Email is critical to an organization. Phishing gives cyber criminals a way to use email, under a disguise, to sneak past your defenses and steal business data.
There are only so many ways to break into a bank. You can march through the door. You can climb through a window. You can tunnel through the floor.
There is the service entrance, the employee entrance, and access on the roof.
Criminals who want to rob a bank will probably use an open route – such as a side door. It’s easier than breaking down a wall.
Cyber criminals who want to break into your computer network face a similar challenge. They need to enter. They can look for a weakness in your network – maybe a vulnerability in your server – but it’s easier for them to use an open route. Email is one of their favorites.
Email is a door into your computer network. Data passes through it every day. If criminals want to break in, some will throw on a disguise and try to sneak by.
By pretending to be someone else, such as someone you respect, they will try to earn enough of your trust to steal from you.
This is called phishing.
What Is Phishing?
Phishing is the practice of pretending to be a trusted entity with the goal of stealing someone’s information.
The most common type is email phishing, and that is the focus of this report.
Email phishing works like this:
- A criminal sends an email to a potential victim. The email appears to come from a trusted sender – such as a bank or one of the victim’s contacts.
- The email urges the person to download an attachment, click a link, or reply to the message with sensitive information.
- The person either disregards the email or takes the action requested by the sender. If the action is taken, then the person is one step closer to becoming a victim.
Many phishing emails are the beginning of a larger attack, such as the theft of a customer database. For example, by successfully phishing a victim’s administrative credentials, an attacker may identify several servers and databases on the network, breach them, and export the data.
Note: This report defines phishing emails as a sub-type of malicious email that is designed to extract information from a target. Other reports use a broader definition that includes other types of malicious email, such as messages that infect victims.
Since these types do not have extracting information from users as their primary goal, we consider them outside the scope of this report. However, many of the suggestions we provide apply to all types of malicious email.
Small Businesses Are A Phishing Pond
Data breaches at huge corporations make great headlines, but they obscure an important fact: small and medium businesses (SMBs) are major targets for spear phishing attacks.
Spear phishing is nearly identical to standard email phishing – except it is more targeted. Rather than sending the same message to millions of addresses, the attackers focus on a specific person or group.
Targets of spear phishing can be as broad as “all accountants at businesses with 100 or fewer employees” or as narrow as “Jennifer Johnson, the CPA at Acme Inc.” By researching the target and tailoring their emails and tactics, the attackers greatly improve their success rate. (More about spear phishing in the next section.)
The proportion of spear phishing attacks against SMBs has grown steadily with about 55.9 percent of all spear phishing attacks targeting companies with fewer than 250 employees, according to the chart below from the Symantec 2019 Internet Security Threat Report (ISTR) [https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-2019-en.pdf].
For example, according to the Symantec report, in 2018, employees of small organizations were more likely to be hit by email threats – including spam, phishing, and email malware – than those in large organizations.
In addition, as attackers refocused on using malicious email attachments as a primary infection vector, the use of malicious URLs in emails has continued to increase.
To compound things further, Microsoft Office users have become the most at risk of falling victim to email-based malware, with Office files accounting for 48 percent of malicious email attachments.
Small businesses may not make headlines when they are hit by a phishing attack, but the results can be devastating nonetheless. Data theft, financial loss, and tarnished reputations are just the beginning of a long road that victims can be forced to march.
Phishing And Email Security Tips
1. Stop and think
Email is one of the most common ways for a cyber attack to begin. Do not open your emails on autopilot. Stay aware.
Three actions that can get you in trouble with a phishing email:
- Clicking on it – Clicking on links or images in a phishing email will take you to a website that will either try to force malware onto your computer or try to trick you into sharing important information (like passwords). Always be careful before you click.
- Downloading the attachment – Attackers often send malware as an email attachment. It might look like a harmless file, such as a Microsoft Word or Excel document, but it is dangerous. Do not click these files. If you accidentally download one, delete it immediately.
- Responding – Some phishing emails will ask you to respond by calling a phone number or by replying to the email. Do not respond to suspicious emails. If you want to reach the alleged sender, then manually type the company’s web address into a browser. Do not click a link in the email.
If your suspicions are raised even slightly, do not open or click the email. Forward it to your IT expert or a phishing alerting system.
2. Inspect links before clicking
In emails, hover your mouse over links before clicking them. This will show the destination URL. Does the address make sense for the link?
For example, if the email is from UPS, does the link show a UPS address? Or is it for another website? If the destination URL does not match your expectations, then do not click the link.
3. Never send private information via email
Legitimate companies will never ask you to send passwords, credit card numbers, social security numbers, or any other important information via email. Any emails that request this information should be considered highly suspicious.
4. Judge the email’s content
Be very suspicious of any email that includes the following:
- Poor spelling – Some attackers are from overseas and their grasp of the English language is not perfect. Look for misspelled words and incorrect grammar.
- Threats – People who are under pressure do not make good decisions. Attackers know this and will threaten to close your account, charge you a fine, or take something from you. These are threats, and any email that threatens you is suspicious.
- Urgency – Similar to threats, this tactic is designed to make you feel pressured into acting before you have a chance to think. Messages that demand an immediate response are suspicious. For any email that demands an immediate action, take a deep breath and ask yourself – is this a scam?
- Unsolicited – A seemingly random email from a business with which you have no recent dealings is suspicious. For example, if you receive an invoice for an order, even one from a familiar vendor, be very suspicious if you cannot remember the reason it was sent.
- Attachments – Never open attachments from senders you do not recognize. Also do not open attachments that you were not expecting, even if they arrive from addresses you recognize.
- Common themes – Attackers have thousands of tricks. A common approach is to ask you to reset, update, or confirm account information. Never click an email that asks you to supply account details. If you think it might be legitimate, then contact the sender directly via telephone or by typing the company’s URL directly into your browser.
Also consider using plain text to view all of your emails. This makes it harder for the attackers to hide content and will reveal the true destination URL for all links in the message.
Remember: clicking is the number-one way to get into trouble. If you are unsure or suspicious, then never click on the email or attachment.
5. Judge the webpage
Some phishing emails will lead to a spoofed webpage, i.e. one that has been made to look legitimate but is actually controlled by the attacker. These pages typically try to get you to enter information – such as passwords or banking info. They may also try to infect you with malware.
6. Judge the URL
This applies to both email addresses and webpage addresses. Attackers will try to fake legitimate web addresses by disguising their own.
If you see any of the following, be very suspicious:
- Similar characters – Some addresses will look almost like the real address, but not quite. For example, www.google.com might be faked as www.goog1e.com.
- Subdomains – When you look at an address, always read it all the way through, from left to right. The last domain in the address is the true domain. Anything that comes before it is irrelevant. For example, www.paypal.totallysafesite[.]net and www.paypal.jkiuoiondfa.889zxx0.totallysafesite[.]net have nothing to do with PayPal. Instead, they are from totallysafesite[.]net. The site owner just created a subdomain called “paypal”, which any site owner can do.
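The checks in tip 2 (does the hovered link match the sender?) and tip 6 (lookalike characters, brand names buried in a subdomain) can be automated for a helpdesk or mail-filter rule. The following is an added example, not code from the original report or from Tech Prognosis; the brand-to-domain allowlist is a constructed assumption, and the domain parser is deliberately simplified (it takes the rightmost two labels, which is wrong for suffixes such as .co.uk that need the Public Suffix List). It also flags plain-http destinations, which the certificate tip below covers.

```python
from urllib.parse import urlsplit

# Constructed allowlist of brands and their genuine domains (an assumption for
# this example; a real deployment would maintain its own list).
BRAND_DOMAINS = {"paypal": "paypal.com", "google": "google.com", "ups": "ups.com"}

# Digits that attackers swap in for visually similar letters (goog1e, paypa1).
LOOKALIKE = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host):
    """Return the rightmost two labels of a hostname, e.g.
    'www.paypal.x.totallysafesite.net' -> 'totallysafesite.net'.
    Simplification: assumes a one-label public suffix such as .com or .net."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url, expected_brand):
    """Compare a link destination against the brand the email claims to be from.
    Accepts defanged URLs written with '[.]' as in the tips above.
    Returns a list of findings; an empty list means the link matches the brand."""
    findings = []
    parts = urlsplit(url.replace("[.]", "."))
    host = (parts.hostname or "").lower()
    genuine = BRAND_DOMAINS[expected_brand]
    actual = registrable_domain(host)
    labels = host.split(".")
    if actual != genuine:
        if actual.translate(LOOKALIKE) == genuine:
            # Tip 6, "similar characters": goog1e.com imitates google.com
            findings.append(f"lookalike domain: {actual} imitates {genuine}")
        elif any(expected_brand in label for label in labels[:-2]):
            # Tip 6, "subdomains": the brand appears left of the true domain
            findings.append(f"brand used as subdomain of {actual}")
        else:
            # Tip 2: destination simply does not belong to the expected sender
            findings.append(f"domain {actual} does not belong to {genuine}")
    if parts.scheme != "https":
        findings.append("not https")
    return findings


if __name__ == "__main__":
    for link, brand in [("https://www.ups.com/track?id=1", "ups"),
                        ("http://www.goog1e.com/login", "google"),
                        ("https://www.paypal.jkiuoiondfa.889zxx0.totallysafesite[.]net/", "paypal")]:
        print(link, "->", check_link(link, brand) or "looks consistent")
```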
How To Spot Phishing Webpages
Here are some ways to spot phishing webpages. If you land on one, close your browser immediately and alert the IT administrator, if your organization has one.
- Pop-ups – Never enter information into a pop-up screen, even one from a legitimate website. Some attackers compromise honest websites and inject a pop-up form to steal information from visitors.
- Overlays – On some webpages, the attackers will block the web address by putting an image over the address bar. If something does not look right about the address bar, or if you see an image load over it, do not proceed.
- Poor spelling – As mentioned above, some attackers are not fluent in English and will make spelling mistakes in a page’s content. Although less common than in the past, this remains a dead giveaway.
- Check the certificate – Websites that ask you for important information – such as banking credentials and personal info – should be secure (i.e. encrypted). Check the browser bar for the green padlock icon, and check that the web address starts with “https” instead of “http”. If you are suspicious, also click on the green padlock icon in the browser bar. One or two more clicks will reveal the site’s encryption certificate, which you can confirm is real.
In all cases – whether for an email, website, or link – use your instincts. If something does not feel right, then do not click or respond. It’s better to be safe than sorry.
How Tech Prognosis Can Help
We can help make your computer network tough on hackers while improving employee productivity.
Small businesses and organizations who want a safer, faster computer network choose our Unified Threat Management firewall.
This allows them to:
- Stop spam, spyware, and hackers automatically.
- Fix bandwidth problems.
- Block websites that distract employees.
- Rest easy knowing that their computer network is fast and secure.
If you need help securing your computer network against phishing attacks in Round Rock and surrounding cities, contact us today at (512) 814-8044 or use this form to request a complimentary computer network assessment.