Email-based phishing attacks remain at an all-time high. According to Wombat Security's State of the Phish™ Report 2018, 76% of information security professionals experienced phishing attacks against their organisations in 2017.
As businesses and individuals, we continue to be plagued by phishing emails, some of which show a high degree of technical sophistication. SecureTeam have seen a significant increase in targeted phishing campaigns launched against individuals within organisations, which often request sensitive information or payment of invoices – also referred to as “Whaling Attacks”. We have also observed an increase in malicious file attachments being sent into organisations that contain “0-day” exploits, which are difficult to protect against even with anti-virus products in place.
We’ve put together 10 anti-phishing tips: simple ways to help prevent yourself from falling victim to a targeted phishing attack, both at home and in the workplace.
Verify the email sender
Although the sender of an email may be someone you know personally, there is always the possibility that one of your friends or colleagues has had their email account hacked. If the person's email account has been hacked, the attacker may be the one sending the emails, in the hope that recipients are more likely to trust a sender they know.
If you think an email looks suspicious, calling the person or organisation who the email claims to be from is an easy way to check that the email has been sent legitimately.
Does the email content “look and feel” right?
Often one of the tell-tale signs that an email may be malicious is in the wording and content of the email itself. Phishing emails quite commonly originate from countries where English is not the primary language, so they may contain spelling mistakes, grammatical & punctuation errors, or wording which has not been used in the correct context.
Watch out for emails which claim to be from someone in a position of authority (for example a manager or a customer) who may be requesting that an action must be urgently carried out. Examples of these might be emails associated with “Whaling Attacks” where the email may request that an urgent invoice be paid immediately or that the recipient logs into a website to check something that is a high priority to them – for example an online payroll application.
Phishing emails may also make the recipient an offer which is too good to be true. I’m sure at some stage in our lives we’ve received an email from a distant relative in Nigeria, who has an urgent requirement to deposit a large sum of cash in a UK bank account.
Sometimes one of the best ways to spot a malicious email is by trusting your own instinct. If the email content is persuasive or offers something which is too good to be true – be on your guard!
Think before you click
Phishing emails will often contain malicious URL links. Typically, these links take the victim to websites that host malware or to webpages that ask the victim to enter sensitive information, such as their username & password.
If you receive an email that contains a URL link, hover your mouse over the link to reveal where it will take your browser if you click on it. If the URL that is revealed doesn’t match the text of the link in the email, there is a strong chance the link is malicious.
If the email claims to be from a public organisation (such as your bank), browse to the website by typing in the URL from a trusted source instead of clicking on the link in the email.
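As an added illustration of the hover check (this script is not part of the original article), the following Python code parses an HTML email body and reports every link whose visible text shows one host while the real href leads to another. The sample body and the host names in it (examplebank.com, login-verify.example.net) are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not from the original article): the first link's
# visible text names the bank, but its href points to an unrelated host.
SAMPLE_BODY = """<p>Your account needs attention. Please sign in at
<a href="http://login-verify.example.net/secure">https://www.examplebank.com/login</a>
or view our <a href="https://www.examplebank.com/help">help page</a>.</p>"""

def host_of(url):
    """Lowercase hostname of a URL without a leading 'www.', or '' if none."""
    host = (urlparse(url.strip()).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def looks_like_url(text):
    """Visible link text that a reader would take to be a web address."""
    return "://" in text or text.lower().startswith("www.")

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html_body):
    """Return (visible text, real href) pairs where the text shows one host
    but the link actually leads to another: what the hover check reveals."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue  # plain wording like "help page" cannot mislead about a host
        shown = host_of(text if "://" in text else "http://" + text)
        actual = host_of(href)
        if shown and actual and shown != actual:
            flagged.append((text, href))
    return flagged
```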
Does the domain name look right?
A very common tactic used by spear-phishers is to use a “spoofed” domain name which is very similar to that of the target organisation or of an organisation which is likely to be trusted. This increases the likelihood of the sender’s email address and any malicious URL links being trusted by the victim, as it is quite possible that differences between the genuine and spoofed domain names would go unnoticed by the recipient. Some examples of “spoofed” domain names could include: m1crosoft.com, abobe.com or barclys.com.
Pay close attention to the domain names in use when you examine the sender’s email address or URL links. Look for typos or character substitution in the domain name which could indicate that the domain name is not genuine. If there is any doubt about the authenticity of a domain name, browse to the target domain name directly from a Google search or enter the URL manually from a trusted source, such as company documentation.
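An added example (not from the original article) that automates the domain check described above: it normalises common look-alike characters (the digit 1 for l, 0 for o) and flags a sender domain that sits within a couple of edits of a trusted domain, using the article's own m1crosoft.com, abobe.com and barclys.com. The trusted-domain list and the substitution map are assumptions chosen for the illustration.

```python
# Constructed allow-list for the illustration: domains this organisation
# genuinely expects mail and links from.
TRUSTED_DOMAINS = ["microsoft.com", "adobe.com", "barclays.com"]

# Assumed map of characters attackers swap for look-alikes (digit 1 for l,
# 0 for o, and so on); a real deployment would use a fuller confusables table.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "@": "a"})

def edit_distance(a, b):
    """Levenshtein distance: minimum inserts, deletes and substitutions
    needed to turn string a into string b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address):
    """Domain part of a From header such as 'Payroll <hr@M1crosoft.com>'."""
    addr = address.strip().rstrip(">").rsplit("<", 1)[-1]
    return addr.rsplit("@", 1)[-1].lower()

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `domain` appears to imitate, or None.

    An exact match is genuine. Otherwise the first label is normalised with
    HOMOGLYPHS (m1cr0s0ft -> mlcrosoft) and compared with each trusted label;
    the closest one within max_distance edits is reported as the target."""
    domain = domain.lower()
    if domain in trusted:
        return None
    label = domain.split(".")[0].translate(HOMOGLYPHS)
    best = None
    for candidate in trusted:
        dist = edit_distance(label, candidate.split(".")[0])
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (candidate, dist)
    return best[0] if best else None
```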
Not all file attachments are safe
Malicious file attachments are very common in phishing attacks. Attackers will often send file attachments that are laden with malware that can be used to compromise your computer and get access to sensitive information, such as usernames, passwords or financial information. File attachments may be named in such a way as to entice the recipient to open them, for example a PDF document may be received that is named “Payslip.pdf” or an image file might be sent with your name contained in the filename.
Even with anti-virus installed on your computer, an attacker may be able to bypass this protection using exploits and malware that take advantage of vulnerabilities called “0-days” (pronounced “zero days”). A “0-day” vulnerability is one which has been discovered by security researchers “in the wild” but has not yet been patched by the software vendor and may not be known to anti-virus products. This means there is a strong chance that your anti-virus application will not detect a file attachment which relies on one of these “0-day” vulnerabilities. With this being the case, you should not rely solely on anti-virus software to protect you from malicious file attachments in emails.
Treating all file attachments with suspicion is one of the best ways to protect yourself from email-based malware. If you’re not expecting a file to be sent to you by someone in your organisation, speak to them in person and ask if they have legitimately sent you the file. Be cautious of files that may be named in such a way as to entice you into opening them.
Lastly, if you think you have received a file that may be potentially malicious, make sure that you do not open the file. Contact your IT support department or the organisation you believe the file to be from, so they can investigate the file and take further action if required.
Keep your personal information private
Identity theft remains one of the most common cyber-attacks affecting us personally as individuals. A recent report from the Identity Theft Resource Center (ITRC) found that in 2017 alone, 1579 data breaches were identified, with a staggering total of nearly 179 million records exposed.
Requesting sensitive information, either through an email or a spoofed website, is a common method attackers use to obtain data that they can either sell on the black market or use to further their attack against you personally or against the organisation you belong to. Phishing attacks often ask the victim to log into a website which is owned by the attacker, or to provide a wealth of sensitive information through an online form.
It is highly unlikely that your bank, employer or other trusted organisation would ever request that you enter sensitive information into an online web form. Any requests to submit sensitive information through a website that is referred to in an email should be treated as highly suspicious. If you have any suspicions surrounding the request, contact the sender of the email using a publicly available telephone number (not one contained in the email) and validate that the request is genuine.
Use an Anti-Virus product
A large percentage of phishing emails will attempt to install malware either through embedded URL links or through malicious file attachments.
Ensuring that you have an up-to-date anti-virus application that carries out regular scans on your computer increases your protection against malicious file attachments and web-based viruses & malware.
Keep your operating system and applications updated
From time to time, security weaknesses are discovered in operating systems and applications that could allow them to be compromised by a malicious user. Ensuring that you automatically install security updates for your operating system and install the latest updates for applications, such as Microsoft Office, Adobe Reader, Java and your web browser, helps ensure that your software is not vulnerable to the latest security threats.
Does the email look suspicious? Report it!
Reporting that a phishing attack has taken place can significantly help in containing the attack and preventing other individuals from being targeted.
If you have received a malicious email to your company email account, it should be reported immediately to your IT support staff – either in person or through a helpdesk call. Your organisation’s IT staff will be able to take steps to prevent other users from receiving the malicious email or from responding to it.
If you receive phishing emails that claim to originate from an organisation, the organisation should be contacted and informed that they are being impersonated online. While the organisation may not be able to prevent the attack from taking place, they will be able to take steps to advise their customers or users to be cautious of emails that claim to originate from them.
Knowledge is power
Email phishing attacks are becoming more and more sophisticated as time goes on. Educating yourself on the methods that an attacker may try to use in a phishing attack is vital in improving your own security awareness and reducing the likelihood of you becoming a phishing victim.
In addition to this article, there are some great resources out there that can help you find out more about how to avoid becoming a victim of a phishing attack. These include the following websites:
National Cyber Security Centre – Phishing attacks: defending your organisation