Most employees are required to take security awareness training during their first week of work. Normally these courses outline company policies, talk about the importance of online security, and share examples of scams so that employees can detect and report them in the future. And yet, how many times do employees, and even leadership, fall for email phishing tests?
The answer is probably far too high. No matter how much education you provide, a compelling phishing scam can deceive even the most savvy of your employees. One employee’s misstep could expose sensitive personal information to a malicious party. This piece will help you understand the nuances of phishing and provide useful tips to combat the shrewd techniques of scammers.
Phishing is a cyberattack in which a target receives a fraudulent email or text designed to prompt them to share sensitive information such as banking details or login credentials. Attackers typically impersonate legitimate institutions like governments or large corporations to convince individuals to relinquish the data.
Many people have the perception that phishing scams are obvious and thus easily avoidable. Yet, phishing attacks occur successfully every day, multiple times per day. The FBI’s Internet Crime Complaint Center discovered that victims lost $57 million to phishing schemes in 2019 alone, and estimates that phishing costs United States businesses close to $5 billion per year.
The expression “phishing” was first used in the 1990s to describe attempts to gain access to AOL usernames and passwords. Users weren’t familiar with this kind of attack, and many fell prey to phishing even when AOL cautioned users about the danger phishing presented.
Since then, attackers have become even more sophisticated and prolific. In response, companies have adopted powerful gateway-level email security and phishing tools. But attackers have not backed off, creating new methods such as phishing websites that spoof popular domains to attempt to collect sensitive data.
The sheer number of phishing sites and the tight timeline security teams have to warn people about them make phishing attacks extremely difficult problems to address.
Today, more than 1.5 million new phishing sites get created per month, and the sites only stay active for 4 to 8 hours on average. And, unfortunately, rule-based email security tools don’t have the visual anomaly detection features to uncover fake login pages in real time.
The hallmarks of phishing are similar across each type of attack, but it’s beneficial to have a solid understanding of each type of phishing to be as vigilant as possible. Below, we define 4 types of phishing and provide examples to help you take precautionary measures against them.
If attackers cannot get full access to a business email account, they will create their own email address with very similar characteristics to those of the corporate network they are trying to scam.
For example, if company emails usually look like “email@example.com”, the hacker might create one like: “firstname.lastname@example.org”.
The most revealing thing about phishing scams is that they contain calls to action to click a button, open attachments, or reply with sensitive information.
But there are other telltale signs of phishing attacks as well.
Usually phishing attacks create an unreasonable sense of urgency, such as limited time offers or alleged account suspensions.
Phishing scams also have odd aesthetic features, like blurry or overstretched images, and copy with misspellings, odd capitalization, and/or other grammatical errors.
Look for things like listing an incorrect account number in a text, using an old or outdated company logo on a website, or addressing a subject by the wrong name in an email.
Everyday examples can solidify these concepts. The following screenshots show everyday methods scammers use to entice victims, and we highlight the clues the attackers left behind.
Seems like an ordinary email, right? Wrong. “2021 Tax Return Receipt” makes it seem like a tax return is already on its way to the recipient’s bank account.
The email content itself may be an even bigger indicator that the message is fake. “Wilson” is in a different font and is much larger than the rest of the copy.
Oddly, the recipient’s name is not in the header either; the email starts with “Hi there,” instead. Plus, there is no way the IRS would use a sign-off as informal as “Enjoy!”
The recipient, however, doesn’t know how much money is involved and might be confused, prompting them to click the “View Document Now” button.
This email also appears to be sent from the IT Service department, but “email@example.com” isn’t an appropriate address for any IT team member.
The email doesn’t address the recipient by name, nor does it have a subject line, and the content of the email contains extra periods and unusual capitalization.
Notice that the email establishes a sense of urgency, asking the recipient to upgrade his mailbox or else he will not be able to send or receive emails.
Moreover, the link embedded in the email doesn’t contain “https” in the URL, and a message from IT wouldn’t need to cite copyright.
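As an added example (not code from this article or from IRONSCALES), the following Python script turns the clues discussed above into checks a mail-review tool could run: the look-alike sender domain from the corporate-email discussion, and the missing subject, generic greeting, urgency language, plain-http link, stray punctuation and odd capitalization from the two sample emails. CORPORATE_DOMAIN, the urgency phrase list, the similarity threshold and both sample messages are assumptions constructed for the demo, not values taken from the page.

```python
"""Heuristic phishing-indicator scan of a raw email (added example, not IRONSCALES code).

CORPORATE_DOMAIN, URGENCY_PHRASES, LOOKALIKE_THRESHOLD and both sample
messages are assumptions made for this demo.
"""
from __future__ import annotations

import re
from difflib import SequenceMatcher
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumption: the organisation's real mail domain
LOOKALIKE_THRESHOLD = 0.8         # assumption: similarity ratio that counts as a near miss
URGENCY_PHRASES = (               # assumption: phrases that signal manufactured urgency
    "immediately", "within 24 hours", "will be suspended", "will not be able",
    "limited time", "act now", "upgrade now", "verify your account",
)


def sender_domain(msg: Message) -> str:
    """Lower-cased domain of the From address, or '' when missing."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def lookalike_domain(domain: str, legit: str = CORPORATE_DOMAIN) -> bool:
    """True when domain is near, but not equal to, the legitimate one.
    ratio() is 2*matches/total length: 'examp1e.com' vs 'example.com' gives ~0.91."""
    if not domain or domain == legit:
        return False
    return SequenceMatcher(None, domain, legit).ratio() >= LOOKALIKE_THRESHOLD


def plain_text_body(msg: Message) -> str:
    """Join the text/plain parts (or the whole body of a single-part message)."""
    parts = [msg]
    if msg.is_multipart():
        parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(
        (p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts
    )


def find_indicators(raw_message: str) -> dict[str, str]:
    """Map each indicator that fires to a short detail string."""
    msg = message_from_string(raw_message)
    body = plain_text_body(msg)
    findings: dict[str, str] = {}
    domain = sender_domain(msg)
    if lookalike_domain(domain):
        findings["lookalike_sender_domain"] = f"{domain!r} resembles {CORPORATE_DOMAIN!r}"
    if not (msg.get("Subject") or "").strip():
        findings["empty_subject"] = "no subject line"
    if re.match(r"\s*(hi|hello|dear)\s+(there|customer|user|valued)\b", body, re.IGNORECASE):
        findings["generic_greeting"] = "recipient not addressed by name"
    if hits := [p for p in URGENCY_PHRASES if p in body.lower()]:
        findings["urgency_language"] = ", ".join(hits)
    if links := re.findall(r"\bhttp://\S+", body):  # https:// never matches this pattern
        findings["insecure_links"] = ", ".join(links)
    if re.search(r"[.!?]{2,}", body):                # e.g. 'quota..'
        findings["doubled_punctuation"] = "repeated sentence punctuation"
    if caps := re.findall(r"\b[A-Z][a-z]+[A-Z][a-z]+\b", body):  # e.g. 'MailBox'
        findings["odd_capitalization"] = ", ".join(caps)
    return findings


# Constructed sample modelled on the 'mailbox upgrade' message discussed above.
SUSPICIOUS_SAMPLE = """\
From: IT Service <it-service@examp1e.com>
To: staff@example.com

Hi there,

Your MailBox Has Exceeded its quota.. Upgrade Now or you will not be able to send or receive emails.

Keep your account active: http://mail-upgrade.examp1e.com/login

Copyright 2021 IT Service. All rights reserved.
"""

# Constructed sample of a legitimate internal notice, for comparison.
CLEAN_SAMPLE = """\
From: IT Service <it-service@example.com>
To: dana@example.com
Subject: Mail server maintenance on Saturday

Hi Dana,

The mail servers will be patched on Saturday between 02:00 and 04:00 UTC.
No action is needed on your side; details are on the intranet:
https://intranet.example.com/changes/1234

Thanks,
IT Service
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("clean", CLEAN_SAMPLE)):
        found = find_indicators(sample)
        print(f"{label}: {len(found)} indicator(s)")
        for name, detail in found.items():
            print(f"  - {name}: {detail}")
```

Run as a script, it reports seven indicators for the constructed suspicious message and none for the clean one. Every check is deliberately a simple heuristic: the similarity ratio catches a one-character substitution such as examp1e.com but not look-alikes built from other character sets, and a legitimate newsletter may well use an ellipsis, so the output is a set of review cues for an analyst or a scoring pipeline, not a verdict on its own.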
Phishing attacks compromise employee and customer data, and, ultimately, cost you money.
The good news is that there are ways to reduce your organization’s vulnerability to attacks. Here are a few:
With phishing getting more advanced by the day, businesses need a way to stay ahead of the attackers to avoid compromising their information security. Anti-phishing software can be an extremely valuable asset to aid in detecting and removing phishing attempts. IRONSCALES is a self-learning email security platform that provides all the tools necessary to keep a business safe from evolving phishing threats.
Try a free trial of IRONSCALES to see how you can keep your business safe from phishing.
The word is out: IRONSCALES is leading the pack in email security!