Some of the simplest and most effective techniques used by cybercriminals to achieve their goals are what are known as phishing attacks. It is often much easier to trick someone into clicking a link in an email or opening a malicious attachment than to hack past an organization’s firewall and other defenses. Phishing attacks can have a number of different goals, including malware delivery, stealing money, and credential theft. However, most phishing scams designed to steal your company information can be detected if you pay enough attention.

Here are a few phishing prevention tips to keep in mind:

1. Always be suspicious of password reset emails

Password reset emails are designed to help when you can’t recall the password for your account. By clicking on a link, you can reset the password to that account to something new. Not knowing your password is, of course, also the problem that cybercriminals face when trying to gain access to your online accounts. By sending a fake password reset email that directs you to a lookalike phishing site, they can convince you to type in your account credentials and send those to them. If you receive an unsolicited password reset email, always visit the website directly (don’t click on embedded links) and change your password to something different on that site (and any other sites with the same password).

2. Always note the language in the email

Social engineering techniques are designed to take advantage of human nature. This includes the fact that people are more likely to make mistakes when they’re in a hurry and are inclined to follow the orders of people in positions of authority.

Phishing attacks commonly use these techniques to convince their targets to ignore their potential suspicions about an email and click on a link or open an attachment. Some common phishing techniques include:

Fake Order/Delivery: A phishing email will impersonate a trusted brand (Amazon, FedEx, etc.) stating that you have made an order or have an incoming delivery. When you click to cancel the unauthorized order or delivery, the website (which belongs to a cybercriminal) will require authentication, enabling the attacker to steal login credentials.

Business Email Compromise (BEC): BEC scams take advantage of hierarchy and authority within a company. An attacker will impersonate the CEO or other high-level executive and order the recipient of the email to take some action, such as sending money to a certain bank account (that belongs to the scammer).

Fake Invoice: The phisher will pretend to be a legitimate vendor requesting payment of an outstanding invoice. The end goal of this scam is to have money transferred to the attacker’s account or to deliver malware via a malicious document.

In other words, if an email is urging you to take rapid or unusual actions, slow down and verify that it is legitimate before trusting it.
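The two checks above (section 1: does the link really go where it claims; section 2: does the wording lean on urgency or authority) can be automated as a first-pass triage rule in a mail pipeline. The script below is an added example and not code from the original post or from Integrated Technology Systems. It assumes a small constructed allow-list of brand domains (`BRAND_DOMAINS`), hand-written cue lists for the pretexts described above, a simplified "last two labels" notion of registrable domain (a production rule would use the public suffix list), and two constructed sample messages (a PayPal-themed lure on a lookalike host and a benign internal note).

```python
"""Heuristic phishing triage over raw email text (added example; assumptions noted inline)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list for the example: brand keyword -> domains it legitimately uses.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "dhl": {"dhl.com"},
    "microsoft": {"microsoft.com", "live.com", "office.com"},
}

# Pretext cues from the post: urgency, authority/payment (BEC, fake invoice), password reset.
URGENCY_CUES = [r"\burgent\b", r"\bimmediately\b", r"\bsuspended\b",
                r"\bwithin 24 hours\b", r"\bverify your (?:account|information)\b"]
AUTHORITY_CUES = [r"\bceo\b", r"\bwire transfer\b", r"\bbank account\b", r"\boutstanding invoice\b"]
RESET_CUES = [r"\breset your password\b", r"\bpassword reset\b"]


class LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs so shown vs. real destination can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain = last two labels (assumption: no public-suffix list here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claimed_brand(text):
    """First brand keyword mentioned in the sender name or body, else None."""
    low = text.lower()
    return next((b for b in BRAND_DOMAINS if b in low), None)


def _body_text(msg):
    """Concatenate decoded text/plain and text/html parts."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw):
    """Return (score, reasons) for one raw message; each independent finding adds one point."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = _body_text(msg)
    reasons = []
    brand = claimed_brand(display + " " + body)
    sender_dom = registrable(addr.split("@")[-1]) if "@" in addr else ""

    # Section 1 style check: a brand is claimed but the sender domain is not that brand's.
    if brand and sender_dom not in BRAND_DOMAINS[brand]:
        reasons.append(f"sender domain {sender_dom} does not belong to claimed brand {brand}")

    # Link checks: off-brand destination, and visible URL text that differs from the real href.
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if brand and registrable(host) not in BRAND_DOMAINS[brand]:
            reasons.append(f"link to {host} is off-brand for {brand}")
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"link text shows {shown.group(1)} but points to {host}")

    # Section 2 style check: language that pushes for haste or leans on authority.
    low = body.lower()
    for label, cues in (("urgency", URGENCY_CUES), ("authority/payment", AUTHORITY_CUES),
                        ("password reset", RESET_CUES)):
        hits = [c for c in cues if re.search(c, low)]
        if hits:
            reasons.append(f"{label} cue(s): {len(hits)}")
    return len(reasons), reasons


# Constructed sample messages (not real mail): a lookalike-host lure and a benign note.
PHISH = """From: "PayPal Service" <service@paypal-secure-login.example>
To: victim@example.com
Subject: Your account has been temporarily suspended
Content-Type: text/html

<p>Your account has been temporarily suspended. Please
<a href="http://paypal-secure-login.example/verify">https://www.paypal.com/verify</a>
to verify your information within 24 hours.</p>
"""

LEGIT = """From: "Team Updates" <updates@example.com>
To: staff@example.com
Subject: Lunch menu for Friday
Content-Type: text/plain

The cafeteria menu for Friday is on the intranet page at
https://intranet.example.com/menu. No action needed.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        score, reasons = triage(raw)
        print(name, score, *reasons, sep="\n  ")
```

The score is deliberately a plain count of independent findings so that each reason can be shown to the recipient or an analyst; the lookalike sample trips the sender-domain, off-brand link, link-text mismatch and urgency checks, while the plain internal note trips none. Treat this as a flag-for-review heuristic, not a verdict: the cue lists are small, and a legitimate password reset from the real brand domain would still register its reset wording.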

3. Never share your credentials

Credential theft is a common goal of cyberattacks. Many people reuse the same usernames and passwords across many different accounts, so stealing the credentials for a single account is likely to give an attacker access to a number of the user’s online accounts.

Top 10 Brands That Phishing Attackers Use To Scam Users

Scammers delight in impersonating government agencies and well-known brands to lure email recipients into giving up their personal information. That information is then either exploited directly or sold to the highest bidder on the Dark Web.

Have you ever wondered which agencies, companies or brands are the most imitated by these attackers?

Quite often Microsoft tops the list, but this year it has been dethroned by the shipping company DHL. That may not be surprising given the realities of the pandemic and the rise in popularity of online shopping.

Here is the list of the top ten for this year from their report:

  • DHL (impersonated in 23 percent of all phishing attacks, globally)
  • Microsoft (20 percent)
  • WhatsApp (11 percent)
  • Google (10 percent)
  • LinkedIn (8 percent)
  • Amazon (4 percent)
  • FedEx (3 percent)
  • Roblox (3 percent)
  • PayPal (2 percent)
  • Apple (2 percent)

The specific lure used in each of these cases varies wildly. For instance, when a scammer spoofs a shipping company, the email is typically some variation of "we're trying to deliver a package to you but are having problems, press this button for more information."

PayPal scams, on the other hand, typically go the route of "Your account has been temporarily suspended. Please click here to verify your information."

Microsoft and Google are commonly spoofed in various software giveaway schemes, or, in the case of Google, some variation of "click here to claim your free Chromebook."

Now that you are armed with a list of the most often imitated brands, you at least have a list of things to be on the lookout for. The best defense is vigilance, just like always. If it sounds too good to be true, it probably is, and don't ever click on embedded links even if you think you know and trust the sender.

Protecting Against Phishing Attacks

Understanding the risks of phishing attacks and some of the most common pretexts is an important first step in protecting against them. However, modern phishing campaigns are sophisticated, and it is probable that, eventually, someone will fall for one.

When this happens, having endpoint and email security solutions in place can mean the difference between a major security incident and a non-event. To learn more about protecting your organization against phishing, contact Integrated Technology Systems and check out our anti-phishing solutions.