This article is the start of a series of articles concerning “Common Cyber Threats” that affect organizations today. We’ll go over how these threats work, what types of threats there are, and some common ways to spot and mitigate damage from these threat types. Today we’ll start with Email Phishing.
When people think of cyberattacks, they often imagine complicated code, a flurry of green text streaming down a screen, and a nefarious masked individual with seemingly endless technological prowess. This, however, can be strikingly far from the truth.
Email phishing is aptly named: the attacker casts bait in the form of a message and “fishes” for sensitive data they can exploit.
While some cyberthreats are certainly technically sophisticated, the most common (and arguably the easiest) way criminals gain access to enterprise networks is by sending seemingly legitimate emails to members of an organization. These carry a payload (most commonly a malware attachment), a malicious link, or simply a plain-text request designed to extract insider or confidential information. Email was the most prominent delivery channel for malware in 2019. For this reason, it’s more important than ever to recognize a phishing attempt when you see one.
It’s worth noting that you should NEVER download or open an attachment from a suspected phishing email. Always verify first, and if anything seems off, consult your company’s IT or security team (or, outside a business setting, a tech-savvy person you trust).
Email phishing comes in several forms. The most common are regular phishing, spear phishing, and whaling.
Regular phishing most often hits personal email addresses, though business addresses are not immune. It takes a “shotgun approach”, sending out millions of emails at a time in the hope of “phishing” some personal data, credit card numbers, or the like. The senders masquerade as legitimate businesses such as Apple, Microsoft, PayPal, and other popular (commonly tech) companies. The lure can be as generic as “You won money! Click here to receive it” or considerably more specific: attackers use data from earlier breaches to target people who actually use the impersonated product, which makes the email look that much more legitimate. Always verify the details in the email. We’ll cover some ways to identify these emails later.
Spear phishing is a more targeted approach, usually aimed at a specific organization. For example, the attacker might send emails only to addresses ending in “@example.com”, and the content often suggests they know something about the organizational structure or other company information. Email security solutions and employee education about phishing are important to prevent disruption to normal operations. Malware and spear phishing campaigns aim to spread inside the organization (a compromised account is used to phish its own contacts), so consider not only the stated reason for the email but also whether the request fits the sender’s role and usual behavior.
Whaling is more serious still. It targets upper management in an attempt to infect their computers or extract confidential organizational data, and a successful whaling attack can cause major organizational damage. Preventing it calls for email security solutions and security training for the senior executives in your company.
While there are hundreds of security measures to take against these attacks, a few quick checks to really nail down when looking through an email include:
Understand the security policies of the services you use.
It’s always worth repeating, and I’m sure you’ve read it multiple times: COMPANIES WILL NOT ASK YOU FOR YOUR PASSWORD. If they do, something seriously “phishy” is going on. A properly run service never stores your password in a form it can read back: it stores a salted hash, which can be checked against a password you type but not reversed into the password itself. That’s why you must “reset” a forgotten password rather than request to view it, and why any message asking you to “confirm” your password is bogus.
Check the sender address, CAREFULLY.
As mentioned before, the senders of phishing emails are only pretending to be legitimate businesses. Looking up the company’s official website with a search engine (not through a link in the email) and comparing its domain with the sender’s domain is a quick sanity check. It isn’t foolproof, since some companies send from an alternate domain for communications, which brings us back to knowing their security policies. Other things to look out for are typosquatting (a domain that is slightly off), substitution of look-alike characters (a capital I for a lowercase l, for example), and extra labels bolted onto the front of a domain (realcompany.fakecompany.com belongs to whoever registered fakecompany.com, not to realcompany). The part that matters is the registered domain just before the top-level domain, not the familiar name at the start.
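Here is how the sender-address checks above can be automated, as an added example that is not code from the original article: it pulls the address out of a From: header, reduces the host to its registered domain, and compares it with a list of domains you expect mail from, flagging subdomain tricks (realcompany.fakecompany.com) and look-alike characters (I/l, 1/l, 0/o, rn/m, a few Cyrillic letters). The expected-domain list, the confusable table and the sample headers are assumptions constructed for illustration, and the two-label rule for the registered domain is a simplification that a public suffix list would replace in production.

```python
"""Sender-domain checks for the 'check the sender address' step.

Added example, not code from the original article. The expected-domain set,
the confusable-character table and the sample headers are constructed.
"""
from email.utils import parseaddr

# Domains you expect legitimate mail from (constructed list; in practice this
# comes from the company's own communication/security policy).
EXPECTED_DOMAINS = {"microsoft.com", "paypal.com", "apple.com", "example.com"}

# Characters routinely swapped for look-alikes. Both the expected domain and the
# candidate are mapped through this table (a "skeleton"), so "paypa1.com" and
# "paypaI.com" collapse to the same string as "paypal.com".
_SINGLE = str.maketrans({
    "i": "l", "1": "l",                           # i, 1 and l after lowercasing
    "0": "o", "5": "s", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c",                 # Cyrillic p, c
})
_MULTI = (("rn", "m"), ("vv", "w"))               # two letters that read as one


def skeleton(domain: str) -> str:
    """Collapse confusable characters so look-alike domains compare equal."""
    s = domain.lower()
    for pair, single in _MULTI:
        s = s.replace(pair, single)
    return s.translate(_SINGLE)


def registrable_domain(host: str) -> str:
    """Last two labels of a host: the part somebody actually registered.

    Simplification: multi-part public suffixes such as co.uk need a public
    suffix list; this example assumes single-label TLDs.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(header_value: str) -> str:
    """Classify a From: header as trusted, subdomain-trick, lookalike,
    unknown or malformed."""
    _display_name, addr = parseaddr(header_value)
    if "@" not in addr:
        return "malformed"
    host = addr.rsplit("@", 1)[1].lower()
    domain = registrable_domain(host)
    if domain in EXPECTED_DOMAINS:
        return "trusted"          # news.microsoft.com is still microsoft.com

    # realcompany.fakecompany.com: a familiar name appears, but only as a
    # subdomain label; the registered domain belongs to someone else.
    subdomain_labels = set(host.split(".")[:-2])
    for expected in EXPECTED_DOMAINS:
        if expected.split(".")[0] in subdomain_labels:
            return "subdomain-trick"

    # Typosquats and homoglyphs: compare in skeleton space.
    if any(skeleton(expected) == skeleton(domain) for expected in EXPECTED_DOMAINS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    samples = [                   # constructed sample headers
        "Microsoft Account Team <account-security@microsoft.com>",
        '"PayPal" <service@paypa1.com>',
        "IT Helpdesk <helpdesk@rnicrosoft.com>",
        "Billing <billing@paypal.com.account-verify.example>",
        "Apple <no-reply@\u0430pple.com>",
        "Shop <news@randomshop.example>",
        "not an address",
    ]
    for s in samples:
        print(f"{classify_sender(s):16} {s}")
```

An “unknown” result is not a verdict, only a prompt to check the company’s stated sending domains, which is exactly the policy question raised above; a “lookalike” or “subdomain-trick” result should stop you before you read further.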
Hover your mouse over all links and check their target address.
It’s easy to disguise a link in HTML: the visible text can say one thing while the link target points somewhere else. For example, here’s a link to microsoft.com. Hover over or click it and, look at that! It’s actually a link to our website here at Ascension Global Technologies. An easy way to check is to hover over the link (you can try it now, without clicking) and look at the bottom corner of the browser window, where the real target address appears (bottom-left in most desktop browsers; the location varies, and on mobile you may need to long-press the link instead). Some browsers also show the target in a tooltip if you hover for a second or two.
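The same comparison a hover performs, done over a whole HTML body, as an added example that is not code from the original page: it collects every anchor and, for each one whose visible text looks like a URL or host name, compares the host the text claims against the host the href really uses. SAMPLE_HTML and its .example hosts are constructed stand-ins, not real attacker infrastructure.

```python
"""Find links whose visible text names a different host than the href target.

Added example, not code from the original article. SAMPLE_HTML is a constructed
phishing body; its hosts use the reserved .example TLD.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: link 1 shows Microsoft but goes elsewhere; link 2 is
# honest; link 3 uses the subdomain trick from the sender-address section.
SAMPLE_HTML = """
<p>Unusual sign-in activity was detected. Review it at
<a href="https://agt-landing.example/ms/login">https://www.microsoft.com/account</a>
or read our <a href="https://www.microsoft.com/security">security guidance</a>.
Your payment profile: <a href="http://www.paypal.com.verify-now.example/">www.paypal.com</a></p>
"""

# Visible text that looks like a URL or bare host name; group 1 is the host.
URL_LIKE = re.compile(r"^(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})(?:[/?#:].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so wrapped link text still matches URL_LIKE
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def same_site(shown: str, real: str) -> bool:
    """www.microsoft.com and microsoft.com are the same site;
    www.paypal.com and www.paypal.com.verify-now.example are not."""
    return shown == real or real.endswith("." + shown) or shown.endswith("." + real)


def mismatched_links(html: str) -> list:
    """(visible text, host the text claims, host the href really uses) for every
    link whose text looks like a URL but points elsewhere. Links with plain
    prose text are skipped: they still deserve a hover, but there is nothing
    to compare automatically."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        m = URL_LIKE.match(text)
        if not m:
            continue
        shown = m.group(1).lower()
        real = (urlparse(href).hostname or "").lower()
        if not same_site(shown, real):
            findings.append((text, shown, real))
    return findings


if __name__ == "__main__":
    for text, shown, real in mismatched_links(SAMPLE_HTML):
        print(f"text says {shown!r} but the link goes to {real!r}  ({text})")
```

The suffix test in same_site is deliberately one-directional per side: the real host may be a subdomain of what is shown (www. prefixes), but a real host that merely starts with the shown name, as in the third sample link, is flagged.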
Never accept or open a ZIP file whose password is given in the same email.
There is no legitimate reason to send an encrypted ZIP file together with the key that unlocks it. If the password travels with the archive, the encryption protects nothing from anyone who intercepts the message; the only thing it reliably does is stop your mail gateway and antivirus from scanning the contents. Either that is the intent, or the sender isn’t following basic security principles. In both cases leave the file alone until you can confirm it’s safe through a separate channel and from more than one source.
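A mail-gateway style check for this rule, added here as an example and not code from the original article: it parses a constructed message, finds ZIP attachments whose entries carry the ZIP encryption flag (the bit a ZipCrypto or AES-protected archive sets, and the reason a scanner cannot look inside), and raises a second finding when the body also mentions a password. The message, the archive name and the password are made up; because the standard library cannot write encrypted archives, the encryption flag is patched into a plain archive to simulate one.

```python
"""Hold messages that carry an encrypted ZIP whose password is in the same mail.

Added example, not code from the original article. The message, the archive
and the password are constructed; the ZIP's 'encrypted' flag is patched in by
hand because the standard library cannot write encrypted archives.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

PASSWORD_HINT = re.compile(r"\bpassword\b", re.I)


def _constructed_zip(encrypted: bool) -> bytes:
    """One-entry ZIP. With encrypted=True, bit 0 of the general-purpose flags
    is set in both the local header and the central directory, as any
    ZipCrypto or AES-protected archive has it. The bytes are not really
    encrypted: this is test data that only looks encrypted to a scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.exe", b"MZ placeholder, constructed")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(b"PK\x03\x04") + 6] |= 0x01   # local file header flags
        data[data.find(b"PK\x01\x02") + 8] |= 0x01   # central directory flags
    return bytes(data)


def build_sample_message(encrypted: bool = True) -> bytes:
    """Constructed 'invoice' email with the archive password in the body."""
    msg = EmailMessage()
    msg["From"] = '"Accounts Payable" <accounts@supplier.example>'
    msg["To"] = "you@example.com"
    msg["Subject"] = "Invoice 4471 - action required"
    msg.set_content(
        "Hi,\n\nThe invoice is in the attached archive. The password is Inv-4471.\n"
    )
    msg.add_attachment(_constructed_zip(encrypted), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def suspicious_attachments(raw: bytes) -> list:
    """Reasons to quarantine the message; an empty list means nothing found."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(b"PK"):            # not a ZIP-family container
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                # reading the directory does not need the password
                encrypted = [i.filename for i in zf.infolist() if i.flag_bits & 0x01]
        except zipfile.BadZipFile:
            reasons.append(f"{name}: ZIP signature but unreadable archive")
            continue
        if encrypted:
            reasons.append(f"{name}: encrypted entries {encrypted} cannot be scanned")
            if PASSWORD_HINT.search(body_text):
                reasons.append(f"{name}: archive password supplied in the same message")
    return reasons


if __name__ == "__main__":
    for reason in suspicious_attachments(build_sample_message()):
        print("HOLD:", reason)
    print("clean message:", suspicious_attachments(build_sample_message(encrypted=False)))
```

The directory listing of a protected archive is readable without the password, so file names and the encryption flag are available to a gateway even when the contents are not; that is enough to hold the message for a human decision.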
Grammar, intent, and bears, oh my!
It’s become something of a joke recently. You know the “Nigerian prince” scam (an example of phishing in its own right); today’s phishing isn’t far off from it. A professional environment relies on correct grammar, spelling, and communication norms, so if you see a lapse in any of these, it’s a great idea to double-check the integrity of the email. In a corporate setting it could even indicate a compromised account or a spear phishing campaign that is attempting to spread. If you suspect a phishing attempt, compare the message against the sender’s usual intent (if they email you regularly), their wording, and other identifying habits.