We have noticed an increase over recent weeks in phishing emails across all our clients. Although you have the best protection with Office 365 for spam, phishing and malware, which stops most of it at source, backed up by Avast Antivirus for the ones that do get through, we are still hearing of users at other organizations being duped into giving out personal information or credentials through phishing emails or unscrupulous websites. Please remind all users within your organization to be extra vigilant with suspect emails and websites, and to inform us immediately if they have disclosed email credentials so we can check their accounts and change passwords if necessary. The general rule is that you will never need to enter your email credentials into a website that asks for them in order to access documents etc. Below is information on what to look out for, so please feel free to circulate this post to all users. As always, if users are unsure of any email, we are more than happy to have a look at it: just forward it to us to investigate.
Types of phishing
The most basic and commonly seen type of attack, of course, is the phishing email. Phishing emails are sent to a group of users who are unique enough to be used as bait but broad enough to ensnare a large number of people. The point is to cast as large a net as possible. In contrast, other forms of attack are much more targeted.
Spear phishing, as might be gathered from its title, usually targets a specific person or organization. Since these types of attacks are so pointed, phishers scour the Internet for available information about their target in order to craft a believable email to extort information (if not money) from victims.
Whaling is a form of spear phishing directed at executives or other high-profile targets within a business, government, or other organization, such as a CEO, or someone who has access to financial assets. CFO fraud is an example of whaling.
Smishing, short for SMS phishing, is carried out via SMS text messaging on mobile devices. A similar technique, vishing, is voice phishing conducted over the phone.
Pharming, also known as DNS-based phishing, is a type of phishing that involves the modification or tampering of a system’s host files or domain name system to redirect requests for URLs to a fake site. As a result, users have no idea that the website they are entering their personal details into is fake.
Content-injection phishing is when phishers insert malicious code or misleading content into legitimate websites that instructs users to enter their credentials or personal information. This type of phishing is a form of content spoofing.
Man-in-the-middle phishing happens when phishers position themselves between people and the websites they use, such as social networking sites or online banks, to extract information as it’s being entered. This type of phishing is more difficult to detect because attackers continue to pass on users’ information (after collecting it) so as not to disrupt any transactions.
Search engine phishing starts off when phishers create malicious websites with attractive offers, and search engines index them. People then stumble upon such sites doing their own online searches and, thinking the sites are legit, unknowingly give up their personal information.
There truly are a lot of phish in the sea.
So, if your head isn’t completely swimming in fish puns, it’s time to talk about how to train your eye and your gut to sniff out the various forms of phishing attacks.
Something’s phishy if:
The email, text, or voicemail is requesting that you update/fill in personal information. This is especially dubious if it’s coming from a bank. Treat any communication asking for your credentials with extra caution.
The URL shown on the email and the URL that displays when you hover over the link are different from one another.
The “From” address is an imitation of a legitimate address, especially from a business.
The formatting and design are different from what you usually receive from an organization. Maybe the logo looks pixelated or the buttons are different colors. Or possibly there are weird paragraph breaks or extra spaces between words. If the email appears sloppy, start making the squinty “this looks suspect” face.
The content is badly written. Sure, there are plenty of wannabe writers working for legitimate organizations, but this email might seem particularly amateur. Are there obvious grammar errors? Is there awkward sentence structure, like perhaps it was written by a computer program or someone whose second language is English? Take a closer look.
Speaking of content, a phishing email almost always sounds desperate. Whether they’re claiming that your account will be closed, an urgent request is needed, or your account has been compromised, think twice before double-clicking that link or downloading that attachment.
The email contains attachments from unknown sources that you were not expecting. Don’t open them, plain and simple. They might contain malware that could infect your system.
The website is not secure. If you do go ahead and click on the link of an email to fill out personal information, be sure you see the “https” abbreviation as well as the lock symbol at the beginning of the URL. If not, that means any data you submit is vulnerable to cybercriminals.
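The checklist above can be turned into a triage script that a helpdesk runs over a forwarded message before anyone clicks anything. The example below is added here and is not part of the original post or any product mentioned in it; the sample message, the `TRUSTED_DOMAINS` allow-list and the `normalise` look-alike folding are constructed assumptions for illustration. It flags a look-alike "From" domain, link text that names one host while the href points to another, non-https links, unexpected attachments, and urgent wording.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real phish): the visible link names the bank but the
# href and the sender domain do not, and the wording is urgent.
SAMPLE = """\
From: "Example Bank Security" <alerts@examp1ebank.com>
To: user@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<p>Your account will be closed unless you verify now.</p>
<a href="http://examp1ebank-verify.example/login">https://www.examplebank.com/login</a>
"""

TRUSTED_DOMAINS = {"examplebank.com"}  # assumption: the organisation's own allow-list
URGENCY = ("account will be closed", "urgent", "verify now", "compromised")
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def normalise(domain: str) -> str:
    """Fold common look-alike substitutions so examp1ebank.com reads as examplebank.com."""
    return domain.lower().replace("1", "l").replace("0", "o").replace("rn", "m")

def phishy_signs(raw: str) -> list[str]:
    """Return the checklist items from the post that the message trips."""
    msg = message_from_string(raw)
    signs: list[str] = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain not in TRUSTED_DOMAINS and normalise(from_domain) in TRUSTED_DOMAINS:
        signs.append(f"From domain {from_domain} imitates a trusted domain")
    text = msg.get("Subject", "")
    for part in msg.walk():  # walk() yields the message itself when it is not multipart
        if part.get_content_disposition() == "attachment":
            signs.append(f"unexpected attachment {part.get_filename()!r}")
        elif part.get_content_maintype() == "text":
            text += "\n" + part.get_payload(decode=True).decode("utf-8", "replace")
    for href, label in LINK_RE.findall(text):
        shown, target = urlparse(label.strip()), urlparse(href)
        if shown.netloc and shown.netloc != target.netloc:  # displayed URL vs real URL
            signs.append(f"link text shows {shown.netloc} but points to {target.netloc}")
        if target.scheme != "https":
            signs.append(f"link {href} is not https")
    if any(phrase in text.lower() for phrase in URGENCY):
        signs.append("urgent or threatening wording")
    return signs

if __name__ == "__main__":
    for sign in phishy_signs(SAMPLE):
        print("-", sign)
```

A message that trips none of these checks can still be a phish, so the empty result means "nothing obvious", not "safe".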