KEY POINTS
- A 2021 study by Proofpoint identified that 74% of US organizations fell victim to a successful phishing attack last year.
- Interestingly enough, Verizon quantified that 43% of cyber attacks in 2020 leveraged phishing or pretexting as an attack vector.
- Humans are still the best line of defense against phishing attacks. In fact, a phishing attack which targeted a major healthcare company was thwarted in 19 minutes due to users reporting that they received suspicious emails.
For many years, phishing emails have been an immutable problem for businesses and consumers alike. Admittedly, some of the largest and most damaging data breaches started as a result of a phishing attack. While email filtering tools have advanced considerably over the last several years, humans are still the optimal defense against phishing attacks. Thus, appropriate anti-phishing training is indispensable for organizations and anyone who conducts business via email.
During the second week of Cybersecurity Awareness Month, we will identify the red flags associated with phishing emails, examine several phishing attack offshoots, and provide you with tips to protect yourself from becoming a victim of phishing attacks.
- The Red Flags
Phishing emails have become more elaborate and complex over the past few years. Some phishers have mastered the art of creating appealing, professional-quality emails that resemble emails drafted by a world-renowned PR team. Other phishers, however, have not…
When attempting to judge the legitimacy of an email, pay particular attention to awkward or unusual formatting, phrases that invoke a sense of urgency, such as “time sensitive matter” or “act now,” and any sender who urges you to click on a link or open an attachment.
- Vishing and Other Phishing Offshoots
So all we have to worry about is phishing, right? Not so fast. Unfortunately, many scammers have diversified their attack portfolios, resulting in numerous attacks that leverage the basic phishing playbook. Some of these attacks include:
Vishing (voice phishing) – This is where the bad guys/girls call you on the telephone and try to con you out of your hard-earned money or sensitive information. I am sure that, at some point, everyone has received a phone call from “scam likely,” or a voice message indicating that your “extended car warranty” has expired. You may have even received a call or message claiming that the police are planning to arrest you for social security fraud and that the only way to prevent this is to pay a one-time fee of $$$$$$… These are just a few common examples of popular Vishing scams.
Smishing (SMS phishing) – Smishing is, essentially, phishing via text messaging. Some of the more common Smishing messages include scams like “Your credit card or banking information has been compromised, click on this link to reset your account information,” “Your Amazon package is late, click on this link to see the updated status,” or “Someone attempted to log into your (insert social media platform) account. Click this link to reset your password.” The goal of Smishing, just like Phishing, is to get you to divulge sensitive information to the attacker.
Spear phishing – Spear phishing is a more targeted version of Phishing. With Spear Phishing attacks, the attacker will typically personalize an email with information such as your name, place of employment, job title, and even your address, in an attempt to legitimize their request. Most of the information included in the email was obtained via a data breach or public information sources. The scammer is relying on the psychological effect of seeing such personal information in an email to scare you and short-circuit your decision-making process.
- Verify the Source
While phishing attacks and their associated offshoots can come at you in a variety of ways, the majority of attackers characteristically try to impersonate someone that you may know. That is because we humans are more likely to divulge information to people we know, or to authority figures, than to total strangers.
Colleagues, friends, family, and government agencies are all fair game when it comes to impersonation attempts. Therefore, trust your gut if you sense that something is not right, and be sure to verify that the message is authentic. As a general best practice, always check the sender’s email address and confirm that the sender is legitimate via a telephone call or in person. Finally, avoid opening attachments unless you are certain that the email is valid.
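The red flags and sender checks above can be automated as a first-pass triage step. The script below is an added example, not code from this post or its authors: it parses one raw email and reports a friendly display name sitting on a sender domain the organization does not own, attachments, urgency phrases, and links whose visible text names a different host than the one they actually point to. The urgency phrase list, the trusted-domain allow-list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Urgency cues the post names, plus two hypothetical additions.
URGENCY = ("time sensitive", "act now", "immediately", "has been compromised")
# Hypothetical allow-list: domains the organization really sends mail from.
TRUSTED_DOMAINS = {"example.com"}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def red_flags(raw):
    msg = message_from_string(raw)
    flags = []
    name, sender = parseaddr(msg.get("From", ""))
    # A friendly display name (HR, a colleague, a bank) on an address we do not own.
    if name and domain_of(sender) not in TRUSTED_DOMAINS:
        flags.append(f"display name '{name}' on untrusted domain '{domain_of(sender)}'")
    body = ""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            flags.append(f"attachment '{part.get_filename()}'")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    flags += [f"urgency phrase '{p}'" for p in URGENCY if p in text]
    # Visible link text names one host while the href goes to another.
    for href, shown in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = urlparse(href).netloc.lower()
        claimed = re.search(r"[\w-]+(\.[\w-]+)+", shown.lower())
        if claimed and host != claimed.group(0) and not host.endswith("." + claimed.group(0)):
            flags.append(f"link shows '{shown.strip()}' but points to '{host}'")
    return flags

# Constructed sample message (not a real phishing email).
SAMPLE = """\
From: "Dana Lee (HR)" <dana.lee@example-hr.test>
Subject: Time sensitive matter
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your timesheet is overdue. Act now: <a href="http://login.evil.test/x">example.com/hr</a></p>
--b1
Content-Disposition: attachment; filename="timesheet.pdf"

JVBERi0=
--b1--
"""
```

Running `red_flags(SAMPLE)` reports five flags for the constructed sample; a plain internal message with no display name, links or attachments reports none.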
Phishing is one of the oldest tricks in the book, but it is still effective. While phishing emails are getting craftier, exercising caution and looking for red flags are still effective ways to spot a scammer.
Do you have any questions regarding phishing emails, social engineering, or information security best practices in general? Contact us and we will be glad to assist you with your security needs! Make sure to subscribe to our mailing list to stay up to date with our latest security tips and tricks.