You've just gotten a high-priority email. The system administrator for your organization says that you need to open an attachment concerning an urgent security matter. But while everything might look good, opening that attachment could cost your company a fortune when it leads to a security breach.
Unfortunately, this sort of situation happens every day. You've just been made a victim of phishing.
The "lowly" phishing email is responsible for a jaw-dropping 35% of security breaches. It might seem like an obvious scam to some, yet people fall for it time and time again. If your employees don't hesitate when following through with that email, you could be in a lot of trouble.
October is National Cybersecurity Month and To celebration, we're going back to cybersecurity 101 basics. In this article, we'll discuss everything you need to know about phishing.
What Is Phishing?
Pronounced like "fishing," phishing is a type of social engineering attack. Hackers pretend to be a trusted authority and trick people out of valuable information. They do so through a convincing email designed to look like official correspondence from this authority.
This phishing email urges the victim to do one or all of the following:
- Divulge information, such as personal details or credentials
- Download a suspicious attachment
- Visit an unknown link
- Call an unknown number for further action
Phishing emails are generic. Their intention is not to target specific individuals. Instead, they wait for someone who makes the mistake of complying with the email's demands.
As such, the content of phishing emails tends to be generic. Most people who receive it will brush it off. But after sending it to thousands or even millions of individuals, hackers always find at least one person who falls for it.
|Related Reading: IT Admin's Guide to Protecting Against Phishing Attacks|
Why "Phishing" and Not Fishing?
The history of phishing goes back to the '90s. Early hackers, known as phreakers, would hack telephone lines to get free calls. As the internet became widespread, these hackers turned to new avenues: emails.
As the name implies, these hackers are "fishing" for gullible victims. They're waiting for anyone who will bite the hook before they reel it in. To distinguish this process, the name "phishing" (phreakers + fishing) quickly caught on.
Why Phishing Problems Are Such a Threat to Organizations
Phishing is one of the greatest threats an organization faces. These emails can slip through even the most sophisticated filters. All it takes is one oblivious employee for it to be successful.
The main issue with phishing is that it often involves stealing precious credentials. An employee may believe that they're corresponding with a security official for their organization. Rather than contact that individual for confirmation, they send their credentials to a bad actor.
With those credentials, a hacker has the chance to compromise your network. If you think this is only a threat to small or mid-sized organizations, think again. JP Morgan Chase suffered a breach in 2014 as a result of a phishing attack.
That attack compromised the data of over 83 million accounts. Even if a phishing email doesn't steal employee credentials, it could inject malware into your network. Whatever the case, phishing is a threat that should be on your radar.
Phishing and Spearphishing
Even worse than phishing is spearphishing. This is when a hacker targets a specific person. Rather than send a mass email, they send the email to an employee that matters. These emails are personalized and researched to appear genuine.
As mentioned earlier, a phishing email is very generic. The majority might ignore it or report it, but a select few ignorant users will comply.
Hackers craft a spearphishing email with greater care. They use the names of actual people and mimic previous correspondence. The email has all the tells of being official, but will still have red flags that employees ought to recognize.
Other Types of Phishing: Smishing and Vishing
Not all phishing happens through emails. Smishing and vishing are when hackers send fake SMS messages or make phone calls to steal information.
The SMS message might come in the form of a work alert. Companies often send SMS messages to off-hours employees about overtime and similar advisories. These can be harder to spot than phishing emails since they come from 4- or 8-digit phone numbers.
Vishing is a more sophisticated type of social engineering. A hacker calls an employee pretending to be IT or a system admin. Not to be confused with a run-of-the-mill scam call, they use coercive methods to obtain credentials.
In short, there are a lot of ways to catch a "phish." Employees should be on alert for anything suspicious. They should double- and triple-check with their organization before giving away valuable info.
How to Recognize a Phishing Email
Now that we've established what a phishing email is, let's talk about how to identify them. Fortunately, phishing emails tend to have a lot of red flags. A phishing email will stand out from other official correspondence, and with the proper training, they are very easy to spot.
While this article focuses on a phishing email, these principles apply across the board.
1. It Creates a False Sense of Urgency
The number one thing to look for in a phishing email is extreme urgency. Whatever the email is telling you to do, it tells you to do it right now.
To do this, a phishing email will often tell you that you need to resolve a problem. If you don't act now, there could be repercussions. You might see any of the following:
- A problem with your account that needs immediate action
- An accidental invoice or charge in your name, giving you a short window to refund it
- A once-in-a-lifetime offer that you need to claim before someone else does
- Some information that you need to update or confirm, particularly personal details like a social security number
The possibilities are endless. Whatever the reason, the hacker will make you regret your failure to respond immediately.
2. It Asks for Information That Organizations Don’t Ask For
There are some types of information that no company on this planet will ever ask for via email. If they need this information, they'll ask you to update it through official channels, such as their website. They will not, under any circumstances, request this information elsewhere:
- Your login credentials (email, password, etc.)
- Your name and date of birth
- Your address
- Your Social Security number or bank account number
- Any sensitive information that is valuable or risky to reveal
This is a clear sign of a phishing email. If you are concerned that it might be legitimate, then don't click on any links inside the body of the email. Enter the organization's URL by hand and then check your account settings there.
3. It Arrives from an Unusual Email Address
Since it would be very difficult for a hacker to spoof your organization's email, they have to use another. The biggest tell that you're looking at a phishing email is that it uses consumer domain names like Gmail or Yahoo.
Check the email address against your organization's email address. As long as the domain after the @ matches up, it's likely legitimate.
Pay close attention to misspellings or the absence (or inclusion) of one letter or character. "email@example.com" is not the same as "firstname.lastname@example.org".
4. It Includes Suspicious Links or Attachments
Links are risky because they can take you to dangerous websites. These websites can send malicious instructions to your computer without your input. You should never click on a suspicious link under any circumstances.
For starters, make sure the link is what it claims to be. If you hover your mouse over a hyperlink or normal link, the pop-up box will show the real link. If the links don't match, that's a big red flag.
Likewise, check the spelling. Some links can use special characters to make the link seem legitimate. Pay close attention to the top-level domain (the name before .com/.net/.gov).
Many email clients, like Outlook, will flag suspicious URLs. They may even scan it for you. If you really want to get to the bottom of things, then use a URL scanner.
A typical phishing method is to send a false password reset link. If a company asks you to reset your password at random, go directly to their site. Enter the URL by hand and see if you still need to change your password.
Under no circumstances should you download the attachment on a suspicious email. The attachment will contain malware that could infect your computer. As a general rule, only download attachments from trustworthy sources.
5. Poor Grammar and Incorrect Spelling
This is one of the most obvious tells. If an email seems to be lacking basic proofreading, don't touch it. It's a sign that a foreign hacker used a machine translator.
Further, grammar mistakes and incorrect spelling help an email to get past the filters. Companies use impeccable grammar in all official correspondence.
How to Handle and Prevent Phishing Emails
It doesn't take much education to identify a phishing email. But once you do, what do you do with it? Let's go over some cybersecurity tips for handling a phishing scam.
1. Report the Email to Your Email Provider and Security Admin
First things first, do not click on anything within the body of the email. Do not follow links or download attachments. Clicking on a link or attachment gives the hacker exactly what they want.
Report the phishing email to your email provider, such as Microsoft Outlook. This helps to improve the filters that sort out phishing emails. Once security officials confirm that this is a phishing email, they can prevent others from receiving it.
Reporting emails is important because only the best phishing emails make it past the filters. If you've received a phishing email, that means a skilled hacker has found out how to subvert firewalls and filters. Your report helps to make things safer for everyone.
Second, report the phishing email to your system's administrator. If a hacker is targeting your staff with spear phishing emails, your SOC team ought to be aware of it.
2. Educate Your Staff
Phishing attacks are so successful due to a lack of education. Many people don't think twice when encountering one, including your employees. Beat hackers to the punch by educating your workers.
Use real-world examples of successful phishing emails. Go step by step, pointing out all the red flags a phishing email contains. Teach employees how to react to a phishing email, and how to report it to the proper authorities.
Some organizations will send out test phishing emails. These emails look just like the real thing but serve to determine which employees have been paying attention. Employees that fail to pass the test then need some additional education.
3. Improve Your Security
There's no way to be 100% certain your employees will identify a phishing email. At the end of the day, one of them is bound to click on a malicious link or download a questionable attachment. It's best to prepare for the worst.
A great way to do this is with XDR (extended detection and response) security. XDR security goes beyond simple endpoint filtering and reactive cybersecurity services. Instead, XDR uses AI automation and a broad gamut of IT tools to stop threats at the source.
Breaches can take months to identify. An unwitting employee who has given their credentials to a hacker might not realize the damage they've done. XDR helps to recognize when a potential breach is in the words and mitigate any damage.
Hackers can fool filters because filters are on the lookout for the signs of previous, successful attacks. A sneaky phishing email can deliver a zero-day attack right to your doorstep if you're not careful. XDR helps to prevent this or remediate the damage at blistering speed.
Strengthen Your Organization's Defenses With XDR Security
Phishing is one of the greatest threats to companies the world over. A seemingly innocuous email that appears official can lead to the biggest breaches of our time. Fortunately, once you know the tells of a phishing email, they're easy to spot and report.
Phishing problems are only the beginning of the threats to your organization. Hackers have a wide variety of vulnerabilities at their disposal. The solution is a comprehensive, tailored security solution.
BitLyft has all you need in a single package. Build your own custom security solution today and keep your organization airtight.