According to KnowBe4, a leader in cybersecurity awareness training, 90% of data breaches are initiated by spear phishing attacks, and over 30% of phishing emails are opened by their recipient. Human error, more than any other factor, is the leading cause of data breaches. A breach can do great harm to your business through the expense, exposure, and lost productivity that follow it.
Threats come in a variety of forms. Phishing emails contain malicious links and/or attachments that can infect systems with malware, ransomware and adware. More specifically, spear phishing attacks are those that use information about a target to make attacks more personal. Spoof emails appear to come from a trusted source and use a sense of urgency to bait recipients into disclosing sensitive company or personal information.
Tips and Tricks
KnowBe4 offers the following suggestions to avoid falling victim to a phishing attack:
- Slow down. Carefully read each message. Think before you click.
- Hover your mouse over, but do not click, embedded links to reveal the actual website.
- Beware of poor spelling and grammar, along with incorrect and overused punctuation. These are red flags that the email is probably a phishing attack.
- Look out for generic greetings, such as "dear customer" or "sir or madam". Most legitimate entities will address you by your full name (or username), whereas phishing emails usually opt for generic greetings.
- Verify the email address and company logos. Scammers can change one single letter in an email address or slightly change a logo to make the email seem real.
- Never make assumptions and remain skeptical. Even if an email appears to be from your boss, co-workers or family members, it could still be a scam. Requests for sensitive information or money should immediately raise your suspicions. Offers for free vacations or money from a family member you have never met are likely phishing emails.
- Phishing emails often come with malware attached. Use extreme caution whenever you receive a random attachment. It is generally best to avoid downloading any attachments unless you are 100% sure they are trustworthy.
Examples
Check out the image below:
Here are a few things to notice:
- The email domain (@talawafostering.com) is not related to Dropbox.
- The logo is not Dropbox's logo.
- The greeting is addressed to Dear Sir/Madam, not you.
- Hovering over the "View Document" link would reveal a site not related to Dropbox.
Sometimes the signs are harder to notice. Look at this example and try to find some errors.
It might be hard to notice anything wrong at first glance. Always stop and think before clicking. Some things to think about:
- When was the last time you received a “fax / E1 Document” from Microsoft? The answer is likely never, since this is a phishing email.
- Do you recognize the sender of the email? If so, contact them via separate email or phone call to verify the legitimacy of the email in question.
Some errors we can see here are:
- Poor grammar: “If you’ve already review…”
- Hovering over the “View your fax” link would reveal a site not related to Microsoft.
Sometimes phishing emails that appear to come from the company’s IT department are actually from an unrecognized domain. Clicking on the cleverly devised option to “Keep Same Password” would likely result in downloading malware. In this example we can see that the bad actor is trying to implement scare tactics. Scare tactics try to make you click by using words like "urgent", "right now" or, in this case, "expires today" to get you flustered so that you act without thinking.
Spoofs
In a spoof email the sender appears to be legitimate; here, the generic Gmail address and the poor grammar reveal that this is a phishing attempt. If the email is supposedly coming from someone in your company you know, try to find them in person to verify that they actually sent you an email.
Sometimes a spoof email will have a legitimate user's name, but will be from an unrecognized domain (@st0rrk.com). In this attempt, the hacker is trying to have payroll directed to their bank account.
This is a fake alert from a web browser that uses a sense of urgency to bait users into providing their credentials (username/password) to a hacker. Oftentimes people will fill in the information in a panic so that they can get back to their daily activities.
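The checklist in the Tips and Tricks section, the Dropbox and Microsoft examples, and the spoof cases above all come down to a handful of checks a mail gateway or a help desk can run mechanically. The script below is an added example written for this page; it is not KnowBe4's or Blackink IT's code. It parses a raw email, compares the display name against the sending domain (for both a claimed brand and a known colleague), looks for generic greetings and urgency wording, and reports any link whose host is unrelated to the sender or the claimed brand. The brand list, the colleague directory, the keyword lists, the review threshold and the sample messages are all constructed assumptions; the sample hosts use reserved `.example` and `.invalid` names.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lists for this demo; a real deployment would tune and extend them.
KNOWN_BRANDS = {"dropbox": {"dropbox.com"}, "microsoft": {"microsoft.com", "office.com"}}
KNOWN_PEOPLE = {"jane doe": "example.org"}  # colleague display name -> domain they send from
GENERIC_GREETINGS = ("dear customer", "dear sir/madam", "dear sir or madam", "dear user")
URGENCY_PHRASES = ("urgent", "right now", "expires today", "immediately")


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs: the data that hovering over a link reveals."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Reduce 'mail.example.com' to 'example.com' (last two labels; no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw_message):
    """Return human-readable findings for one RFC 5322 message; empty means nothing fired."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(address.split("@")[-1]) if "@" in address else ""
    header_text = (display_name + " " + msg.get("Subject", "")).lower()

    # Tip "verify the email address": a brand named in the display name or subject
    # must send from one of its own domains.
    claimed = {b for b in KNOWN_BRANDS if b in header_text}
    for brand in claimed:
        if sender_domain not in KNOWN_BRANDS[brand]:
            findings.append(f"claims to be {brand} but sender domain is {sender_domain}")

    # Spoof check: a colleague's name on an address from an unrecognized domain.
    expected = KNOWN_PEOPLE.get(display_name.lower())
    if expected and sender_domain != expected:
        findings.append(f"display name {display_name!r} but sender domain is {sender_domain}")

    # Decode every text part (html or plain) so the body checks see all of it.
    body = "\n".join(
        (part.get_payload(decode=True) or b"").decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk() if part.get_content_type() in ("text/html", "text/plain"))
    plain = re.sub(r"<[^>]+>", " ", body).lower()

    # Tip "look out for generic greetings".
    greeting = next((g for g in GENERIC_GREETINGS if g in plain), None)
    if greeting:
        findings.append(f"generic greeting: {greeting!r}")

    # Tip "scare tactics": urgency wording meant to make the reader act without thinking.
    urgency = [p for p in URGENCY_PHRASES if p in plain]
    if urgency:
        findings.append("urgency language: " + ", ".join(urgency))

    # Tip "hover over links": flag a link host unrelated to the sender and to any claimed brand.
    trusted = {sender_domain} | {d for b in claimed for d in KNOWN_BRANDS[b]}
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if host and registered_domain(host) not in trusted:
            findings.append(f"link {text!r} points to {host}")
    return findings


def is_suspicious(raw_message, threshold=2):
    """Two or more independent signals is enough to route the message for human review."""
    return len(analyze(raw_message)) >= threshold


# Constructed sample modelled on the Dropbox-style lure described in the article; hosts are not real.
SAMPLE_PHISH = """\
From: Dropbox <share@talawafostering.example>
Subject: A document was shared with you
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Sir/Madam,</p>
<p>A document is waiting for you. The link expires today.</p>
<p><a href="http://docs-share.invalid/open?id=1">View Document</a></p></body></html>
"""

# Constructed benign message from a known colleague, for contrast.
SAMPLE_CLEAN = """\
From: Jane Doe <jane.doe@example.org>
Subject: Notes from today's meeting
Content-Type: text/html; charset=utf-8

<html><body><p>Hi Sam,</p><p>Notes: <a href="https://intranet.example.org/notes">here</a></p></body></html>
"""
```

Running `analyze(SAMPLE_PHISH)` yields four findings (brand/domain mismatch, generic greeting, urgency language, and an unrelated link host), while `analyze(SAMPLE_CLEAN)` yields none. The two-signal threshold in `is_suspicious` is deliberate: any one heuristic misfires on legitimate mail (a real vendor may well write "urgent"), but a message that trips several at once is exactly the kind the tips tell a reader to stop and verify out of band.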
Employees are your first line of defense against a cyber attack, but many times employees don't realize the role they play in avoiding ransomware attacks. It's important for them to know their responsibility and how they help keep the company safe. If you want to learn more about building a safe culture, contact the experts at Blackink IT – we're excited to learn about your company!