10 Steps against an email phishing attack.
Phishing is the term for the fishing for personal information in order to commit fraud. This usually occurs through unsolicited emails (spam) or by telephone contact with criminals masquerading as a trustworthy entity / bank demand (login) codes or to send your debit card. This information is used for committed fraud with Internet banking, debit cards, credit cards or a person’s identity.
One of the most popular ways for cybercriminals to steal personal information is by using email phishing scams. Cybercriminals often use this method of attack to trick employees from large organisations into clicking onto malicious links so they can gain access to corporate networks that contain valuable data.
Why is phishing so successfull?
Although the success of phishing attempts varies based on the victim’s gullibility, their training, their organization’s security defenses and other factors, there are three important reasons that phishing is so successful today:
- Cybercriminals are getting better at their craft. Their use of logos, professionallycrafted messages, and personalization of content makes phishing attempts more believable, and so prospective victims are more likely to click on the links and attachments contained within them.
- Users are sharing an increasing amount of information through social media, thereby providing cybercriminals with the fodder they need to craft personalized and more believable messages.
- Some anti-phishing solutions are not supported with a sufficiently robust database of real-time messaging intelligence, and so can fall prey to the latest techniques used by phishers.
Phishing emails often masquerade as correspondence from a legitimate and trusted organisation, luring victims to click on links that will make them download malicious content or trick them into inputting sensitive information onto a fake website.
Recently, the Australian Communications and Media Authority (ACMA) warned Netflix users about a fake email that contained links to a phishing site that looks almost identical to the real Netflix page. Warning: Scammers Are Sending Fake Netflix Emails To Steal Your Log-In Details.
The fake email has the subject line “Netflix Membership On Hold” and contains a link to what appears to be the official Netflix sign-in page. However, the email and site are both fakes created to steal your Netflix credentials.
Here’s the full alert issued by ACMA:
Or a Dutch example using a creditcard company:
10 Steps to prevent being victim of an email phishing attack.
# 1 Don’t Trust The Display Name
A favorite phishing tactic among cybercriminals is to spoof the display name of an email. Here’s how it works: If a fraudster wanted to impersonate the hypothetical brand “My Bank”, the email may look something like:
Since My Bank doesn’t own the domain “secure.com”, email authentication defenses will not block this email on My Bank’s behalf.
Once delivered, the email appears legitimate because most user inboxes and mobile phones will only present the display name. Always check the email address in the header from — if looks suspicious, flag the email. It’s important to note that email addresses can be faked so it’s not a fool-proof indicator.
# 2 Look But Don’t Click
Cybercriminals love to embed malicious links in legitimate-sounding copy. Hover your mouse over any links you find embedded in the body of your email. If the link address looks weird, don’t click on it. If you have any reservations about the link, send the email directly to your security team.
# 3 Check for spelling mistakes
Brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.
# 4 Analyse The Salutation
Is the email addressed to a vague ‘Valued Customer?’ If so, watch out—legitimate businesses will often use a personal salutation with your first and last name.
# 5 Don’t Give Up Personal Or Company Confidential Information
Most companies will never ask for personal credentials via email — especially banks. Likewise most companies will have policies in place preventing external communications of business IP. Stop yourself before revealing any confidential information over email
# 6 Beware Of Urgent Or Threatening Language In The Subject Line
Invoking a sense of urgency or fear is a common phishing tactic. Beware of subject lines that claim your “account has been suspended” or ask you to action an “urgent payment request.”
# 7 Review The Signature
Lack of details about the signer or how you can contact a company strongly suggests a phish. Legitimate businesses always provide contact details. Check for them.
# 8 Don’t Click On Attachments
Including malicious attachments that contain viruses and malware is a common phishing tactic. Malware can damage files on your computer, steal your passwords or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting.
# 9 Don’t Trust The Header From Email Address
Fraudsters not only spoof brands in the display name, but also spoof brands in the header from email address, including the domain name. Keep in mind that just because the sender’s email address looks legitimate (e.g email@example.com), it may not be. A familiar name in your inbox isn’t always who you think it is.
# 10 Don’t Believe Everything You See
Phishers are extremely good at what they do. Many malicious emails include convincing brand logos, language, and a seemingly valid email address. Be skeptical when it comes to your email messages — if it looks even remotely suspicious, do not open it.
Know that phishing can also happen by phone.
You may get a call from someone pretending to be from a company or government agency, making the same kinds of false claims and asking for your personal information.
Employees should receive thorough training about phishing and other security risks in order to understand how to detect phishing attempts and to become more skeptical about suspicious emails and content. It is important to invest sufficiently in employee training so that the “human “firewall” can provide the best possible initial line of defense against increasingly sophisticated phishing and other social engineering attacks.
Security Awareness Training
The fastest results to avoid phishing damage gives a security awareness training , this will help you to educate your employees to stop risky activities. If you have decided to set up a security awareness training for your organization, you may decide to put this in classroom sessions, or through an online e-learning program. A good alternative is to do this through a continuous learning method, such as by means of:
Through this kind of security awareness training, you turn each one of your employees into security sensors in your organization. So, there are actually people who can now spot a phishing campaign and can alert security so that they can react. This type of threat might have otherwise have flown under the radar of security.
Sources: Oosterman Research Inc., Proofpoint, Lifehacker.com, Fraud.org, Rapid7, ENISA, Consuwijzer.nl, veiliginternetten.nl, mediawijsheid.nl