Scary New Email Phishing Scams and How to Avoid Them
Email phishing scams are getting more sophisticated, using familiar sender names and other information to lower their targets’ defenses and make them more likely to become victims.
You probably already know that email phishing is the attempt to obtain sensitive data such as usernames, passwords, or financial information by emailing someone while pretending to be a coworker, relative, friend, or business associate. Previously in our In the Know blog, we’ve warned you about how email phishing can pose a serious risk to small businesses.
A dangerous new wave of email scams falls under a specific type of phishing called spear phishing, in which criminals target specific individuals in an attempt to win their confidence and obtain information they can use to steal money.
Cyber criminals love spear phishing attacks because they are easy and cost-effective—no need to set up a fake website or coordinate a large scale hacking event, just email an unsuspecting staff member, pretend to be someone else, and make a simple request. According to the Symantec Internet Security Threat Report, spear phishing is by far the most popular method of attack, used in 71% of cases.
Increasingly, these spear phishing attacks are gaining in sophistication and becoming more difficult to detect and guard against. It's important to remember that these attacks usually target a specific individual, and they very often seem real.
A cyber criminal will have done some homework to prepare for an attack, including reviewing the target company's website to get the name and title of both the target and the sender they plan to impersonate, as well as other information to help make the email seem more authentic.
Here are a few real-life attacks we’ve seen recently, and how we knew they were phishing:
The attack: An employee in the payroll department received an email from “Mike,” another employee, saying he wanted to change his direct deposit information.
The giveaway: While the phishing email had the full name of the employee correct, the “from” email was wrong, and the person signed the email “Michael” when the actual employee only goes by “Mike.”
The attack: An employee received an email that appeared to be from his boss asking, “Are you available for a quick task?” We’ve seen these before, and because they do not ask for or refer to any sensitive or financial information, people tend to engage with the sender, which then leads to the scam.
The giveaway: When the email recipient responded, he received strangely worded instructions to obtain 10 $100 iTunes gift cards. The scammer asked the employee to scratch off the silver portion to reveal the PINs and send a picture of all the codes. If the red flags weren’t up before, that sent them all the way up the pole. However, when the employee asked what client they were for, the scammer provided the name of an actual client of the company.
The attack: An employee received an email supposedly from her boss asking if she was available to make a wire transfer.
The giveaway: Again, bad grammar helped the user spot the scam—the sender told the recipient that he needed her to "take care of some payment today." He also gave a five-figure amount, which was another red flag, since the company typically does not handle money transfers that large by wire transfer.
How to Guard Against Spear Phishing Attacks
- Check the “from” email: When you receive an email that looks like it’s from a person you know, always check the email address next to the name of the sender to verify that it’s correct. Email addresses can sometimes be spoofed, so to double check, click “reply” to see what email appears in the “To” field. Do not actually reply to the email.
- Use your knowledge of the person: If you receive an email that looks like it’s from someone you know, check it carefully to see if it matches what you know about the person. Does the phrasing, tone, or language seem strange or uncharacteristic? Do they use a name, greeting, or sign-off other than the one you’re used to seeing? Do they have the right signature file or graphic at the end of the email?
- Check for misspellings and awkward phrasing: In the iTunes email scam above, the phisher wanted to “advise the quantity and domination to procure.” Uh, you mean “denomination”? As the conversation continued, the scammer stopped using any sort of punctuation or sentence spacing, just long strings of run-together phrases. Of course there’s always a chance your colleague doesn’t know how to spell or write, but it’s still worth checking—phishing emails are notorious for being poorly written.
- Be suspicious: The X-Files had it right: Trust no one. If you have the slightest suspicion about the origin of an email you receive, call the person independently to confirm that they sent it, and never do anything involving money, business operations, or revealing sensitive information without verifying, in person if possible, that the person who appears to be emailing you actually wants you to perform the requested task. So many spear phishing attacks could be foiled by simply popping your head into someone’s office and saying, “Hey, do you really want me to do this?”
- Conduct security training: Cyber criminals are always looking for new ways to defraud people, and it can be difficult to keep track of all the warning signs you should be looking for. In addition, working in a busy office naturally makes people more susceptible to scams, because when you’re focused on trying to get things done, you tend to let down your guard. Companies like KnowBe4 and Cofense (formerly PhishMe) can hold security awareness training for your employees and can even set up automated fake phishing emails you can send to employees to increase their security awareness.