
8 things your employees should know about phishing

When was the last time you clicked on a link? The answer is likely to be recent, whether it comes from your social media feed, a work email, or a text message. They are everywhere. We are constantly bombarded with them in our personal, professional, and social lives.

One of the most effective methods used by hackers is the phishing email: a technique in which cybercriminals impersonate a legitimate organization or person in order to trick you into clicking on a malicious link. It is simple, and it works.

According to Proofpoint’s 2021 State of the Phish, 74% of US organizations were victims of a successful phishing attack in 2020. This represents nearly three-quarters of all organizations polled.

Until recently, phishing was primarily aimed at the consumer market, and malware was regarded as the most serious threat to businesses. Today, phishing is the most common social attack on businesses, accounting for more than 75% of security breaches.

So, how do we prevent people from clicking on anything? It is much easier said than done.

Best practices to stop clicking on phishing emails

Improve your team’s knowledge with regular security awareness training. You can also opt for phishing simulations to empower your team with practical exposure to phishing emails. Hopefully, doing those activities regularly will help everyone in your organization think before they click.

No cybersecurity solution can prevent all phishing attacks, so your employees must receive awareness training to learn what to look for in order to protect themselves.

Although hackers can use dozens of phishing techniques to trick your employees, there are a few that they rely on the most. Here are just eight things your employees should be aware of:

1. Phishing is illegal

Phishing is a type of fraud in which a hacker impersonates a legitimate brand and directs users to a malicious website in order to obtain personal information or credentials. The Microsoft 365 phishing attack is a common example of this:

A hacker sends an email purporting to be from Microsoft, requesting that the user log in to their Microsoft 365 account. When the user clicks on the link in the email, it takes them to a fake Microsoft 365 login page, where their credentials are stolen.

An untrained user will not recognize the email as a cyberattack attempt because it contains Microsoft branding and logos both in the email and on the phishing page.

2. Email addresses can be spoofed

Never trust an email based solely on the sender’s name. Emails can be disguised in a variety of ways by cybercriminals. They know how to fool their victims into thinking the sender is legitimate when the email is actually coming from a malicious source.

Display name spoofing and cousin domains are the most common types of email spoofing. In display name spoofing, the phisher sets the sender's display name to something that looks legitimate, such as microsoftsupport@microsoft.com, while the actual email address underneath is unrelated, such as xyz@yahoo.com.

Because the sender’s email address is hidden, display name spoofing is most effective when a user views the email on a mobile device. Phishers take advantage of the fact that the majority of mobile users will not expand the sender’s name to view the email address.

A cousin domain appears to be the same as a legitimate email address, but it has been slightly modified. To spoof an Apple.com email, for example, the hacker could use Apple.co. Other times, hackers will use extensions to deceive users. Apple-support.org, apple-logins.net, and apple-security.com are a few examples. We’re also seeing an increase in long, ambiguous subdomains like icloud.accounts@apple.it.support.zqa.ca.
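The two spoofing patterns above can be checked mechanically from the From: header. The following is an added example (not code from the original article or from any vendor): it separates the display name from the real address and flags a display name that borrows a brand while the address comes from an unrelated domain, as well as cousin domains that contain the brand name without being owned by the brand. The brand allow-list and the sample headers are constructed for this example, and the registered-domain helper is a deliberate simplification.

```python
from email.utils import parseaddr

# Constructed allow-list of domains each brand really sends from (assumption
# for this example; a real deployment would maintain this list per vendor).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "apple": {"apple.com", "icloud.com"},
}

def registered_domain(host: str) -> str:
    """Last two labels of a hostname ('it.support.zqa.ca' -> 'zqa.ca').
    Simplification: production code should use a public-suffix list (co.uk etc.)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def sender_red_flags(from_header: str) -> list[str]:
    """Return the spoofing indicators found in a From: header.
    An empty list means the sender domain matches the brand it claims to be."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable-address"]
    host = address.rsplit("@", 1)[1].lower()
    reg = registered_domain(host)
    flags = []
    for brand, legit_domains in BRAND_DOMAINS.items():
        if reg in legit_domains:
            continue  # mail really originates from the brand's own domain
        if brand in host:
            # brand name inside a domain the brand does not own: cousin domain
            # (apple.co, apple-support.org, apple.it.support.zqa.ca)
            flags.append(f"cousin-domain:{brand}:{reg}")
        elif brand in display.lower():
            # brand appears only in the display name; the address is unrelated
            flags.append(f"display-name-spoof:{brand}:{reg}")
    return flags

# Constructed sample headers modelled on the cases described in the text.
SAMPLES = [
    '"microsoftsupport@microsoft.com" <xyz@yahoo.com>',
    "Apple Support <no-reply@apple.co>",
    "Apple ID <security@apple-support.org>",
    "iCloud <icloud.accounts@apple.it.support.zqa.ca>",
    "Apple <noreply@email.apple.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r}: {sender_red_flags(header) or 'ok'}")
```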

3. Subject lines and text are frequently threatening or appealing

Cybercriminals may promise “free iPhones to the first 100 respondents” or threaten that “your credit card will be suspended if no action is taken immediately.” A common tactic is to create a sense of panic, urgency, or curiosity. Users are typically quick to respond to emails indicating potential financial loss or personal or financial gain.

Emails with an aggressive tone or claiming that immediate action is required to avoid repercussions should be treated as a potential scam. This technique is frequently used to scare people into disclosing sensitive information.

Phishing emails informing users that their critical accounts have been locked or that an invoice must be paid to avoid prosecution are two examples of this.

4. Attacks are becoming more focused and personalized

Many previous phishing attacks were sent in bulk to a large number of users at once, resulting in impersonal greetings. The emails would frequently address the recipient as “customer,” “employee,” or “patient.”

Your employees should be wary of these generic greetings, since professional organizations usually address users by their first name in email, but a personalized greeting is not by itself proof that an email is legitimate.

Phishers today launch targeted attacks with the victim’s name in the subject line. Hackers can use automation to pre-fill the victim’s email address on the phishing page and even load the company logo onto Microsoft 365 pages.

5. Phishing emails are becoming increasingly sophisticated

Employees must read their emails thoroughly rather than skim them. Many phishing and spear phishing attacks originate from other countries, which is why many phishing awareness training sessions advise users to look for obvious grammar and stylistic errors.

Hackers are becoming more sophisticated. They have the resources to write clean emails in their target language, networks of hackers to assist with attacks, and they make fewer errors. Employees should carefully read emails for both obvious and subtle grammatical errors that could indicate that the sender is not trustworthy.

6. Links aren’t always what they seem

Every phishing email contains a link, but phishing links are misleading. While the link text may say “Go to PayPal account,” the URL directs the user to a phishing page that appears to be from PayPal.

Make sure your employees hover over all links before clicking them to see the pop-up that shows the true destination of the link. If it is not the expected website, it is most likely a phishing attack.

The most important thing to check is that the URL’s core, the actual domain, is correct. Be especially wary of URLs that end in a domain name other than .com or .org. Furthermore, phishers use URL shorteners like Bitly to avoid email filters and trick users, so be cautious.
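The hover check described above (link text versus real destination) is the same comparison an email gateway or a security team can run over an HTML body. The following is an added example, not code from the original article: it extracts every link, resolves the registered domain of the real destination and reports links that point away from the expected brand domain or go through a URL shortener. The shortener list, the expected domain and the sample HTML are constructed for this example; the registered-domain helper is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of URL shortener hosts (assumption; extend for your environment).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def registered_domain(host: str) -> str:
    """Last two labels of a hostname ('secure.paypal.com' -> 'paypal.com').
    Simplification: production code should use a public-suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_links(html: str, expected_domain: str) -> list[tuple[str, str, str]]:
    """Return (text, href, reason) for every link whose real destination is not
    the expected brand domain. An empty list means every link checks out."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reg = registered_domain(host)
        if reg in SHORTENERS:
            findings.append((text, href, "url-shortener"))
        elif reg != expected_domain.lower():
            findings.append((text, href, f"destination {reg} != {expected_domain}"))
    return findings

# Constructed sample email body: two deceptive links and one genuine one.
SAMPLE_HTML = """
<p>Your account needs attention.</p>
<a href="https://paypal.com.account-verify.zqa.ca/login">Go to PayPal account</a>
<a href="https://bit.ly/3xyzabc">Review invoice</a>
<a href="https://www.paypal.com/help">Help Center</a>
"""

if __name__ == "__main__":
    for text, href, reason in check_links(SAMPLE_HTML, "paypal.com"):
        print(f"[{reason}] '{text}' -> {href}")
```

The first sample link shows why the text tells readers to check the core of the URL: the brand name appears at the front of the hostname, but the registered domain is zqa.ca.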

7. Phishing links can be hidden in attachments 

Phishing emails always include a link, but the link is not always in the email body. To avoid detection by email security filters, hackers will place a phishing link in an attachment, such as a PDF or Word document, rather than in the body of the email.

Furthermore, because sandboxing technology scans attachments for malware rather than links, the email will appear clean.

The email will appear to be from a legitimate company, vendor, or colleague, requesting that you open the attachment and click on the link to review or update information. Phishing awareness training should teach users to hover over links inside attachments in the same way they inspect links in an email body.

8. Hackers employ genuine brand images and logos

Brand logos and trademarks are not proof that an email is genuine. These images are freely available on the internet and can be easily replicated. Even antivirus badges can be inserted into emails to trick recipients into thinking the email is legitimate.

While any email filter can detect a previously reported phishing email, it may not recognize the same email if it is resent with an altered image or logo. As a result, in order to avoid detection, hackers distort images and logos. Furthermore, phishing URLs can be hidden in QR codes, malicious text can be added to images, and images are frequently hosted remotely to avoid detection.

Conclusion

Dealing with the fallout from a phishing attack is not only time-consuming, but also expensive. Because a single careless click has the potential to compromise your entire network, it is critical that everyone works together to protect the company.

Make sure you have a system in place for reporting attacks, and that all of your employees understand the importance of reporting them. While structured annual or semiannual cybersecurity awareness training is advised, employees should also receive on-the-fly phishing awareness training to close the awareness gap. 

Employees who click on a phishing link should receive immediate feedback and additional training. Examine the email with them, show them the red flags and indicators they overlooked, and provide additional training materials to help them avoid being phished in the future.

Users of Vade for M365 who interact with a phishing email are invited to participate in a phishing awareness training exercise. Vade Threat Coach is an automated feature that initiates training when it is needed, rather than months later in annual training.
