Email phishing scams are flooding the Internet: How not to get lured in.
Nearly 85 percent of American and British organizations have been victims of phishing attacks, most delivered by email (other popular vehicles include mobile devices, social media, and phone calls).
Financial loss, productivity slowdown, and reputation damage are just some of the consequences companies like Seagate, Snapchat, and (ironically) the web-security company KnowBe4 have suffered after a strike.
Schools are juicy prey, too. And all it takes is one—just one—unsuspecting person to click a malicious link or open an infected attachment, and your entire system can be poisoned.
You can and should have a strong spam- and web-filtering system in place. These weed out much of the rubbish. But they’re not foolproof. Eliminating malicious mail is no longer as simple as blocking or trashing that ridiculous message from a Nigerian prince.
Scammers have gotten crafty, spoofing people with legitimate-looking emails and websites from “real” organizations, like banks, credit-card companies, shipping companies, and social-media outlets. Add to that a sense of urgency—“You’ve been locked out of your account!”—and people can get nervous and click-happy.
Here’s a quick primer on the types of email phishing expeditions out there and how you (and your staff) can avoid taking the bait.
One Phish, Two Phish (and a Whale)
Be on the lookout for three types of phishing attacks:
1. Traditional Phishing
The “granddaddies” of phishing, these scams have been around for years and are pretty easy to spot. Generally sent to a broad audience and rarely personalized, they may inform you of your recent lottery win or inheritance from a great aunt in Ireland. All they need (wink, wink) is your bank-account info to deposit the funds.
Messages are often poorly written and rife with spelling and grammatical errors. The claims may be outrageous.
Others appear to come from legitimate companies, such as “FedEx” and “PayPal.”
The idea, of course, is that the reader will click on the attachment, which will release some sort of malware and give the crook access to private info.
2. Spear Phishing
Targeting individuals or small groups of individuals, spear-phishing emails are socially engineered to look trustworthy. They’re likely personalized.
The cybercriminal may have done research on websites or social media to customize the message to the recipients’ recent activities or purchases. Or it may appear to come from your IT department (“Important to download the attached software update now”) or a colleague.
The message may urgently request sensitive information (login credentials, account information, credit card numbers, Social Security numbers) or direct you to open an attachment.
The logo and branding will probably look genuine. If you click on a link, the website you’re led to won’t raise eyebrows—it appears real.
3. Whaling
Looking to hook the big fish, whaling scammers target C-suite bigwigs. CEO fraud, as it’s known, is on the rise. These emails are sophisticated and business focused—often in the form of legal subpoenas, customer complaints, or executive orders. They generally prompt a department head or CEO to take swift action (log in, open attachment, click link).
Want to see real-live examples? Dirty, rotten phish exposed here:
University of Chicago
Protect Your School from Attack: Educate!
While your Internet filter and anti-virus software are doing their part, you have to do yours: Educate your staff and students on how to identify and deal with phishing scams. They should err on the side of suspicion and look out for the following:
Bogus “From” Addresses
Criminals can easily procure free email accounts, like YourBank@yahoo.com. Official email comes from a real domain: info@YourBank.com. Hit delete.
Generic Salutations
Many scammers won’t take the time to personalize their phish mail, so the salutation will be something like, “Dear Customer,” “Dear Member,” or “Dear Friend.” That’s a red flag.
Threats and Urgency
A common scare tactic is telling people their account has been compromised or their credit card will be revoked unless they act immediately (by “act,” we mean provide sensitive information).
If in doubt, advise users to call the company or go to the website in a separate window (never click on a link in the email) to verify or discredit the claim. If something were awry, a legitimate company would never ask for personal credentials in an unsolicited email.
Requests for Personal Information
Any email requesting personal information like passwords, Social Security number, bank account or credit card numbers should not be trusted.
Skimpy Signatures
Does the signature provide ample contact information? Phish often scrimp on these important details, whereas a real company displays comprehensive how-to-get-in-touch info.
Deceptive Links
Embedded URLs may not be what they seem. To verify that the actual destination matches the URL shown, hover your mouse over the link (do not click!) and read the address that appears—if it’s different, the email is probably a sham.
Misleading Domain Names
Do your users know how the DNS naming system works? Cybercriminals count on their ignorance. The last part of the domain name is the key: For example, the domain name info.K12USA.com is a child domain of K12USA.com, because K12USA.com is at the end—on the right. Compare that to K12USA.com.info.com, where K12USA.com sits on the left: the real domain there is info.com, so the site is illegitimate.
Government Impersonation
Some scary-sounding phishing emails appear to come from government agencies, like the IRS, the FBI, or law enforcement. These are another (often effective) way to intimidate readers into divulging personal info. However, government agencies typically don’t use email to initiate contact with people. If you’re worried you really do owe back taxes (or whatever the claim is), call your accountant or the IRS directly—do not open an attachment or click on a URL.
Sloppy Spelling and Graphics
Spelling errors, grammar mistakes, and poor-quality graphics all signal a spurious email. Company names can even be misspelled, for example, substituting 0 (zero) for the letter “O,” e.g., Capital0ne.com instead of CapitalOne.com. Keep a keen eye out for these sinister tricks.
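The two checks described under Misleading Domain Names and the misspelled-company-name trick above can be automated for a link found in an email. This is an added example, not code from the original post or from K12USA; the sample links are constructed, and the registrable-domain logic is simplified to the last two labels (a production checker would consult the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed sample links, mapped to the brand domain each one claims to be.
SAMPLE_LINKS = {
    "https://info.K12USA.com/login": "K12USA.com",        # legitimate child domain
    "https://K12USA.com.info.com/login": "K12USA.com",    # real domain is info.com
    "http://Capital0ne.com/verify": "CapitalOne.com",     # zero instead of letter O
    "https://www.paypal.com/signin": "PayPal.com",        # legitimate
}

# Digits commonly swapped in for look-alike letters (assumed, minimal table).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Return the rightmost two labels of a hostname, lower-cased.

    Simplification: the Public Suffix List is needed so that a host such as
    bank.co.uk is not reduced to co.uk. Good enough for the .com cases here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def hostname_of(url: str) -> str:
    """Extract the host part of a full URL (empty string if there is none)."""
    return urlsplit(url).hostname or ""


def link_verdict(url: str, expected_domain: str) -> str:
    """Classify a link: 'ok', 'lookalike' (digit-for-letter swap) or 'mismatch'."""
    actual = registrable_domain(hostname_of(url))
    expected = registrable_domain(expected_domain)
    if actual == expected:
        return "ok"
    # Normalise digit look-alikes on both sides before comparing again.
    if actual.translate(LOOKALIKES) == expected.translate(LOOKALIKES):
        return "lookalike"
    return "mismatch"


def check_links(links: dict) -> dict:
    """Run link_verdict over every (url, claimed domain) pair."""
    return {url: link_verdict(url, brand) for url, brand in links.items()}


if __name__ == "__main__":
    for url, verdict in check_links(SAMPLE_LINKS).items():
        print(f"{verdict:9s} {url}")
```

Only a full URL (with scheme) is parsed; a bare "www.example.com" yields an empty host and a mismatch, which is the safe default.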
Unexpected Attachments
Users should be suspicious of any email containing attachments, which could unleash a nasty virus. Urge them to exercise extreme caution and never open an attachment from an unknown or untrustworthy source. If there’s any question, call the sender to verify.
Request for Money
Hooray, you won the lottery (says the email)! Now all you need to do is send a little money to cover expenses, taxes, or other fees. This has scam written all over it.
Too Good to be True?
Emails offering big rewards for zero effort—like cash prizes, expensive vacations, or new cars—are phony.
Bottom line: Encourage users to trust their instincts. Phish scams often stink of fraud. Nowadays, emails must be viewed with a skeptical and discerning eye. This excellent infographic from Digital Guardian illustrates how to recognize and avoid phishing attacks. Share it with your end users!
Have other tips for handling dirty, rotten phish? We’d love to hear in the comments section.
About the Author: Lisa McComsey is a freelance writer, marketing consultant, and contributor to K12USA’s website and blog. In addition to her passion for technology, Lisa is a running and bicycling enthusiast, author of two books ("The Vegan Cheat Sheet" and "Seagan Eating"), and a hopeless chocolate addict.