How to Beat Phishing Attacks

Everyone needs to know about phishing emails and the serious impact that they can have on you and your company’s data.

Phishing is widely used term now and to make sure we’re all clear, it’s a form of social engineering in which cyber criminals will try to gain access to sensitive information and data by posing as a legitimate organization or person through email.

What types of emails should I look out for?

Please pay extra attention to the types of emails listed below as they are commonly used to take advantage of users.  These emails may try to manipulate a user’s emotions to make them feel a false sense of urgency or to spark their curiosity.

Emails relating to accounts and passwords: Password resets, account log in verifications, anything pertaining to banking, finances, credit cards, or account updates.

Emails that are offering or asking for money: You won money, claim this prize, special offers, ‘you got hacked, pay me’, or ‘send me money or else this will happen to you’.

Emails containing extra links or attachments: Social media messages with website links, LinkedIn invitations and profiles with website links, or emails with download links and attachments. 

What can I do to verify legitimacy of an email?

Cyber criminals will try to disguise themselves so they seem like a legitimate organization or person. Double check these areas of an email to validate legitimacy or to confirm the email is a phishing email.

From: Check to see if the sender’s email address is someone you recognize and that it is spelled correctly.  If the email seems suspicious, do not open attachments or click on links without first verifying with the sender that the email is valid.  If you have an internal IT department or an MSP, ask them to check it for you. Pay attention to the characters after the @ sign.  Common tactics that are used are to interchange characters that look identical or to use a similar website.

YourBoss@arrovv.amazon.com where it should be YourBoss@arrow.amazon.com

(There are two ‘V’s, not a ‘W’)

Support@Mlcrosoft.com (This is a lower case ‘L’, not an ‘i’)

Yourcoworker@the-realdomain.com, helpdesk@therealdomains.com, support@therealdomain.org (These may seem legitimate at a quick glance, but these email addresses are not from therealdomain.com)  

To: or CC: Check to see if this email has multiple recipients, or other recipients you do not recognize.

Links: Hover over any links and verify the link is to the website it indicates.  If you feel unsure or uncertain, do not open any attachments or click on any links.  Call, or otherwise contact, the sender to verify the email and any attachments or links are valid.

Verify any hyperlinks are spelled correctly:

www.bankofamerica.corn, (What looks like ‘m’ in .com, is lower case ‘RN’)

www.WeIIsFargo.com (The ‘ll’ in Wells is two capital ‘i’s, not lowercase ‘L’s)

www.paypal.net (This is not correct, if searched the website for PayPal it is actually www.paypal.com)

facebook.com (This looks correct; however, when you hover over it you see www.fadebook.com)

Date: Check if the email was sent during normal business hours.

Subject: Check if the subject irrelevant or if it is an unexpected reply.

Attachments: Check for attachments that were not expected.  Also confirm the file type is something that is expected (i.e. an attached voicemail is an audio file, not a PowerPoint file or Word document).  Be extra cautious with any attachments in an email. If you feel unsure or uncertain, do not open any attachments or click on any links. Call, or otherwise contact, the sender to verify the email and any attachments or links are valid. If you have an internal IT department or an MSP, ask them to check it for you.

Content: Check for grammar or incorrect spelling.  Read the email to confirm it is business related or regarding something that is being worked on. 

Spear Phishing attacks continually become more sophisticated

Spear phishing attacks are messages typically personalized based on public information the attacker has found on the recipient and organization.  This can include topics surrounding the recipient’s area of expertise, role in the organization, interests, residential and tax information, and any information that can be gleaned from your company website or social networks.  These specific details make the email appear more legitimate and more likely for the recipient to click any links or download attachments.

Links or attachments that are included often include malware that can compromise the credentials of the recipient or may include malware that will attempt to encrypt your data. These emails can be sent directly to a C level executive, IT Director or other individual that may have administrator permissions, or they may appear to be from one of these trusted sources in an attempt to convince you to open it.

Phishing and spear phishing email examples

Here are sites with examples of phishing emails:

https://security.berkeley.edu/resources/phishing/phishing-examples-archive

https://us.norton.com/internetsecurity-online-scams-phishing-email-examples.html

7 Ways to Recognize a Phishing Email: Email Phishing Examples (securitymetrics.com)

Here are a couple of online tests that you can use to test your knowledge of phishing emails:

https://phishingquiz.withgoogle.com/

https://www.sonicwall.com/en-us/phishing-iq-test-landing

Vermont Panurgy Solutions

Opening malicious attachments or links can expose you, your PC, your network and potentially your customer’s data to a possible attack. These attacks may include information disclosures, system viruses, data destruction or encryption resulting in loss of productive work time, loss of customer trust and lost company revenue.

As a managed service provider, we are ready to assist you with suspicious emails that you may encounter.  You are an important layer in the defense of your network and awareness of these tricks and how to spot them is key to preventing a successful attack.

Vermont Panurgyinfo@panurgyvt.com

Tel: 800-974-1115 or 802-658-7788

Leave a comment

Your email address will not be published.