Keeping your Company Cyber Secure

In 2022, the number of phishing attacks increased by roughly two thirds, and the frequency of these attacks has continued to rise. The most important way to protect yourself and your systems is training and prevention. This article outlines the different types of attacks we're seeing and how to avoid falling for them.

But first, what is phishing? Phishing is an attempt to steal your money, your identity, or personal information such as your email password. Phishing attempts are often carried out by a criminal pretending to be your friend, colleague, or acquaintance in a fake message, which may include a link to a phishing (fake) website.

Email Impersonation

When a phisher sends an email that looks like it comes from another person within your organization, they usually pretend to be someone high up in the organization who is unlikely to be questioned over an odd, and urgent, request. Unfortunately, the availability of our information on search engines and common websites like LinkedIn provides easy access to first and last names as well as job titles. It is very difficult to limit access to this information, but fortunately these attempts can be easily spotted.

If you receive an email from someone and it seems unusual, it probably is. Phishing usually starts with a general email asking you to help with an urgent request, without specifying what the request is. Once you respond, the request will be made, and it usually involves gift cards or other cash equivalents that can be transferred over the internet.

If it looks phishy, start by checking the 'FROM' email address, not just the display name. You can also reach out to the person it is supposed to be from to confirm.

In the example below a phishing email was sent impersonating our General Manager. The following flags were used to identify it:

  • The email address and display name clearly do not relate to one another
  • The External: flag appeared before the subject; this is enabled to help us recognize phishing attempts
  • The email signature lacks the usual information, such as contact details, and differs from normal; some sophisticated attempts may include a better copy of the email signature to trick you.
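The first two flags above (address versus display name, and the External: tag) can be checked mechanically on a message's headers. The script below is an added example, not the article's own tooling; the company domain, the staff directory and the sample message are all constructed placeholders. Confirming with the person directly should still happen through a channel you already trust rather than by replying to the message.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed company mail domain and a constructed staff directory (placeholders,
# not values from the article). Directory keys are lower-cased display names.
INTERNAL_DOMAINS = {"example.com"}
DIRECTORY = {"jane smith": "jane.smith@example.com"}

def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def analyse_from(raw_message: str) -> list[str]:
    """Return the impersonation indicators found in a message's From/Reply-To headers."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    flags = []
    # Flag 1: the mailbox is outside the company even though it uses a colleague's name.
    if sender_domain(address) not in INTERNAL_DOMAINS:
        flags.append("external sender")
    # Flag 2: the display name belongs to a known colleague but the address is not theirs.
    known = DIRECTORY.get(display.strip().lower())
    if known and known.lower() != address.lower():
        flags.append(f"display name '{display}' does not match directory address {known}")
    # Flag 3: replies would go somewhere other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != address.lower():
        flags.append("Reply-To differs from From")
    return flags

def tag_subject(raw_message: str) -> str:
    """Prefix the subject with 'External: ', as the mail rule in the article does."""
    subject = message_from_string(raw_message).get("Subject", "")
    if "external sender" in analyse_from(raw_message):
        return "External: " + subject
    return subject

# Constructed sample resembling the impersonation attempt described above.
SAMPLE = """\
From: Jane Smith <jane.smith.gm@freemail.example>
Reply-To: gm.urgent.request@freemail.example
To: staff@example.com
Subject: Quick favour

Are you available? I need something done urgently.
"""

if __name__ == "__main__":
    for flag in analyse_from(SAMPLE):
        print("-", flag)
    print(tag_subject(SAMPLE))
```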
phishing example

Below is another example. The email impersonated a senior member of a customer's company, but the email address did not match. At the time the customer did not have the External rule in place, but they have since added it as a flag against spam.

phishing example 2

Phishing (Fake) Websites

This type of attack is aimed at getting you to go to a webpage and enter more information. This may come in the form of a link within the email, or an attachment (.htm or .html files). These open a website where you are prompted to enter your credentials. The website will look real at first glance, as phishers replicate the genuine site as closely as they can so that you trust it long enough to enter what they want.

In addition to reviewing the email as we did with impersonation attacks, you can spot these fake websites by looking at the URL in your web browser; it will differ from the site's normal URL. There may also be spelling mistakes across the site, and an overall unpolished feel. If you have any doubts, never enter your information. The best way to see if the site is real is to search for the site in a separate tab and compare the real site's URL with the one you were linked to.
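The URL comparison described above can be made precise: what matters is the host the browser actually connects to, not whether the real site's name appears somewhere in the link. The code below is an added example, not from the article; the site names are constructed placeholders and the checks generalise slightly beyond the text by also noting embedded credentials, raw IP hosts and plain http.

```python
from urllib.parse import urlparse

def link_matches_site(link: str, real_site_url: str) -> bool:
    """True only if the link's host is the real site's host or a subdomain of it."""
    link_host = (urlparse(link).hostname or "").lower().rstrip(".")
    real_host = (urlparse(real_site_url).hostname or "").lower().rstrip(".")
    if not link_host or not real_host:
        return False
    # Treat www.site.example and site.example as the same known-good site.
    if real_host.startswith("www."):
        real_host = real_host[4:]
    return link_host == real_host or link_host.endswith("." + real_host)

def why_suspicious(link: str, real_site_url: str) -> list[str]:
    """List the reasons a link should not be trusted relative to the real site."""
    parsed = urlparse(link)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme != "https":
        reasons.append("not served over https")
    if parsed.username:
        # 'real-site.example@evil.example' shows the real name but connects elsewhere.
        reasons.append("text before '@' is a username, not the host")
    if host and host.replace(".", "").isdigit():
        reasons.append("host is a raw IP address rather than a site name")
    if not link_matches_site(link, real_site_url):
        reasons.append(f"host '{host}' is not the real site")
    return reasons

# Constructed examples: the real site and links of the kind found in phishing emails.
REAL_SITE = "https://www.example-bank.example"
LINKS = [
    "https://www.example-bank.example/login",                    # genuine
    "https://example-bank.example.secure-login.example/login",   # real name as a prefix
    "https://example-bank.example@evil.example/login",           # real name as userinfo
    "http://203.0.113.5/login",                                  # bare IP, no TLS
]

if __name__ == "__main__":
    for link in LINKS:
        print(link, "->", why_suspicious(link, REAL_SITE) or ["looks like the real site"])
```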

Phishers find success in making you doubt yourself; they disguise these attacks in emails that appear to have real, serious implications. For example, your utilities will be turned off if payment isn't received, or your website domain will be lost if you don't pay now. Don't let these tactics rush you; always vet the site and the information you're looking at. Involve the correct parties to verify whether an email about an invoice is real.

The example below demonstrates what a phish with an attached file may look like. The attached file is a .html file that directs the user to a fake invoice site where the phishers hoped to collect money.

phishing example 3

I fell for it! What do I do?

Our customers should also let us know as soon as possible so that we can advise and work with you. The advice below is a good starting place for what we may recommend if you do fall for a phishing attempt.

Q: I answered their email before I realized it was a phish, am I safe?

Answering a phisher's email without providing any information will not harm you, though you should not do this regularly, even if it's fun to waste their time, as it may mark you as a target for other groups. Block the email address and consider letting others know if you believe they may fall for it. If you provided information, assess what was given and what impact it may have. Involve the appropriate parties.

Q: I entered my password into the phishing site

Your password is now compromised; you'll need to reset it as soon as possible. If you have multifactor authentication you have an additional layer of security, but you still need to reset your password as soon as possible. Do not approve any sign-in requests that you may receive.

Q: I purchased gift cards and gave away the codes

Unfortunately these cannot be recovered. Assess whether you gave away any other personal information; you may need to take additional steps to protect it.