The biggest challenge of phishing is that technology doesn’t provide a perfect fix. Attackers play on trust and fear to manipulate people to take actions that leave their organization at risk. Stopping phishing attacks starts with identifying the phishing email.
This presentation provides 6 examples of phishing emails and how to identify them to mitigate risk.
1. 6 Examples of Phishing Emails and How to Identify Them
Teach Your Employees What to Look for to Identify Phishing Emails
2. The threat of phishing is increasing both in frequency and sophistication. This trend shows no sign of slowing.
3. One of the biggest challenges of phishing emails, and social engineering in general, is that technology doesn’t provide a perfect fix.
4. However, there is one common denominator in all of these phishing attacks: people.
5. Attackers play on trust and fear to manipulate people to take actions that put them at risk. The risk goes beyond the individual. Employee actions leave organizations vulnerable too.
6. There’s a common saying that employees are the biggest threat to information security. However, employees can be taught how to recognize phishing emails to keep personal, company, and customer information safe.
Untrained employees may be one of the biggest threats to information security, while well-trained employees are the best and last line of defense.
7. This presentation shows 6 examples of phishing emails with pictures. After the presentation, users should:
1. Identify common phishing emails
2. Simulate phishing attacks
3. Raise awareness of phishing threats
8. The Lookalike Phish
One common factor in most successful phishing emails is trust. If an attacker can establish trust with the recipient, the likelihood that the recipient performs a desired action increases significantly.
Establishing trust is easy if the attacker can look like something the recipient already trusts, for example Amazon. Almost everyone knows Amazon and has an account, so it’s easy to establish trust quickly with an Amazon lookalike email and trick the recipient into providing their password or confirming their credit card information.
Two Best Practices to Identify
1. Check the actual sender to confirm the sender is who you expect it to be. The actual sender in the Amazon example above is ‘emailservice.com,’ not Amazon.
2. Hover over links in the email to confirm they are going where you expect. Hovering over the links in this example should show Amazon.com.
Be aware that attackers are becoming more sophisticated and improving their craft. While a link may be easy to spot as fishy, it may also be cleverly disguised: for example, by replacing the ‘o’ in Amazon with a zero (Amaz0n) or a similar-looking character, so that a recipient misses the slight change.
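The two checks above (who the sender really is, and where the links really go, including the Amaz0n-style character swap) can be automated on the receiving side. The following is an added example written for this page, not code from the presentation or from Wuvavi; it inspects a constructed Amazon lookalike message with only the Python standard library. The sample headers, the link URL, the homoglyph table and the crude "last two labels" domain rule are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an Amazon lookalike, modelled on the slide's 'emailservice.com' sender.
SAMPLE_EMAIL = """\
From: "Amazon.com" <account-update@emailservice.com>
To: employee@example.com
Subject: Action required: confirm your payment details
Content-Type: text/html

<html><body>
<p>Your account has been locked.
<a href="http://amaz0n-login.example/verify">Sign in at Amazon.com</a> to restore access.</p>
</body></html>
"""

# Constructed control sample: what a genuine notification would look like.
LEGIT_EMAIL = """\
From: "Amazon.com" <no-reply@amazon.com>
To: employee@example.com
Subject: Your order has shipped
Content-Type: text/html

<html><body><p><a href="https://www.amazon.com/orders">View your order</a></p></body></html>
"""

# Characters attackers substitute for Latin letters (digits and Cyrillic lookalikes).
# Assumed table for this example; a production filter would use a fuller confusables list.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a",
                            "\u0430": "a", "\u043e": "o", "\u0435": "e",
                            "\u0440": "p", "\u0441": "c"})


def normalize_label(label: str) -> str:
    """Map lookalike characters back to their Latin originals, e.g. 'amaz0n' -> 'amazon'."""
    return label.lower().translate(HOMOGLYPHS)


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' rule (assumption; real code would consult a public suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so link text can be compared with the real target."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_lookalike(raw_email: str, expected_domain: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    brand = expected_domain.split(".")[0]
    findings = []

    # Check 1: the actual sender address, not the display name, must belong to the expected domain.
    if sender_domain != expected_domain and not sender_domain.endswith("." + expected_domain):
        findings.append(f"sender domain '{sender_domain}' is not '{expected_domain}'")
        if brand in display.lower():
            findings.append(f"display name '{display}' claims {expected_domain} but address is {addr}")

    # Check 2: every link must really go to the expected domain ("hover over the link").
    parser = LinkCollector()
    parser.feed(msg.get_payload())  # samples are single-part text/html
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) != expected_domain:
            findings.append(f"link text '{text}' points at '{host}', not {expected_domain}")
        # Check 3: flag labels that only look like the brand after homoglyph normalisation.
        for label in host.split("."):
            if normalize_label(label) != label.lower() and brand in normalize_label(label):
                findings.append(f"host label '{label}' is a lookalike of '{brand}'")
    return findings


if __name__ == "__main__":
    for name, sample in (("lookalike", SAMPLE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, check_lookalike(sample, "amazon.com") or "no findings")
```

The point of the three checks is that they look at the same things an employee is taught to look at, but at the raw data: the address behind the display name, the `href` behind the link text, and the individual characters of the host name rather than its overall shape.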
9. The Internal Request
Similar to the lookalike, the Internal Phish relies on trust. Internal does not describe the sender, as phishing emails typically come from malicious attackers outside an organization. Rather, internal describes the ‘character’ that the attacker is playing.
By playing an internal IT Manager or HR Director, an attacker can quickly gain your trust and encourage dangerous behavior. A common Internal email is a request from the IT manager to reset a password.
Two Best Practices to Identify
1. Raise employee awareness of the information security policy. Employees should be aware that no one in the company will ever ask for their password. The IT department will never require a password to resolve a support ticket.
2. Call the sender to confirm the email and its intent. It’s likely that the company has an extension for each employee, so you can quickly contact the sender to confirm that they sent a request for information.
10. The Government Threat
Government threats rely on fear rather than trust. Even if the victim is innocent, a call or email from the government raises the heart rate. Passing a police officer while driving down the highway at the speed limit still causes a brake tap, two checks of the speedometer, and three checks in the rearview mirror; an email from the FBI or IRS will do the same.
This can be extremely effective by phone, as described in this article about a franchise employee sending thousands of dollars in gift cards to pay for illegal activity by the owner. It’s also effective by email. A common attack has the attacker impersonating the IRS and requesting swift action by the recipient.
Fear and trust can be heightened when this attack is used during tax season.
Two Best Practices to Identify
1. Raise employee awareness of the information security policy. Employees should be aware that no one in the company will ever ask for their password. The IT department will never require a password to resolve a support ticket.
2. Call the sender to confirm the email and its intent. It’s likely that the company has an extension for each employee, so you can quickly contact the sender to confirm that they sent a request for information.
11. Wire Transfer Fraud
Wire Transfer Fraud is increasing in the home buying process. It’s the perfect storm: home buyers are excited, there are multiple parties involved, deadlines, and large amounts of money being transferred. Attackers rely on trust, fear, and time constraints to successfully carry out these attacks.
The attacker can easily create a free email account similar to the title company’s or mortgage lender’s name, and request that the buyer make a wire transfer to a new account immediately or risk a delay in closing.
Two Best Practices to Identify
1. Raise employee awareness of the information security policy. Employees and buyers should be aware that no one in the company will ever use a free email account.
2. Call the sender to confirm the email and wire transfer details. Creating a manual two-factor authentication process will ensure the email was sent by a trusted person and the account information is correct. Note: Do not use the phone number provided in the email. Rather, use a trusted phone number that has already been used to connect with the sender.
Sender: MortageLender@yahoo.com
Receiver: Home Buyer
Message: Hello please the escrow just emailed me that you need to send the funds via wire, They dont want to accept check due to a check check issues they just had, You will need to go to your bank to send the wire tomorrow so they can receive the funds before the closing, Please get back to me now so i can send you the wire information.
13. The Spear Phishing Attack
Spear Phishing is another email that relies on trust. As opposed to a normal phishing email that is sent to many, the spear phishing email is targeted at a specific individual. Typically these attackers are looking to steal confidential information.
One common spear phishing attack targets the CFO. Most CFOs know that the CEO has a busy schedule and may require funds to support their business travel. A hacker can take advantage of the CEO/CFO relationship by impersonating the CEO and requesting a wire transfer for a reasonable sum while the CEO is traveling out of the country. The CFO is likely to trust the request and make the transfer.
Two Best Practices to Identify
1. Raise cybersecurity awareness with the leadership team. Training the leadership team to be aware of the increased risk and sophistication of attacks targeting their position will help them to identify these phishing emails.
2. Call the sender to confirm the email and wire transfer details. Creating a manual two-factor authentication process will ensure the email was sent by a trusted person.
Sender: CEO
Receiver: CFO
Message: Hi CFO. Are you busy? I’m out of the office and I need you to process a wire transfer for me today. Please send to XYZ. Thanks.
Sent from my iphone
14. The Spoofing Attack
Spoofing is an attack in which the attacker impersonates a user or device to obtain information or access to an account, network, etc.
Spoofing can be targeted. For example, wire transfer fraud attacks might use spoofing so that the buyer thinks a malicious wire fraud request email is actually coming from a trusted source.
Spoofing attacks can also be used for much wider destruction. For example, attackers targeted Gmail users with the goal of accessing the users’ entire email history. Their code would then spread itself to all of their contacts. The Gmail user would see a link to share a document. When they clicked the link, it would take them to an actual Google page asking them to give permission to the attacker’s fake app.
Two Best Practices to Identify
1. If you are not expecting something, do not open attachments, click links, or share information.
2. Call the sender to confirm the email and wire transfer details. Creating a manual two-factor authentication process will ensure the email was sent by a trusted person.
15. What is Phishing?
Social Engineering is an attack in which an attacker tricks a person into an action desired by the attacker. A well known type of social engineering attack is phishing.
Phishing is most commonly associated with email, but can also be done through text messages and instant messages. During a phishing attack, the attacker uses one of these mediums to trick their victim into clicking on a malicious link, opening a malicious attachment, or providing sensitive information.
Why Are Hackers Phishing?
The goal of phishing varies from broad, shotgun attacks that widely distribute malware to targeted attacks that obtain specific information. Malicious links, attachments, and sites attempt to install malware that is meant to do some harm to you or your company. Malware often aims to collect personal information, interrupt computer operation, or gain access to a computer or network.
Attackers may also be looking for very specific information or actions. For example, they may perform an attack that dupes a new home buyer into wire transferring funds on the day of closing, knowing the parties involved and the date and time of closing.
16. One of the biggest challenges of phishing emails, and social engineering in general, is that technology doesn’t provide a perfect fix.
The common denominator in all of these attacks is people. Attackers play on trust and fear to manipulate people to take actions that put them at risk. The risk goes beyond the individual. Employee actions leave organizations vulnerable too.
17. There’s a common saying that employees are the biggest threat to information security. However, employees can be taught how to recognize phishing emails to keep personal, company, and customer information safe.
18. Employee Awareness
Untrained employees may be one of the biggest threats to information security, while well-trained employees are the best and last line of defense.
Wuvavi Employee Cybersecurity provides an enterprise-grade awareness platform for small and medium-sized businesses. Wuvavi makes simulating a phishing attack, training employees on best practices, and tracking completion for compliance requirements easy.
Employee Cybersecurity Awareness Best Practices
1. Establish a baseline to assess results by running a simulated phishing attack.
2. Assign employees training to teach best practices and raise their awareness.
3. Schedule ongoing phishing simulations at least quarterly to keep cybersecurity front of mind.
Wuvavi (www.wuvavi.com) is the leader in employee cybersecurity awareness for small and medium-sized businesses.
14 Day Free Trial