The prevalence and sophistication of phishing attacks are consistently on the rise. These scams, which frequently target both businesses and consumers, are an attempt to gain access to personal information and steal data and/or money. Phishing attacks are often leveled at the most vulnerable among our population – elderly people. They also frequently succeed when they take advantage of individuals who are busy, distracted or lacking in cybersecurity education.
Phishing emails are carefully researched and contrived to target specific recipients. Hackers will scour social media profiles and conduct online research to identify future victims’ personal details (family connections, old employers/colleagues, hobbies) – anything they can use to tempt you into falling for their scheme.
The only way to strengthen your defenses against such attacks is through cybersecurity awareness and education (which is why annual security awareness training should be a critical component of your risk management program!). With a keen eye and an understanding of common warning signs, employees can act as a key first line of defense in your business’s cybersecurity strategy.
Cyberattackers will use phishing to achieve specific goals. Knowing what a cyberattacker could be attempting to gain from or do to you will help you detect and deter the threat. There are two common goals that cyberattackers attempt to achieve as a first step toward compromising your information or money:
Login credentials: Usernames, passwords and other authentication information that would provide access to sensitive data
Malware infection: Infection with software that steals information or otherwise disrupts information technology devices and systems
Common Phishing Red Flags: Is That Email a Scam?
Is that email genuine or an attempt by a hacker to get your private information? There are usually multiple red flags that help you spot phishing emails and let you know that a message isn’t safe.
Here are some of the most common signs that an email or message may be a scam:
Unfamiliar Greeting: The sender spells your name wrong, or uses a first and last name, or calls you by your full name when you usually go by a nickname. Something might seem “off” with the tone of the greeting.
Grammar and Spelling Errors: Messages originating from a professional source should be free of spelling and grammar errors. Be sure to double-check the sender email address carefully – often just a single letter is misplaced or missing.
Inconsistent Email Addresses, Links & Domain Names: If a link is embedded in the email, hover over the link to verify the destination URL. If the email is allegedly from Website A, but the domain of the link does not include “websiteA.com,” that’s a huge red flag. If the domain names don’t match, don’t click. Corporate employees may want to pass these suspicious emails on to their IT departments (or outsourced MSPs) to investigate further.
A Sense of Urgency: Hackers may use threats or a sense of urgency to fluster users into opening and taking action on fraudulent messages.
Suspicious Attachments: When a recipient receives an email with an attached file from an unfamiliar sender, or if the recipient did not request or expect to receive a file from the sender, the attachment should NOT be opened. A good rule of thumb is to send a separate message to the supposed sender and ask them to confirm whether they sent you anything and what it was.
Generic Greetings: In some cases, instead of personalizing their attacks, hackers will use generic and impersonal greetings such as ‘Dear Customer’ or ‘Valued Employee’ to save time and maximize their number of potential victims. Regardless of the greeting, be sure to verify the sender email, domain & other information before taking any actions.
Unusual Requests: No one should ever ask you for your personal information via email. Do not send any personal information, login info, passwords, social security numbers, or money, before confirming that request with the sender. This is one of the most glaring red flags within a phishing email. Likewise, if a message asks you to install or patch something on your computer, forward that message to your IT team.
You’re a Prize Winner: Hackers will often use bribery to tempt you to open a fraudulent email. If you get a message telling you that you will benefit from a discount or win a prize by clicking on a link or opening an attachment – do not open it; report it to your IT team.
Vague Message: Be on the lookout for vague messages such as ‘here’s what you requested’ or an attachment titled ‘additional information’. Hackers often rely on vague messaging to persuade recipients into clicking on malicious attachments or links.
Request for Credentials, Payment Information or Other Personal Details: One of the most sophisticated types of phishing schemes is when an attacker creates a fake landing page and sends an official-looking email directing recipients to click a link to it. The fake landing page will have a login box or request that a payment be made to resolve an outstanding issue. Again, this should raise a red flag. Do not enter any sensitive or financial information without prior verification from the sender.
Get to Know the Latest Phishing Scam Trends
The red flags indicating a possible phishing attempt can appear in numerous channels and take many forms. Cyberattackers often adjust the ways they send and disguise their phishing attempts to try to snare the unwary. Many of the latest phishing emails follow these trends:
Quick response (QR) codes: Cyberattackers can mask harmful websites behind QR codes and place them in emails. The message may contain language asking the reader to authenticate their account information or download an attachment using the site behind the QR code.
Google Translate links: Cyberattackers sometimes use Google Translate to bypass tools that detect phishing scams. By running a malicious website through Google Translate, a fake log-in page can receive a legitimate Google domain. The fake log-in page will appear with a Google Translate banner informing the reader that the page has undergone translation.
Image attachments: A cyberattacker, posing as a legitimate source, may send an image containing a link to a malicious site. Many phishing scam detectors scan for text, so image-based attempts can circumvent those blockades.
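As an added example (not code from the article or from Omega Systems), here are the sender-domain and link-domain checks from the red-flags list above, plus recovery of the real host behind a Google Translate proxy link as described in this section, written in Python. The trusted-domain list and sample addresses are constructed; the translate.goog hostname encoding (dots written as single hyphens, literal hyphens doubled) is assumed from observed proxy URLs.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for a hypothetical organisation; not from the article.
TRUSTED_DOMAINS = {"example-bank.com", "example-mail.com"}
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches 'one letter missing or misplaced' sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' reduction (no public-suffix list), enough for the demo."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def unwrap_translate_proxy(host: str) -> str:
    """Recover the host behind a Google Translate proxy name (assumed encoding: '.' -> '-',
    literal '-' -> '--'): 'login-example--bank-com.translate.goog' -> 'login.example-bank.com'."""
    suffix = ".translate.goog"
    if not host.lower().endswith(suffix):
        return host
    encoded = host[: -len(suffix)]
    return "-".join(part.replace("-", ".") for part in encoded.split("--"))


def sender_red_flags(from_addr: str) -> list:
    """Flag a sender domain that is exactly one edit away from a trusted one."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    return [f"sender domain {domain} is one edit away from trusted {t}"
            for t in sorted(TRUSTED_DOMAINS) if edit_distance(domain, t) == 1]


def link_red_flags(from_addr: str, html_body: str) -> list:
    """Flag links whose real destination domain differs from the claimed sender domain."""
    claimed = registrable_domain(from_addr.rsplit("@", 1)[-1])
    flags = []
    for href in HREF_RE.findall(html_body):
        host = urlparse(href).hostname or ""
        real = unwrap_translate_proxy(host)
        if real != host:
            flags.append(f"{host} is a Google Translate proxy for {real}")
        if registrable_domain(real) != claimed:
            flags.append(f"link to {real} does not match claimed sender {claimed}")
    return flags
```

Running `sender_red_flags("security@exmple-bank.com")` reports the missing letter, and `link_red_flags` on a constructed body whose anchor points at `login-example--bank-com.translate.goog` reports both the proxy and the underlying host.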
Phishing Scams Outside of Emails
Some phishing scams use other channels to attack victims. Short message service (SMS) and Voice over Internet Protocol (VoIP) services have become common channels for these attacks:
SMS phishing scams: Cyberattackers use many of the same phishing tactics on text messaging and direct messaging platforms.
VoIP phishing scams: Cyberattackers forge caller identification details, luring victims to provide sensitive information to someone they believe they can trust.
Benefits of Phishing Awareness Training
Your organization can stop phishing in its tracks by empowering your employees and educating them about how to spot a phishing email. Most importantly, phishing awareness training teaches your employees what to do when they receive a suspicious email. Some of the benefits of awareness training include:
Employees learn how to spot phishing attacks: Employees need to know what to look for and how to spot a phishing attempt before they can take action. Training programs highlight the common features phishing emails have and put your employees on alert.
It’s an opportunity to remind employees of existing policies: Even when they know what to look for, employees can let their guard down, which puts your company at risk. Phishing awareness training puts the issue front and center and reminds everyone of the importance of staying alert.
Detection of risky and at-risk employees: Some employees may struggle to identify phishing emails or be targeted by hackers more than others. Training helps you determine which employees are at risk or who may have difficulty reacting appropriately.
Training satisfies compliance standards: Phishing awareness training should be part of your organization’s basic security training. If you’re applying for or renewing cyber liability coverage, it may be required before your insurer will approve your coverage.
It helps organizations foster a strong security culture: Security awareness is a muscle that gets stronger with exercise and practice. Providing phishing awareness training enhances your organization’s security and helps your employees feel more confident about the safety of their information.
How Does Omega Systems Prevent Targeted Phishing Attacks?
Omega Systems’ Cyber Awareness Training empowers your employees, turning them into your first line of defense against phishing attacks. Part of our training program includes managed phishing simulations. You can send phishing awareness tests to employees to see if they spot the red flags and respond appropriately.
Our program also lets employees report suspicious emails. We’ll respond to genuine phishing attacks, applying forensic knowledge across your network.
Learn More About Cyber Awareness Training
Phishing awareness training and testing reduces the likelihood that an employee in your organization will compromise the security of your data. We strongly advise that businesses incorporate managed phishing tests into their annual training regimens to help further educate employees on the dangers of phishing scams. Contact us today to learn more about our training programs.