While we may envision hackers sitting in dark rooms hovering over computers with lines of code scrolling down their screens, the portrait of modern hackers is much more sinister. In fact, today’s hackers and cyber attackers are much more akin to the con artist or snake oil salesman of old.
Instead of using technical skill to infiltrate complex computer networks, most attackers use good old-fashioned deception and trickery to acquire information and money from their unsuspecting victims.
Yet despite more awareness about phishing than ever before, phishing attacks have increased exponentially in recent years, with 92,000 phishing attempts every month, a reported 5,753% increase since 2004.
The truth is, cybercriminals are getting better at their craft. While it was once a fairly simple matter to identify phishing emails designed to part you with your money or personal information, it’s more difficult than ever to separate legitimate emails from fraudulent ones.
But there are ways to protect yourself and your business from being victimized. The key is education. Knowing what to look for makes it easier to unmask the marauders before you become their next victim. Here are some tips to help you identify phishing attacks and keep your money and your personal information out of the hands of cybercriminals.
Emails Containing Threats or Time-Sensitive Requests
Phishing emails often have an urgent or threatening tone to them, requiring you to click a link or open an attachment to avert a problem or avoid an account shutdown. Cybercriminals use threats or a sense of urgency to scare you into acting quickly, without thinking.
These emails may ask you to verify your account information, log in to your account, or fill out a form to correct an urgent problem.
Many of these emails look totally legitimate, complete with brand logos and links to legitimate companies. And thanks to the growing sophistication of hackers and the availability of data on the internet, many of these emails may also contain personal information, such as your name, email address, or even your password.
Any email that you receive that requires immediate action should send up a red flag. Don’t simply react. Take time to step back and evaluate the situation first.
Bad Grammar or Spelling Mistakes
While any email can contain a spelling error or two, most legitimate emails don’t contain gross writing errors.
Phishing emails are often sent from countries where English is not the primary language, so ‘bad English’ is usually a good sign that an email is spam, if not an outright phishing attack.
Here’s a great example of a phishing email that is difficult to read due to its poor grammar:
Note that hackers do seem to be grasping the English language more effectively these days. You may have to read more carefully to uncover missing words, awkward language, or other common mistakes.
Phishing emails may contain a generic greeting like Dear PayPal Customer or Dear Account Holder instead of your name.
While this is often the case, we still urge you to be suspicious, even if your name is in an email. Cybercriminals often find your name or other personal details on social media websites.
Suspicious Header Information
The header of every email you receive contains these fields:
Phishing emails often contain suspicious or obviously incorrect information in the From: header like this:
Keep in mind that some perpetrators also purchase domain names that look like the real ones. For example, they might register out1ook.com, which looks a lot like outlook.com. Be sure to look at the email address carefully to notice any discrepancies.
Fake or Suspicious Links
Never click ANY links in an email you suspect could be fraudulent. While the link text may look legitimate, the actual destination URL hidden underneath it is often something else entirely. To see where the link will really take you, simply hover over it with your mouse (being careful not to actually click on it).
You can see the hover technique demonstrated in the example below:
Further inspection of this email also revealed suspicious links in the boilerplate text toward the bottom of the email that, at first glance, appear legitimate.
In fact, the text looks almost identical to the text at the bottom of legitimate emails from Chase, as seen in the screenshot below.
Notice there are only slight differences between the fake email above and the text in the legitimate email below. Can you spot the differences?
It’s not uncommon these days to receive an email that announces an unexpected refund from the IRS or an account credit at Amazon.com. These emails appear legitimate because they often contain company or government logos and even valid contact information.
It’s easy to fall prey to these emails because they appear to be a simple correction for an oversight or error.
The real motive behind these emails, though, is to get you to click the link to claim your refund and log in to what appears to be the company’s official website. After you type your login information, the scammer can access your legitimate account or sell that information for profit.
That’s why it’s so important to scrutinize links in any email carefully, even if it appears to come from a legitimate source. If you are ever in doubt, contact the company directly or visit the company website without clicking any of the links in the email.
Shipping Notifications/Tracking Codes
A popular scam that often flies under the radar is fake shipping notifications. These emails are designed to trick you into clicking a tracking number in order to install malicious software on your computer or gain access to your login information via a fake website.
Users are especially vulnerable to these emails around the holidays, when they often ship a lot more packages. It’s also easy to fall for these scams when you are waiting for a package.
Be sure to scrutinize any shipping notifications carefully BEFORE you click anything.
Any Email that Asks for Personal Information
It’s important to recognize that no legitimate business or government agency will ever contact you via email to obtain sensitive information such as credit card numbers or passwords. Any email you receive that requests details like this should be deleted immediately.
Also be aware that attackers will often set up sites that look so similar to the real thing it can be almost impossible to tell the difference. In these instances, an attacker will send an email asking you to verify personal information by clicking a link that leads to the faked website.
The object is to capture your login information so they can use it on the real website to compromise your account or gain additional information that can be used for further manipulation or sold to others.
As a general practice, avoid clicking links in emails, even if they appear to come from legitimate companies.
If you do click a link, be sure to verify that the site you have reached is the legitimate site by checking the web address in the address bar. Be on the lookout for missing letters or substituted characters in the web address.
Better yet, type the real web address into your browser and visit the site that way instead.
Requests for Money/Wire Transfers/Sensitive Employee Data
One of the most disturbing new phishing trends targets companies and executives that frequently use wire transfers to send money to vendors overseas. Known as business email compromise or BEC, these schemes are designed to deceive corporate executives or employees into sending funds to fake contacts.
According to the FBI’s 2017 Internet Crime Report, there were over 15,000 victims of BEC crimes last year, costing companies over $676,000,000.
What makes many of these schemes so hard to spot is that they appear to originate from a legitimate email address, like the company CEO or accounting department. Many emails also employ informal language that may appear completely legitimate.
Take this email screenshot from a recent blog post on EDTS that appears to come from the company’s CFO:
Seeing an urgent message from the company CFO could understandably cause someone to act quickly, often without much thought, resulting in big losses for many businesses.
In order to avoid becoming a victim of BEC scams, it’s important to verify any request for money, wire transfers, or even employee W-2s with the person who allegedly sent the request. A 5-minute phone call could save your company thousands of dollars.
The FBI also advises:
- “Verify changes in vendor payment location and confirm requests for transfer of funds.
- Be wary of free, web-based e-mail accounts, which are more susceptible to being hacked.
- Be careful when posting financial and personal information to social media and company websites.
- Regarding wire transfer payments, be suspicious of requests for secrecy or pressure to take action quickly.
- Consider financial security procedures that include a two-step verification process for wire transfer payments.
- Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail but not exactly the same. For example, .co instead of .com.
- If possible, register all Internet domains that are slightly different than the actual company domain.
- Know the habits of your customers, including the reason, detail, and amount of payments. Beware of any significant changes.”
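Two of the points above, the out1ook.com look-alike from the header section and the FBI’s suggestion to flag addresses that differ slightly from the company domain (.co instead of .com), can be turned into one sender check. This is an added example, not part of the original post or the FBI guidance; outlook.com stands in for the protected company’s real domain, and the sample headers, the homoglyph table and the edit-distance threshold are assumptions.

```python
from email.utils import parseaddr

COMPANY_DOMAIN = "outlook.com"   # assumption: the organisation's real domain

# Digits attackers swap for visually similar letters (constructed, not exhaustive)
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def normalize(domain):
    """Lower-case, fold digit look-alikes, and fold the 'rn' -> 'm' trick."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def levenshtein(a, b):
    """Classic edit distance; small values mean 'one or two characters off'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, company=COMPANY_DOMAIN, max_distance=2):
    """Return 'internal', 'lookalike' or 'external' for a From: header value."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "external"
    if domain == company:
        return "internal"
    folded, real = normalize(domain), normalize(company)
    same_name = folded.split(".")[0] == real.split(".")[0]   # outlook.co vs outlook.com
    if folded == real or same_name or levenshtein(folded, real) <= max_distance:
        return "lookalike"
    return "external"


def flag_lookalikes(headers):
    """Filter a batch of From: headers down to the ones worth a phone call."""
    return [h for h in headers if classify_sender(h) == "lookalike"]


SAMPLE_HEADERS = [   # constructed examples
    "Accounting <payments@outlook.com>",
    "CFO <cfo@out1ook.com>",
    "CFO <cfo@outlook.co>",
    "Vendor <billing@vendor.example>",
]
```

A 'lookalike' verdict is a reason to verify by phone as the post advises, not proof of fraud: folding digits to letters will occasionally catch a legitimate domain that genuinely contains them.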
Quick Tips to Avoid Becoming a Victim
- Never click a link or open an attachment in an email if you are unsure of its source.
- Be suspicious of any email you receive that asks you to reveal or verify personal information such as account numbers, passwords, social security numbers, credit card numbers, etc. Reputable companies will not ask for this information via email.
- If you’re concerned about an email you received, call the company. Don’t use any phone numbers or other information from the email, though. Look up the company’s website or find their phone number on a recent statement or in other legitimate correspondence.
- Assume any offer that’s too good to be true actually is. Avoid falling victim to emails that promise a big return for very little work.
- Be especially suspicious of donation requests to charitable organizations after a recent disaster. Many of these are phishing emails designed to take advantage of your compassion to capture your credit card information. If you want to help, seek out legitimate charitable organizations and visit their websites directly.
- Use anti-virus and anti-spam software and keep your web browser, email program and operating system software up to date by installing recommended updates. If you’re a business owner, make sure your IT company is handling these updates for you on a regular basis.
- Change your account passwords regularly and log in to your accounts frequently to check for suspicious activity.
It’s clear that staying ahead of the bad guys is getting harder and harder every day. But being vigilant and taking the time to think before we act can help turn the tide in our favor and keep our valuable information and hard-earned money out of the hands of thieves and con artists.
Need help keeping your business safe from phishing and cyber-attacks? Is it time to evaluate the systems you have in place to protect your network and critical business data? Our expert team of IT consultants is ready to lend a hand!