If you have an email address, it's pretty likely you've received a phishing email. The average user receives 16 malicious emails per month, so you've certainly encountered the problem. In case you're not familiar with the name, email phishing is the act of sending a deceptive email with malicious intent. Email phishers use all sorts of techniques to prey on recipients, but the goal is always the same: to obtain useful information or spread malware (or both).
Phishing scams are the third most reported internet crime per the FBI, and represent half of all cyberattacks. These types of attacks are so high in volume because they work: from 2013 to 2016 alone, American businesses lost an average of $500 million per year as a result of phishing scams. No one is too big or too small to be targeted - half of all phishing scams occur in businesses with less than 250 employees.
Scams have gotten a bit more sophisticated since the days of the "Nigerian Prince" email of the early 2000s (although the old school methods are still quite effective), and use psychology, business practices, and some clever techniques to manipulate the user into clicking and downloading.
Examples we see
The Sneaky Pete
This type of phishing email is all about stealth - the scammer sends a PDF document or a link to a document in a file sharing platform, such as Dropbox or Sharepoint. It seems innocent enough, but that link reroutes you to a fake Office365 page to "log in" to your email. The page looks real, and does log in on your behalf to your actual email account. Now the scammer has your credentials, and will likely sit on them for awhile, possibly setting up redirect or copy rules to see if they can gather personal or financial information they can use. At the very least, they have access to all your contacts and can now start all over again with anyone you've ever been in contact with.
Why it works
Even if a Dropbox or Sharepoint file share email isn't something you regularly see, it's mundane and innocuous enough that it flies under the radar (especially if it seems to be sent from someone you know). Before you can register that something is a little off, the scammer has already accessed your credentials with that simple redirect. These types of scammers will also take their time with your account, which means if you have suspicions, they will likely die down before anything else happens.
The Action Hero
This strategy involves the scammer sending an email disguised as the CEO, owner, or other high-level executive of your company. Typically directed at a finance or office manager, the email contains an urgent request to initiate a wire transfer or send a large amount of gift cards to a fictitious customer.
Why it works
Since these emails appear to be from a high-ranking manager or C-level associate, employees follow through because authority carries weight. Recipients of these types of emails want to immediately carry out requests for high-ranking staff, and that need to please has yielded successful results for scammers.
The False Positive
This email is a lot like the Sneaky Pete, but is disguised as a transactional email that you either see frequently or were already expecting, like a DocuSign request from a client or vendor. Scammers have done research on you and your industry to see what you're most likely seeing on a regular basis, and get you to click or download before you realize it's not a real email.
Why it works
Scammers use research and industry data to figure out what you're likely to see as high-priority, or something you might see on a regular basis. It works because it lulls you into a false sense of security by cloaking itself perfectly as something you might already see everyday. If it's disguised as an email you were waiting for, like a DocuSign or wire transfer information, you might be more likely to act on it quickly without seeing who the sender truly is.
The Panic Button
This email is definitely more aggressive - the scammer sends you an email claiming they have your password, and they've downloaded dangerous malware to your computer to track everything you're doing. They claim that they've found scandalous information on you and threaten to send it to everyone you know if you don't pay their ransom, typically a couple hundred to a few thousand dollars worth of Bitcoin. Their claims are typically unfounded - in most cases, it's a password from 10+ years ago for an unrelated account, they haven't installed malware, and there's no Trojan to be found. But these tactics work just the same.
Why it works
Scammers employ tactics that prey on people's deepest fears: humiliation, stolen identity, irreparable damage to reputation. They bank on the fact that the recipient doesn't know much about IT, and use scary language to confuse and overwhelm. Rather than potentially be exposed or embarrassed, the recipient figures a couple hundred bucks is a small price to pay to make this go away.
Why it matters
Ultimately, these scams harm your bottom line and your reputation in a number of different ways. Should you or your employees fall victim to a sophisticated scam, financial consequences could include things like:
o Remediation for security breach(es)
o Lost productivity from downtime
o Paying the ransomer
o Loss of money through wire / gift card scams
o Loss of revenue and trust from departing customers
Financial burdens from email phishing can be minimal, but can also be incredibly costly. For example, an escrow company had email credentials compromised, and managed to redirect a down payment wire transaction to the scammer's account - in the amount of $100,000. The customer lost their down payment, and the escrow company lost their customer. But it's all preventable!
How to stop it
Look carefully at headers
The name appearing on the email might show the CFO's name, but look carefully at the headers. If it's a phishing email, the actual email address will differ from the CFO's. Additionally, the more tech-savvy will be able to see server and IP address information in the full header, which can help verify where an email is coming from.
Double-check before clicking
Take your time with emails. Give it a good read-through - are there glaring grammatical errors or odd language? Does the sender normally email you directly with items of this nature? Do images or logos look askew or grainy? If you suspect anything amiss, confirm with the sender over the phone or in person that this is an email they actually sent.
Beef up your passwords
If you're still using the same password from your original AOL account, it's time to change it. It's also probably a good idea to change it on a regular basis. That way, if you ever receive an email claiming to have your credentials, you know you can just delete it and move on.
Protect your credentials
Speaking of passwords, it's probably best to make sure you're only entering in your credentials on a secure website (like the one below). These phishing emails like to log in on your behalf to skim your password, so only logging in on a secure site is a great way to protect them.
(image credit: digicert.com)
You're not in this alone - tech experts (like us!) can help train your staff and implement solutions to stop email phishing in its tracks. We keep careful watch over phishing email trends and make sure clients are as protected as possible. Get in touch if you have any questions!
A little about us: Dynamic Computing provides managed IT services, IT support, IT consulting, & cyber security services to top performing small to mid-sized businesses in the greater Seattle area. We're focused on being the premier managed IT services firm in the Pacific Northwest, and we act as a complete IT solution for companies who don't have internal IT departments. Our clients typically range from 10 to 200 employees and we work primarily with professional services firms in the Puget Sound Region.