We talk a lot about how to keep yourself safe online, but sometimes we don’t focus enough on what you are supposed to be keeping yourself safe from. Last week I received an email about a specific type of phishing scam that’s been happening recently, and after doing some initial research on it, I realized that we should talk about the most common types of phishing scams and arm you with information on how to spot them.
What is phishing?
Phishing is a cybercrime in which a target is contacted via phone, email, or text by someone posing as a legitimate contact, company, or vendor in order to lure individuals into providing sensitive data (phishing.org). These cyber criminals are looking for any type of personally identifiable information, bank or credit card information, account details, and passwords.
Types of phishing
Phishing is really a broad term that encompasses quite a few distinct attacks, all with the ultimate goal of gaining access to sensitive information. These are the top 4 most common types of phishing we see.
Mass phishing
This is the most common type of phishing scam. It takes the form of a mass email sent out to an unknown number of individuals, pretending to be from a person or a company the recipient trusts. A common example of this kind of attack involves a recipient opening an email that appears to be from their bank, notifying them that something is wrong, telling them they must log in to address the issue, and providing a link to a login page. This login page is a fake page designed to look like their bank's page, with a place for the individual to enter their credentials. Once the credentials are entered, the cyber criminal has your bank login information.
Spear phishing
This type of phishing is especially important for those in business, or in high-profile industries, to be aware of. It is when a cyber criminal takes the time to craft an attack email targeted at one specific person. In a spear phishing attack, as with a mass phishing attack, the email will seem to come from a trusted source. If you're in business it may look like it's coming from someone of authority in your company, or from a vendor that you work closely with. These types of attacks are generally more successful because of the level of personalization within the email. According to Wombat Security, "Emails personalized with a first name had click rates 19% higher than those with no personalization." For an example of spear phishing, see how Group 74 targeted cyber security professionals in an attempt to install malware on their machines.
Whaling
This is similar to spear phishing in that the attacks are directed at a specific group of professionals or a single employee within a firm, but instead of looking like they come from someone of authority, they target those in positions of authority. Whaling attempts are directed at a company's top executives to obtain their login credentials, under the assumption that those credentials will give full access to anything within the business. These emails are highly customized and are less likely to be filtered as spam.
Smishing
This is different from the above attacks because in this phishing attempt the recipient gets an SMS/text message instead of an email. This can be especially dangerous, as people are generally less alert when it comes to links in a text than links in an email. Many of these attempts come through pretending to be a confirmation text from a service you signed up for (which you most likely haven't) and give you a link to follow to deactivate the subscription. USA Today gives a couple of good examples of smishing attempts and how to avoid them, but in general it's important to remember not to click links from numbers you don't know.
Identifying a phishing scam
Check sender email
Even if the name on the email is someone you know, always check the email address. Make sure the name and the domain are correct. If you see an email coming from your bank but the domain isn’t the same as your bank’s, that’s a red flag. This applies to individuals within your company as well. For example, I know all of our company emails end in “@itfreedom.com”, so if I receive one ending in “@it-freedom.com” I would be suspicious.
Hover over links
If there are links throughout the email, hover over each link. This will give you a preview of the actual URL you would be sent to. If it’s supposed to be sending you to your bank’s website but the URL isn’t sending you to your bank’s domain, don’t click the link.
Check spelling and grammar
Read through the email closely. If there are spelling or grammar issues in an email from a well-known business or brand, be cautious. Sometimes spelling mistakes happen, but in general companies are pretty serious when it comes to their emails, and an abundance of misspellings and grammatical errors can be a big warning sign.
Watch for fear and urgency
Trying to invoke fear or a sense of urgency is common in phishing attempts. If you see something like "Unauthorized login attempt" or "Urgent action required", this should raise a red flag for you. With most companies, if something is really that urgent they will try to contact you in another way and not just via email or text.
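As an added illustration (not code from the original post), the following Python script applies the three checks above, sender domain, hover target, and urgency wording, to a constructed sample message. The trusted-domain list, the phrase list, and the sample email itself, including the "@it-freedom.com" lookalike sender and the ".invalid" link host, are assumptions chosen to mirror the post's own examples; the same functions can be pointed at any raw message you have saved from your mail client.

```python
"""Heuristic phishing-indicator check over a constructed sample email.

Codes the three manual checks from the post: does the sender's domain
match or merely imitate a trusted one, does each link's visible text
name a different domain than its real href, and does the message lean
on pressure phrases. Only the Python standard library is used.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Assumption: the recipient's own allow-list; itfreedom.com is the domain the post uses.
TRUSTED_DOMAINS = {"itfreedom.com"}

# The two phrases the post names, plus one more of the same kind (assumption).
URGENCY_PHRASES = (
    "unauthorized login attempt",
    "urgent action required",
    "account will be suspended",
)

# Anchor text that itself looks like a URL or a bare domain name.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for .com-style names."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(domain: str, trusted: set) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None.

    Rule 1: identical once hyphens are removed (it-freedom.com vs itfreedom.com).
    Rule 2: a trusted name embedded in some other registrable domain
            (itfreedom.com.reset-portal.invalid). A genuine subdomain of a
            trusted domain (mail.itfreedom.com) is not a lookalike.
    """
    domain = domain.lower()
    if registrable_domain(domain) in trusted:
        return None
    for t in sorted(trusted):
        if domain.replace("-", "") == t.replace("-", "") or t in domain:
            return t
    return None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html: str) -> list:
    """Links whose visible text names one domain but whose href leads to another
    (what 'hover over the link' reveals). Text like 'click here' is skipped."""
    parser = LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        m = DOMAIN_LIKE.match(text)
        if not m:
            continue
        shown = registrable_domain(m.group(1))
        real = registrable_domain(urlparse(href).hostname or "")
        if shown != real:
            found.append((text, href))
    return found


def urgency_hits(text: str) -> list:
    """Pressure phrases present in the text, in URGENCY_PHRASES order."""
    low = text.lower()
    return [p for p in URGENCY_PHRASES if p in low]


def analyze(raw: bytes) -> dict:
    """Run all three checks over a raw RFC 822 message and count how many fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_hdr = msg["from"]
    sender = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    report = {
        "sender_domain": sender,
        "sender_lookalike_of": lookalike_of(sender, TRUSTED_DOMAINS),
        "link_mismatches": link_mismatches(html),
        "urgency_phrases": urgency_hits((msg["subject"] or "") + " " + html),
    }
    report["indicators"] = sum(
        bool(report[k]) for k in ("sender_lookalike_of", "link_mismatches", "urgency_phrases")
    )
    return report


# Constructed sample message (not a real email): a lookalike sender, one link whose
# visible text and real target differ, one honest link, one link with plain text.
SAMPLE_EMAIL = b"""\
From: "IT Freedom Helpdesk" <helpdesk@it-freedom.com>
To: someone@itfreedom.com
Subject: Unauthorized login attempt - urgent action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We blocked an unauthorized login attempt on your account.</p>
<p>Reset your password at
<a href="http://itfreedom.com.reset-portal.invalid/login">https://itfreedom.com/password-reset</a>
within 24 hours or your account will be suspended.</p>
<p>Policy details: <a href="https://itfreedom.com/security">itfreedom.com</a></p>
<p>Questions? <a href="https://itfreedom.com/contact">Contact us</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The sample trips all three indicators: the sender domain collapses to a trusted one once the hyphen is removed, the password-reset link shows the trusted domain in its text while its href lands on an unrelated registrable domain, and both subject and body carry pressure phrases. The honest "itfreedom.com" link and the "Contact us" link are left alone, which is the behaviour you want before wiring a check like this into a mail filter or an awareness-training exercise.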
What to do if you’re unsure
Contact the sender
If you’re unsure about an email or text, and know who it’s supposedly coming from, get in contact with them in another way to verify. Send them a separate email, message or give them a call. It never hurts to be extra cautious.
Go to the website directly
If you receive an email from a company or brand asking you to click a link and log in, especially if it's using threatening or urgent language, don't click the link in the email. Instead, head straight to the company's website and log in there. This will keep your information secure, and you will know for sure whether the email was a phishing attempt.
Phishing scams are just one way hackers/cyber criminals will attempt to gain access to your machines and personal information. That’s why it’s so important to do everything you can to keep your machine safe and stay safe online.
This includes things like:
- Regular machine backups
- Installing updates and patches
- Staying up to date on the latest attacks
- Using different and strong passwords
- Staying alert at all times
For similar posts check out our master list of Cyber Security blogs.