there are a few simple steps you can take to report phishing emails.
If you’ve received a malicious email, you can forward it directly to the FTC at email@example.com. If the message was a text message you can forward it to SPAM (7726).
You can then report the attack by visiting http://ftc.gov/complaint.
Agari offers a turnkey solution to combat email threats, stopping phishing attempts before they ever reach the inbox. The system utilizes DMARC as well as behavioral analysis to stop both malicious files and phishing attempts at the same time.
Predictive analytics identifies new threat trends as they emerge by proactively scanning trillions of messages. As new threat patterns are identified, they are automatically applied to your threat database, ensuring even the newest types of attacks are thwarted.
No matter where your email is hosted, Agari offers a wide variety of integrations into platforms like Office 365, Microsoft Exchange, and Gmail. Setup is simple, and doesn’t require any downtime, meaning no missed emails during setup.