Those entering “what is phishing” into a search engine are usually looking for:
- A definition of what phishing is.
- Advice on how to avoid a phishing scam.
- Information on if the email or text they just got is phishing.
This article will teach you all three so that you can protect yourself—as well as employees and coworkers—from this serious IT security risk.
Here’s what I’m covering in this article:
I recommend taking the quiz after reading this article to see if you’d get hooked by a phishing scam. Share the quiz around the office to protect your coworkers from phishing as well.
What is phishing?
Phishing is a cybercrime where an attacker pretends to be someone (a bank, Netflix, your boss) they are not to trick a victim into giving them data that the attacker can exploit. Phishing scammers are typically after:
- Login details
- Credit card numbers
- Banking information
- Money (fraudulent invoices, buying and sending gift cards)
Phishing is most often done over email, but SMS, messaging apps, telephone calls, and voicemail are also popular. Email is used most because it is very easy to fake a sender address and trick people into clicking links, downloading malicious apps, or replying to emails that look legitimate but are not.
Here is an actual phishing email I received in my email. The attacker pretended to be my CEO by using his name:
Yes, I was 99% sure it was a phishing attack by the time I finished reading it (one clue was no one calls me “Matt” except my mom). This will be covered deeper later on, but once I ascertained this was phishing I did the following steps:
- Did NOT reply to the email. Not even for LOLz.
- Contacted the CEO by a trusted communications platform: our company’s chat app.
- He confirmed that the email did not originate from him.
- I forwarded the email’s header and content along to the IT team.
- An image of the email was shared on the company’s general group chat.
The steps I followed here are exactly the same as what you should follow when you suspect a phishing attack. Keep reading to learn more about how to deal with phishing attacks below.
Phishing emails exploit trust
Attackers create their emails to look like people or companies that the victim trusts or does business with. There are many ways scammers try to make emails look legit:
- Faking the “from” in the email header to look like it’s coming from the right person. This was used by the scammer in my example.
- Slightly changing a legit email address from a trusted sender.
- Copying real emails from companies or people, but changing key parts like where links go when you click them.
The message seems to come from your boss, except if you look closely the actual email address is wrong. Or the email looks like an email from your bank with a link to check for fraud—except the link goes to a fake copy of your bank’s website.
These tricks are classic examples of social engineering—the manipulation of human psychology—that hackers often use to ensnare people. Social engineering exploits our biases and experiences against us. For example, people try to get into access-controlled buildings by coming up to the door with an armload of boxes. A simple “Oh, let me get the door for you…” is all someone needs to get into the most secure buildings.
Examples of people and institutions spoofed include:
- Credit card companies
- Social media websites
- IT department personnel
All of these are people and organizations someone will instinctively trust if they see what looks like a legitimate email. That instinctive trust is exploited to get people to click on links to malicious websites asking for login information or to download malware.
How does a phishing attack work?
You might think it takes some advanced hacking to spoof an email, but it’s dreadfully simple and uses freely available tools. Specialty tools found on the dark web for phishing can be purchased for about $20. For the new hacker who doesn’t know how to phish, there are complete tutorials on the dark web for another $20. $40 spent and you have the tools to steal hundreds, thousands, or more.
Here’s how an email is spoofed for a phishing attack:
- The attacker gets their own SMTP server to send the emails. This is easy to do and not malicious in itself.
- They download an email creation tool. PHPMailer is a popular option as it’s free and often used for legitimate emails, so it won’t draw suspicion.
- Attackers can now control the “From” and “To” sections of the emails they send, allowing them to spoof any email address. This is where the malicious intent comes in.
- The attacker sends an email spoofing a trusted source. They then ask for sensitive information, or to download helpful content that is actually malware.
- If you reply to a spoofed email, the reply goes to the real owner of the spoofed address, not the attacker. That isn’t the point though: the attacker wants you to click a malicious link or download malware from the email.
There is nothing difficult about doing this. Attackers only need the motivation to execute the attack and the ability to not get caught afterwards. The email is traceable via the IP address it was sent from, but skilled hackers have ways around that.
Misleading “Reply to” phishing attack
A variation on a phishing attack has the attacker send an email from an address that looks like the right one at first glance:
- Boss@ourcompany.com is the email that your boss uses.
- Boss@ourcompany.co is the email the attacker uses to pretend to be your boss.
- Boss@ourcompany-exec.com is another common tactic.
Attackers hope that you don’t notice the missing or added letters and reply to the message as if you’re replying to the person being spoofed.
The attacker controls the “@ourcompany.co” domain and can read emails sent there. If they spoof the “@ourcompany.com” email they don’t control that domain and are trying to get you to click malicious links or download malware instead. Both are phishing with the variation being how they manipulate the “From” field.
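The spoofed “From”, the lookalike domains above (ourcompany.co, ourcompany-exec.com) and the CEO-name trick from my own example can all be caught by looking at the headers. The following is an added example, not code from the original article; the company domain, the directory entry and the sample message are all constructed.

```python
# Added example (not the article's own code): header checks for the sender
# tricks described above -- a trusted display name on an outside address, a
# Reply-To pointing somewhere other than the From, and lookalike domains such
# as ourcompany.co or ourcompany-exec.com standing in for ourcompany.com.
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "ourcompany.com"                     # hypothetical company domain
KNOWN_PEOPLE = {"jane ceo": "boss@ourcompany.com"}    # constructed directory entry

def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True when `domain` imitates `trusted` without being it."""
    domain, trusted = domain.lower(), trusted.lower()
    if domain == trusted:
        return False
    t_label = trusted.rsplit(".", 1)[0]
    d_label = domain.rsplit(".", 1)[0]
    if d_label == t_label:            # ourcompany.co: same name, different TLD
        return True
    if t_label in domain:             # ourcompany-exec.com: name embedded elsewhere
        return True
    # single-character typo in the name, e.g. ourcompamy.com
    return len(d_label) == len(t_label) and sum(a != b for a, b in zip(d_label, t_label)) == 1

def check_headers(raw: str) -> list[str]:
    """Warnings for one raw RFC 5322 message; an empty list means nothing odd."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    warnings = []
    if is_lookalike(from_domain):
        warnings.append(f"From domain {from_domain} looks like {TRUSTED_DOMAIN}")
    expected = KNOWN_PEOPLE.get(from_name.strip().lower())
    if expected and expected != from_addr.lower():
        warnings.append(f"Display name '{from_name}' belongs to {expected}, not {from_addr}")
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        warnings.append(f"Reply-To {reply_addr} does not match From domain {from_domain}")
    return warnings

# Constructed sample: CEO's display name, lookalike domain, replies routed elsewhere
SAMPLE = """From: Jane CEO <boss@ourcompany.co>
Reply-To: boss@ourcompany-exec.com
To: matt@ourcompany.com
Subject: Quick favour

Are you at your desk? Call me when you see this.
"""
```

Running check_headers(SAMPLE) produces three warnings, one for each trick; a message from boss@ourcompany.com with no Reply-To produces none.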
What is spear phishing?
Spear phishing is a targeted form of phishing. Where a phishing email is identical for many thousands of users, spear phishing creates messages targeted at individual victims.
These messages will typically include personal data. This data can be taken from social media, social engineering, talking with people the victim knows, or from past hacks. This makes spear phishing very difficult to detect. The victim will have to actively contact people via trusted communication methods to verify the authenticity of suspicious emails.
How to identify phishing scams
All phishing scams have commonalities:
- They usually have a time pressure angle to create urgency.
- They motivate the user through fear of something bad happening, or
- through fear of missing out on something positive.
You have to recognize these common traits. Besides being aware of the common ways that phishing happens, and having a tool like an MDM for email security, here’s how you can protect yourself against phishing:
- Update your browsers frequently because they have anti-phishing tools built into them warning you of suspicious sites before you visit them.
- Set your email’s spam filters to a higher level (Microsoft Outlook allows this). These filters can steer phishing emails from your inbox to spam.
- Quality antivirus software blocks the malicious files a phishing attack asks you to download, and is a good general way to protect your business anyway.
- ‘Hover’ over a link to preview it before clicking. If you’re on mobile, where you can’t hover, you can hold your finger down on the link until a preview comes up.
- Contact live customer support from the main website yourself for any issues involving your money, or better yet go into a local store or bank branch.
- Be cautious of shortened links. They are becoming more common thanks to social media, leading to more people trusting them. Use a website like CheckShortURL to see a URL in full before visiting it.
- Never give out sensitive data to a website without a valid SSL certificate.
Even if you do every single one of the steps above you can still get phished. The ultimate failsafe is to use your better judgement and use a trusted communication platform—such as face-to-face or a trusted team chat app when working remotely—to verify requests that you are not sure of.
Read over the examples below and think about how there is a common theme of sensitive data being requested from you in an unprofessional manner.
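The “hover over a link” and “be cautious of shortened links” checks above can also be done on the HTML of an email before anyone clicks. This is an added example, not the article’s own code; the bank domains and the sample message body are constructed, and the shortener list is deliberately short.

```python
# Added example (not the article's own code): the "hover before you click"
# check done programmatically. It pulls each link out of an HTML email body and
# flags anchors whose visible text names one host while the href goes to
# another, plus links through URL shorteners, which hide the destination.
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # constructed, deliberately short list

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text: str) -> str:
    """Hostname of a URL or of bare text like 'www.mybank.example/verify'."""
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return host[4:] if host.startswith("www.") else host

def suspicious_links(html: str) -> list[str]:
    """Findings for one HTML body; an empty list means every link looks honest."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        # treat the anchor text as a URL only when it looks like one (a dot, no spaces)
        shown = host_of(text) if "." in text and " " not in text else ""
        if real in SHORTENERS:
            findings.append(f"shortened link hides its destination: {href}")
        elif shown and shown != real:
            findings.append(f"text shows {shown} but the link goes to {real}")
    return findings

# Constructed sample body: one honest link, one mismatched link, one shortener
SAMPLE_HTML = """<p>Please <a href="https://www.mybank.example/help">contact support</a>.</p>
<p>Verify now: <a href="http://mybank-secure.example/login">www.mybank.example/verify</a></p>
<p>Details: <a href="https://bit.ly/3abc">here</a></p>"""
```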
Types of phishing scams
The basis of all phishing is imitating a trusted sender via non-personal communication methods. There are a wide variety of scams out there built on this premise you should be aware of.
Here are four of the most common scams, each with an example letter that could be sent to execute the attack. Save the email images and share them around your office to warn people of these threats.
The Government Scare Tactic
The attacker pretends to be some type of government agency—FBI, CIA, RCMP—in an attempt to scare you into complying. They’ll demand information to settle a legal issue.
A Problem with Your Billing
When this phishing attack is done right it is very difficult to detect. Flawless execution of this scam looks like this:
- Attackers steal a list of recently added email addresses from a legitimate vendor.
- The email states that they are having a problem with your billing information.
- You are requested to click a link to fix your billing information.
- The link sends you to a legitimate-looking spoofed site.
- Your payment card details are stolen via a form.
You must always go through the payment gateway of vendors yourself and never go through a link sent to you because of this. Go back to the original email sent when you made your purchase, verify URLs, and talk to live customer support.
Your computer is infected
Scammers will pose as some sort of account representative for an online service (such as Apple Support, or HP Support), or as someone associated with your ISP, and tell you that your computer has been infected. You will have to click a link to go to a spoofed site, or download a form to fill out and send back—the form will have malware in it.
You are a winner!
Scammers will pose as a legitimate site that you visit often—data easily obtained, purchased, or stolen. They then claim that you have won a prize for being the XXXX visitor to the site, a top engaged fan, or something along those lines.
All you have to do is click a link to claim your prize. That link will ask for credentials, partial payment of shipping, or be a download button for malware.
Phishing attacks happen to everyone
With the wide variety of tactics scammers use, all business types can expect to become targets of phishing attacks. Some will inevitably take the bait and become a victim. Notable examples include:
There is no guaranteed way to stop 100% of phishing attacks—especially with spear phishing becoming more sophisticated—but there are steps you can take. An important one is to use SKY WORK to establish trusted communication platforms. Mandatory apps give everyone a space to communicate with trust.
The next step is to make sure your coworkers read this article and take the free phishing quiz included below. One employee being aware of phishing is good, but it takes everyone being aware to protect an entire business.
Free “What is phishing?” quiz
If you’ve paid attention to the article above you should be able to do well with this phishing quiz. Remember to think about how attackers try to steal your data, and be skeptical of requests to succeed both with this quiz and in real life.