Wombat Security Technologies recently released their “State of the Phish 2018” report. This report found that 76% of companies surveyed experienced phishing attacks in 2017.
Phishing is an attempt to gather sensitive information, such as usernames and passwords, credit card information, social security numbers, etc., and use it for malicious purposes. These attempts are often made via email, over the phone, through messenger applications or on social media.
The term “phishing” came about to describe the “bait and switch” style that phishing attacks emulate. They bait you with something that looks legitimate, such as an email from a friend or an alert from a trusted organization, and then switch out the link with a malicious one, funneling you into the phisher’s “net.”
The “Nigerian Prince” used to be the classic example of a phishing attack – you know the story. But phishing schemes have evolved significantly over the last 20 years. Webroot says there were 1.385 million new, unique phishing sites created each month in 2017, with a high of 2.3 million sites created in May. These sites are used to mimic popular websites that people trust, such as social media platforms, bank websites, universities, and popular applications.
The target of the phishing attack receives an email that looks legitimate, mimicking the design, language and structure of typical emails from the copied organization. The link within the email then takes the target to the dummy site that also mimics the organization’s design in an attempt to gather login information to the legitimate portal.
For example, if you received an alert from your bank saying there was suspicious activity on your account and offering you a quick-access link to log in and check it out, the link would take you to a site that looks exactly like your bank’s login screen. Except that when you log in, you will be sent to a refreshed screen instead of your account, and your login information will have been compromised.
Here are some things to look for in your messages to help recognize a phishing email before you click on an infected link.
- Substituted or extra characters
Check the sender’s domain name – it may contain substituted or extra characters. For example, a capital “I” may be changed to a one (1), or an extra letter added, changing yoursite.com to yourrsite.com.
- Email messages from convincing sources
Be wary of email messages that appear to come from a source such as Microsoft claiming your password needs to be updated.
- Fake URLs
Hover over links to verify that the URLs are legitimate.
- Email messages from your CEO
If your CEO emails a request for confidential information, such as copies of W2s or requests a financial transaction be initiated, always verify by phone or in person.
- Unencrypted emails
Remember that email is not secure unless the email is encrypted.
- Email messages regarding your bank or credit card
If you receive a message from your bank or credit card company about money or credentials, call them or log in to the website directly instead.
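The “substituted or extra characters” check above can be automated for a mail filter or awareness tool. The following is an added example, not code from the original post: it folds common look-alike characters (a capital “I” or the digit 1 standing in for a lowercase “l”, 0 for o) and flags sender domains within one inserted or changed letter of a trusted domain. The trusted-domain list, the homoglyph table and the sample addresses are constructed for illustration.

```python
"""Flag sender domains that imitate a trusted domain with substituted or
extra characters.  Added example; trusted domains and homoglyph table are
assumed values, not part of the original post."""

# Look-alike characters commonly swapped into phishing domains (assumed
# mapping; extend as needed).  Applied before case folding so that a
# capital "I" posing as a lowercase "l" is caught.
HOMOGLYPHS = {"1": "l", "I": "l", "0": "o", "rn": "m", "vv": "w"}

# Constructed list of domains this organization trusts.
TRUSTED_DOMAINS = {"yoursite.com", "examplebank.com"}


def normalize(domain: str) -> str:
    """Fold look-alike characters to their plain form, then lower-case."""
    d = domain.strip()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one insertion, deletion or substitution per step."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Alerts <it@yourrsite.com>' or 'it@yourrsite.com'."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">").strip()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain."""
    raw = sender_domain(address)
    lowered = raw.lower()
    if lowered in trusted:
        return "trusted"
    for good in trusted:
        # Homoglyph swap (I/1 for l, 0 for o) or one extra/changed letter.
        if normalize(raw) == good or edit_distance(lowered, good) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for addr in ["alerts@yoursite.com", "Alerts <it@yourrsite.com>",
                 "security@exampIebank.com", "friend@mail.example"]:
        print(f"{addr:35} -> {classify_sender(addr)}")
```

A "lookalike" verdict is a prompt to verify by phone or by visiting the site directly, not proof of phishing: legitimate domains one letter apart do exist.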
Some other tactics to look out for:
- You may receive a fake LinkedIn request. Go directly to your LinkedIn account instead of clicking the link.
- If a phisher gains access to your Outlook, a common tactic is for them to create a rule that forwards your email messages to an email account they created so they learn your contacts and writing style. Check your rules!
If you suspect you have been the victim of a phishing attack, the first thing you should do is contact your IT support team immediately. Other important courses of action include changing your passwords, running a security scan on your device, and monitoring your computer for slowness or abnormal behavior.
If you have questions about your company’s security or you’re looking to take advantage of our end user security awareness and security training, contact us today online or by phone at 616.776.0400. We are happy to help you!