By Ronnie Mize, Chief Security Officer, Etech
Phishing attacks can be compared to actual fishing. The scammer creates an email that includes an enticement, essentially baiting the hook. The next step is to send the email out to thousands of individuals, casting the line. Finally, they wait for an unsuspecting person to take the bait and reel them in, attempting to collect some form of protected information or possibly even payment. This modus operandi has been around for a long time because it continues to prove highly successful for the malicious actor. Prior to computers, phishing scams were accomplished through phone calls, direct mail, or even face-to-face contact. Over the last couple of decades, however, digital scams have allowed a much wider net to be cast with improved anonymity, which means the criminals are harder to catch. Therefore, it falls on the end user to be vigilant regarding their online activity and email usage.
Many internet users in both business and home settings overestimate the ability of their security software to block malicious actors. While it is true that internet security tools can minimize the risk of phishing attacks, they cannot account for human error, which is precisely what scammers try to exploit. To limit your exposure to these scams, follow these six simple tips to spot and avoid attacks.
1. Always Be Cautious of Embedded Links
While there are many signs of a potential email scam, message links may be one of the most prominent. Many fraudulent emails contain numerous links within the body of the message, attempting to entice readers to click at least one. Clicking usually redirects you to a malicious site or simply downloads malware that compromises the computer and sets it up for further attack.
- Mismatched URLs
Phishing emails will often have mismatched URLs, meaning that the web address spelled out in the text does not match the URL that appears when you hover your cursor over it. If you notice that the target address is different from the stated address, do not trust the message.
There may be times when the URLs in the email match the stated links, but when you click on the link you are redirected through other addresses and sites. If you are redirected to a strange website, there is a good chance that the email was a scam, and you should scan your system for potential viruses immediately.
2. Be Wary of “Suspicious Activity” Emails
A common phishing tactic is to claim that there has been suspicious activity or unauthorized changes to one of your accounts. Clicking on the provided link may even take you to a site that looks completely legitimate. This is a major tactic for tricking you into entering your credentials. The malicious actor can then seize control of your account and gain access to whatever information and/or funds are available, and may use the same credentials to get into other accounts and systems you have access to. Don’t be tempted to click on links or to read or open attachments from these emails; instead, flag questionable emails and let your cybersecurity team worry about the details. Never click on an embedded link to enter your credentials. Exit the email and go to the site through the proper URL.
3. Be Leery of “Urgency to Act” Claims
While winning a million dollars or inheriting some foreign prince’s estate would be a dream come true for many people, the odds are not in your favor. You have a better chance of being hit by lightning each day for the next two weeks. Many scams try to entice recipients with promises of lavish prizes and trips, but they usually attach a ridiculous time constraint to force you into irrational decisions. Don’t think this scam still works? Recently, there have been reports of scammers approaching people in bank parking lots as they arrive and convincing them to withdraw large sums of cash on the promise of exponential returns. Of course, the malicious actors disappear with the cash, never to be seen or heard from by that person again. If someone falls for the scam face to face under those circumstances, think how easy it is to cast a wide net over the internet and get a nibble.
4. Don’t Fret Over “Severe Consequences”
Similar to the suspicious activity phishing attack, many scammers take an even blunter approach by demanding action under the threat of lawsuits or arrest. The IRS has recently warned of phishing attempts that threatened huge fines. These scams are coercive and despicable. Take solace in knowing that there is no truth to them. The IRS does not communicate this type of information through email or phone calls; if you are being audited or owe money, the IRS will send you a letter via the U.S. Postal Service. These attacks prey on an individual’s fear of jail time or huge fines. Do not give the scammers the satisfaction of falling for them.
5. Watch for Grammatical Errors
Another common feature of fraudulent emails is grammatical errors. These aren't typical typos; they are usually glaringly apparent syntax errors, meaning that words are arranged in strange ways. Many scammers are not native English speakers and may struggle to recognize syntax mistakes, whereas most reputable companies have proofreading teams capable of catching spelling and grammar errors. Therefore, emails plagued with bad grammar should be treated with the same suspicion.
6. Don’t Underestimate Minimalism
Phishing does not have to consist of a complex, persuasive strategy. Some offenders try to scam unsuspecting individuals by posing as friends or colleagues, sending an innocuous email with a blank body and a single attachment. These types of emails should be immediately discarded unless you are acutely aware of the sender and their intentions. Email addresses can be spoofed to appear to come from a friend or coworker when they are actually coming from someone attempting to exploit you or hack your system. One way to check is to click “Reply” and see whether the reply address is in fact that of the person who supposedly sent the email.
Individual awareness is the most powerful tool in the cybersecurity arsenal. The digital world is difficult to regulate, and so perpetrators continue to scam with little consequence. The skills of computer-savvy criminals evolve at a rate equal to or higher than that of security systems and designs. Therefore, the responsibility for protection still rests significantly on the end user. While phishing may not be the most sophisticated attack, it works because cyber criminals play on the fears and emotions of the unsuspecting user. While not a cybersecurity firm, Etech is dedicated to helping you understand your technological needs and presenting you with solutions. Cybersecurity is an essential aspect of your business, and understanding the role of technology in your organization is a tremendous step toward a secure workplace.