The vast majority of cyber-attacks start with either a phishing email or some other form of social engineering attack.
You might think you know the initial “tell-tale” signs of phishing emails and what to look for if a suspicious email lands in your inbox:
- Poor spelling
- Incomplete or incorrect logos
- Links with long URL addresses
- Asking for personal and/or sensitive information
But that’s only part of a much bigger and rapidly changing picture. Attackers prey on our basic instincts. This includes greed, where monetary incentives are offered, or our desire to help others: “Would you like to contribute to the latest natural disaster recovery programme? Please complete the attached donation form” or “I’ve been having issues fixing the network and I need to reset all accounts. Please provide your username and password”.
So if an email doesn’t have any of these then it can’t be a phishing email, right? Wrong!
Recently a friend forwarded me an email and asked: “Is this a phishing email?” Another friend copied into the email said categorically that it wasn’t, because the link contained in the original email worked when clicked. Oops…
Attackers have wised up to these “tell-tale” signs and phishing emails are becoming increasingly hard to spot. The spelling is perfect, the logos look great, the URLs (if you see them at all) look fine, and if you click on the link, which you shouldn’t, the chances are it will work.
Firewalls, filtering software and ‘anti-phishing services’ used to prevent these emails arriving in our inboxes sadly won’t stop every single one; some will slip through, and if we can’t spot them we are putting our employers, their clients and our own information at risk.
The result of a successful attack can be wide-ranging and sometimes catastrophic: losing client information, identity theft, fraud, and the targeting and loss of your organization's commercially sensitive information or IP.
Organizations are seeking ways to test employees’ awareness of phishing emails. This is sometimes achieved by sending a ‘spoof’ phishing email to their users and seeing who’s taken in by it and clicks the links. This approach clearly has merit; it’s easy, for example, to measure progress when the exercise is later repeated. But one of the major drawbacks is that users become accustomed to looking for emails similar to the one in the test. This can result in them missing other types of phishing emails, leaving the company open to attack. It’s better to build awareness about the various types of phishing emails and educate your employees to remain vigilant.
One effective technique is similar to that developed as part of the RESILIA® Awareness learning portfolio. It’s a game that allows people to play the part of an attacker who, to be successful, is tasked with creating phishing emails that look personalised and convincing. Such an approach helps create awareness about what attackers look for, where the weak points are and how to stop them.
How to spot a phishing email
Here are a few ways you can spot phishing emails now:
- Your great, great long-lost Aunt who you never knew about probably didn’t leave you £10m in inheritance. If it seems too good to be true then it probably is.
- If a bank is asking you to verify or share account details then be aware:
  - No bank will ever ask you to verify or pass on any account information online via email or over the phone.
  - And of course, if you don’t bank with that particular bank then it’s more than likely a phishing email!
- If an organization that you have an account with is asking you to verify information, call them on a legitimate number to check whether they sent the email. Don’t use the number contained in the email.
- If you receive something unexpected which includes a link, don’t click the link or open any attachments.
What to do if you receive a phishing email
Once educated on how to spot phishing emails, users need to be provided with an easy and fast way to report them. Often within organizations, reporting takes the form of emailing IT security, but this assumes the user can or will be able to find the address. An alternative that many organizations are using is a simple “report it” button in their email application, to be clicked when a suspicious email is identified. This removes the email from the user’s mailbox and passes it to the security team, where it can be analyzed safely.
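As an added illustration (not code from the original post or from AXELOS) of the kind of first-pass triage a security team might run over a message that arrives through a “report it” button, the Python below checks a reported email against the indicators listed in this post: long URLs, requests for credentials, a sender or link domain that is not one of the organizations the user actually holds accounts with, and a phone number embedded in the email. The sample messages, domains, phone number and thresholds are all constructed assumptions. The second, clean sample returns no findings, which is exactly the post’s point: an email that passes these simple checks is not thereby safe.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a reported message; every address, domain and number
# in it is a placeholder, not a real sender or site.
SAMPLE_EML = """\
From: "Example Bank Security" <alerts@examplebank-verify.test>
To: employee@corp.test
Subject: Urgent: verify your account details
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer,</p>
<p>Please <a href="http://login.examplebank-verify.test/session/0a1b2c3d4e5f6789abcdef0123456789abcdef/confirm/account/details">verify your account</a>
by entering your username and password.</p>
<p>Or call us on 0800 000 0000.</p>
</body></html>
"""

# Constructed message that shows none of the simple signs (still not proof of safety).
CLEAN_EML = """\
From: "Example Bank" <statements@examplebank.test>
To: employee@corp.test
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your monthly statement is available at
<a href="https://www.examplebank.test/statements">our site</a>.</p></body></html>
"""

# Thresholds and word list are assumptions drawn from the post's checklists.
LONG_URL = 80
CREDENTIAL_WORDS = ("password", "username", "account number", "verify your account")
# Assumption: the organizations this user actually holds accounts with.
TRUSTED_DOMAINS = {"examplebank.test", "corp.test"}


class _LinkAndText(HTMLParser):
    """Collects href targets and visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self.text.append(data)


def _body_parts(msg):
    """Return (hrefs, visible text) gathered from every text/* part."""
    hrefs, text = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        content = part.get_content()
        if ctype == "text/html":
            parser = _LinkAndText()
            parser.feed(content)
            hrefs.extend(parser.hrefs)
            text.append(" ".join(parser.text))
        else:
            text.append(content)
            hrefs.extend(re.findall(r"https?://\S+", content))
    return hrefs, " ".join(text)


def _is_trusted(host, trusted):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Map each indicator that fired to its evidence. An empty result means
    none of these simple signs appeared, not that the email is safe."""
    msg = message_from_string(raw_message, policy=policy.default)
    hrefs, text = _body_parts(msg)
    lower = " ".join(text.split()).lower()
    findings = {}

    long_links = [h for h in hrefs if len(h) > LONG_URL]
    if long_links:
        findings["long-url"] = long_links

    asked = [w for w in CREDENTIAL_WORDS if w in lower]
    if asked:
        findings["asks-for-credentials"] = asked

    from_header = msg["From"]
    sender_domain = ""
    if from_header is not None and from_header.addresses:
        sender_domain = from_header.addresses[0].domain.lower()
    if sender_domain and not _is_trusted(sender_domain, trusted_domains):
        findings["sender-not-trusted"] = sender_domain

    hosts = sorted({urlparse(h).hostname for h in hrefs if urlparse(h).hostname})
    bad_hosts = [h for h in hosts if not _is_trusted(h, trusted_domains)]
    if bad_hosts:
        findings["link-not-trusted"] = bad_hosts

    # The post's advice is to call a number you already know, never the one in the email.
    phones = re.findall(r"\b0\d{3}\s?\d{3}\s?\d{4}\b", text)
    if phones:
        findings["phone-in-email"] = phones
    return findings


if __name__ == "__main__":
    print("reported message:", triage(SAMPLE_EML))
    print("clean message:", triage(CLEAN_EML))
```

The trusted-domain list is the automated form of the post’s “if you don’t bank with that particular bank” rule; in practice it would come from the organization’s own inventory rather than a hard-coded set, and a message with no findings still goes to a human analyst.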
People play a vital part in preventing a phishing email from wreaking havoc. Awareness of what phishing emails look like and what they can do to an organization or an individual, combined with a reporting system, is the approach organizations need to take.
In the simplest of terms, if you believe you have received a phishing email or, as I was, have been sent one by a friend, whether at work or at home, do not forward it to other people. Simply delete it or, if at work, report it.
For more information on AXELOS' cyber resilience best practice, please see our RESILIA™ section.
Do you have any tips on how to avoid falling prey to phishing scams? Please share your thoughts in the comments box below.
More AXELOS Blog Posts by Mark Logsdon
Hands up who doesn't understand cyber risk?
Building cyber education for all
The War on Cyber: Protecting Ourselves Against Weaponization
Cyber resilience: protecting the network or the data?
The perils of cyber-attack – and the new solution
Have you heard the one about the three judges...? A Cyber story to be aware of
Preventing cyber attacks - it's a people thing as much as IT