How Your Business Can Avoid Phishing Email Scams
October 6, 2017
The Department of Homeland Security (DHS) recognizes October as National Cybersecurity Awareness Month (NCSAM). Now in its 14th year, this month is designed to engage and educate businesses and consumers through events and initiatives to raise awareness about the importance of cybersecurity, provide them with tools and resources needed to stay safe online, and increase everyone’s cyber resilience. Herjavec Group is proud to be a NCSAM Champion!
One of the most common ways hackers get access to a company’s network is via phishing email scams. In fact, the 2017 Phishing Trends & Intelligence Report states that there has been an increase of 33% in phishing emails across the five most-targeted industries: financial institutions, cloud storage/file hosting services, webmail/online industries, payment services, and e-commerce companies. According to the FBI, these malicious emails have cost businesses upwards of $2.3 billion between October 2013 and February 2016.
Due to their simplicity of use and high success rate, email scams are a popular method that hackers use to deliver malware through infected attachments or to extract sensitive account login information (e.g. social media logins, bank account logins, etc.) through link clicks. Hackers are getting increasingly good at recognizing which organizations are more likely to fall for phishing scams. Phishing emails that propagate ransomware are highly focused on industries that are more likely to pay ransoms, such as healthcare, government, critical infrastructure, education, and small businesses (2017 Phishing Trends & Intelligence Report).
There are three types of phishing emails commonly used: mass-scale phishing, spear phishing, and whaling. In mass-scale phishing emails, hackers target anyone and everyone as the goal is to cast a wide net to get access to any sensitive data they can. Spear phishing emails, on the other hand, are personalized with the victim’s name or account username and therefore, they target specific individuals. Whaling emails are a specialized form of spear phishing that specifically targets executives within a company or other high-level employees.
As with ransomware, phishing scams are evolving too. Since more users are turning to social media for customer service support from bigger brands and banking corporations, hackers are exploiting these platforms to target users in a process known as angler phishing. In this scam, hackers set up fake social media profiles that mimic those of a brand’s customer support page using the same logo, branding, and style. When a user mistakenly leaves a comment or suggestion on a fake page, hackers provide them with a link to a phishing site and ask them to provide their login information to escalate the matter. If users follow their instructions, hackers now have access to their login information.
How To Spot A Phishing Email
An easy way to stop being exploited by phishing emails is to educate yourself and your employees on how to spot phishing emails. There are several common tricks hackers employ in these emails that should be examined closely, such as:
- Sender’s email address: Watch out for email addresses that you don’t recognize, even if you recognize the sender’s name.
- “Reply to:” email address: Beware when this address differs from the sender’s address.
- Links: Always hover over a link to check that the actual destination matches the address shown in the link text. If you don’t recognize the link destination, don’t click!
- Watch out for poor grammar and punctuation in the email body.
- Phishing emails often urge you to take action immediately to avoid grave consequences.
- Proceed with caution if you are asked to provide account information or log in to a fake site that is designed to mimic a real site.
- Be wary when there are attachments in an email that you must download to view very important information.
- Attachments: as a general rule, never open any attachment from email addresses you don’t recognize or companies you’re unfamiliar with.
The best way to mitigate the risks associated with phishing scams is to educate and train your employees on how to spot malicious emails. Some easy ways businesses can prevent falling victim to these scams are:
- Network administrators should block all attachments from being downloaded onto corporate devices.
- Whitelist acceptable file extensions as this list will be smaller and easier to manage.
- Beware of being emotionally exploited: hackers take advantage of people's goodwill after natural disasters or terror attacks and use phishing emails to ask for ‘donations’ to fake relief funds.
- Encourage employees to take part in the National Cyber Security Awareness Month, held during the month of October, and participate in discussions on how to be cyber aware online.
- Conduct random internal phishing tests for your employees to test how likely they are to fall for phishing scams.
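The checklist in "How To Spot A Phishing Email" and the extension allowlist in the list above are the kind of rules a mail gateway or triage script can apply mechanically before a message reaches a person. The following is an added example, not code from the original post or from Herjavec Group: it parses a raw message with Python's standard library and reports the indicators it finds (sender domain not on a known list, a Reply-To that differs from From, link text that shows one host while the href goes to another, urgency phrases, and attachments whose final extension is not on an allowlist). The `KNOWN_DOMAINS` and `ALLOWED_EXTENSIONS` sets, the urgency phrases and the two sample messages are all constructed assumptions for this example.

```python
"""Check a raw email message against the phishing indicators in the checklist.
Added example, not code from the original post or from Herjavec Group; standard
library only, with constructed allowlists and sample messages."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy (constructed): allowed attachment extensions; anything else is flagged.
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "pptx", "png", "jpg", "txt"}
# Assumed sender domains the organisation already knows (constructed).
KNOWN_DOMAINS = {"example-corp.com", "example-bank.com"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended")
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def domain_of(header_value):
    """Lower-cased domain of an address header such as From or Reply-To, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bare_host(host):
    """Drop a leading 'www.' so display text and href compare on the same footing."""
    return host[4:] if host.startswith("www.") else host

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse(raw_message):
    """Return a list of (indicator, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])
    if from_domain and from_domain not in KNOWN_DOMAINS:
        findings.append(("unknown-sender-domain", from_domain))
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"{from_domain} -> {reply_domain}"))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for href, shown in collector.links:
            match = HOST_RE.search(shown)  # visible text that looks like a host name
            if match:
                shown_host = bare_host(match.group(1).lower())
                real_host = bare_host((urlparse(href).hostname or "").lower())
                if shown_host != real_host:
                    findings.append(("link-text-mismatch", f"{shown_host} -> {real_host}"))
    hits = [p for p in URGENCY_PHRASES if p in text.lower()]
    if hits:
        findings.append(("urgency-language", ", ".join(hits)))
    # Attachments are judged by the final extension, so "Statement.pdf.exe" is "exe".
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rpartition(".")[2].lower() if "." in name else ""
        if ext not in ALLOWED_EXTENSIONS:
            findings.append(("disallowed-attachment", name))
    return findings

# Constructed sample messages; the .test domains are reserved and never resolve.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@example-bank-verify.test>
Reply-To: collector@mailbox-relay.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended unless you act immediately. Sign in at
<a href="http://login.example-bank-verify.test/x">www.example-bank.com</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Statement.pdf.exe"

placeholder-bytes
--b1--
"""
SAMPLE_LEGIT = """\
From: payroll@example-corp.com
Content-Type: text/plain; charset="utf-8"

The usual monthly statement will follow by internal mail. Regards, Payroll
"""
```

`analyse(SAMPLE_PHISH)` returns five findings, one per indicator, while `analyse(SAMPLE_LEGIT)` returns none. Judging an attachment by its last extension is what puts a double extension such as `Statement.pdf.exe` on the wrong side of the allowlist, and an allowlist stays short no matter how many new file types attackers try. The heuristics are deliberately simple: they are meant to route a message for review or quarantine, not to replace the employee training the post recommends.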
To learn more about Herjavec Group’s Social Engineering Assessment services, please connect with a security specialist today.
Herjavec Group is proud to be a NCSAM Champion and we want to know: what steps are you taking to make sure you stay cyber safe?
Join in the discussion by using #cyberaware to engage with us on social media!