What are phishing emails and why do they work?
“Phishing”, pronounced the same as “fishing”, is a cyber attack that uses disguised email messages to trick the recipient into believing there is something they want or need. Just like fishing, the attacker throws out the bait (the disguised email) hoping to get a bite.
Attackers are smart: they impersonate a trusted person, group or business, often one the victim knows and frequently does business with, and send a disguised email message. That is why phishing emails work! Sometimes they use bad grammar to lure you in. Other times they use the names of the people and businesses we trust, for instance a bank request or an Apple invoice where you need to click on a link or download an attachment.
According to the 2019 Verizon Data Breach Investigations Report, almost a third of all breaches in the past year were phishing attacks, even though the technology is getting smarter and the anti-phishing tools used for protection are more accurate. Enticed by monetary gain or threatened with financial loss, or even physical danger, people and corporations are being scammed out of tens of thousands, and sometimes tens of millions, of dollars.
These scammers are also getting better at it, says Josh Fruhlinger, “thanks to well-produced, off-the-shelf tools and templates.”
A well-known phishing attack in 2016 was when hackers managed to get Hillary Clinton's campaign chair John Podesta to offer up his Gmail password.
In many cases we can avoid taking the bait by becoming more familiar with the types of phishing emails scammers use. User education training is a great place to start, and if you don't have that training available, read on!
Let's have a closer look at some scam scenarios and then the solutions:
We are probably all very familiar with the lure of a deactivation notice: the claim that unless we take immediate action by clicking the link and entering our login name and password, and maybe updating our credit card details, our account will be deactivated. Once upon a time these were easy to spot, but not nowadays; they look very realistic. Some go so far as to include “beware of scammers” warnings or reassurances such as “scanned and cleaned by AV” notices. They are simple to spot if you haven't got an account with the business being impersonated, but what if you do?
- Check the link before you click: does it match the address you would type in for your account? (Have a close look at the address your browser shows.)
- Get into the habit of closing the email and typing the web address into the browser yourself for anything similar.
Look-alike websites originating from phishing emails
Fake websites are getting harder to tell apart from the real ones. They are good copies and often include the real website's address somewhere in their own URL, so they are hard to spot when they look so much like the real thing.
- With closer inspection you'll see the phish points to another domain. So always check that the link points to the legitimate domain.
- Better still, go directly to the legitimate website without clicking on the email link.
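As an added illustration of the “check it points to the legitimate domain” advice (example code written for this page, not part of the original article), the Python below extracts the host a link really connects to and compares its owner domain with the one you expect, flagging the two common tricks: the trusted name used as a subdomain, or placed before an `@` as fake userinfo. The two-label owner-domain rule and the sample links are assumptions for the example; real tooling uses the Public Suffix List.

```python
from urllib.parse import urlsplit
from typing import Tuple

def hostname_of(url: str) -> str:
    """Return the lowercased host a link really connects to.

    urlsplit() discards userinfo before '@' and any port, so
    'https://www.apple.com@evil.example/' yields 'evil.example'.
    """
    if "://" not in url:  # bare 'example.com/path' style links
        url = "http://" + url
    return urlsplit(url).hostname or ""

def registrable_domain(hostname: str) -> str:
    """Simplified owner domain: the last two labels.

    Assumption for this example only; production code should use the
    Public Suffix List so that names like 'bank.co.uk' are handled.
    """
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_link(href: str, expected_domain: str) -> Tuple[bool, str]:
    """Does the link really land on expected_domain or a subdomain of it?"""
    expected = expected_domain.lower()
    host = hostname_of(href)
    if not host:
        return False, "no hostname found in link"
    owner = registrable_domain(host)
    if owner == expected:
        return True, f"{host} belongs to {owner}"
    if expected in href.lower():
        # Trusted name is present, but only as a subdomain or fake userinfo
        return False, f"look-alike: mentions {expected} but connects to {owner}"
    return False, f"{host} is owned by {owner}, not {expected}"

# Constructed sample links of the kind seen in fake invoice or deactivation emails.
SAMPLE_LINKS = [
    "https://www.apple.com/account",                       # genuine
    "https://www.apple.com.invoice-review.example/login",  # name as subdomain
    "https://www.apple.com@evil.example/login",            # name as fake userinfo
    "http://app1e.com/login",                              # typo-squat
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, why = check_link(link, "apple.com")
        print("OK " if ok else "BAD", link, "->", why)
```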
Nigerian Phishing Email Scams
This phishing lure is officially known as “advance fee fraud” but is commonly called the Nigerian scam because Nigerian scammers attempt it more than those of any other country. This phish is designed to catch the most susceptible victims, using bad grammar and far-fetched scenarios that don't deter the victim. Those who bite are the catch of the day, and the greatest prize for these fraudster phishermen.
Roger Grimes notes that “Nobel prize winners, CFOs, doctors, engineers…have become victims of this scam.”
- Free, unexpected money is too good to be true. It’s fake!
Go directly to jail
Whether we are guilty or not, these phishers know how to play on our conscience. Nothing gets us to act quicker than the threat of jail time. Phishing scams in the United States use fake FBI warnings about illegal music and movie downloads or watching porn. Fake penalty notices by email often come with ransomware, locking your computer until you pay.
In Australia they commonly impersonate the Tax Department, and the lure comes over the phone, insisting you pay immediately to avoid possible jail time. Most people want the problem to go away, even if they haven't done anything wrong.
- Stay calm! Examine the warning: does it have details about the illegal activity? Scams never have the details.
Tech support scams
Tech support scams can come by email, over the phone and over the web. Often claiming to be Microsoft, the emails can look official, complete with a dodgy toll-free 1800 number to call.
If you call the “technician”, they ask you to install remote access software. During the conversation they'll tell you that you have malware and misconfigured settings which they need to clean up. Then they try to sell you the fix, grabbing your credit card details.
- Has a real tech person ever offered you help before you had a problem?
- Call an IT friend,
- or look up the company's details to confirm.
A related trick gets us to install malicious software directly from the web by showing up at the top of our search results. An issue occurs with your computer and you decide to search Google for the error message that appears, to check what's wrong. Good idea, but occasionally an official-looking website offering a quick solution appears first and asks you to install software. The problem is that the software is malicious.
- Always go to the vendor's website for technical support.
Classifieds money scams
Craigslist, used for personal ads and auctions, is a place scammers love to phish because people click links and exchange personal information and money. Commonly, when you go there to sell an item, a buyer appears immediately offering to pay full price plus shipping! Then they offer to overpay if you will use their “trusted intermediary” to handle the payment and shipping costs. A couple of days later the bank returns the check because it's no good, and you're out the money you sent to the intermediary. The bank doesn't verify checks at the time of deposit.
- Follow Craigslist's advice: https://www.craigslist.org/about/scams
Save a friend via wire fraud phishing emails
The fraudsters hijack your Facebook or email account, finding information that helps them sell their story: a plea to save a friend or relative from some horrible situation that money can prevent. These phishing attempts happen a lot in times of crisis.
- Never send money to someone without talking to them first.
In the business version, scammers install software to study a company's typical transactions, then send out an invoice asking for payment. The money is transferred to the fraudster and the business never sees it again.
- Never transfer money to new locations without first verifying the legitimacy of the request.
- Keep the computers involved with transfers isolated.
Work Mule phishing emails
Job hunters beware! These fraudsters offer work on job sites and social media that looks legitimate. The job is real and you get paid, but the work isn't legal: it's part of a money laundering scam. The criminals ask employees to send the money they are paid on to another account while keeping a percentage.
In all cases, the money mules risk their own credit and criminal charges.
- If you are being paid money and asked to send it on again for a small fee, it's probably a scam.
- If you are involved in this type of work, get a lawyer.
Phone forwarding scams
Businesses that deal with customers face-to-face or take credit card payments over the phone are susceptible to this phishing scam. The phone rings and the caller convinces an employee to inadvertently set up call forwarding. Calls are now being forwarded and billed to your line, and by taking the business's calls the scammer can capture the credit card payments customers phone in.
- If someone calls the business asking you to push buttons on your phone, don't do it.
We're now getting phishing on our mobile phones too. If you respond to the link you are prompted to install trojan software or to call a number that starts the social engineering. A text says your credit card has been compromised; when you call, you have to put in your credit card details, and oh no! You've been scammed!
- Ignore it or delete it if you weren't expecting it.
Fake Crisis phishing emails
Crises such as the Coronavirus pandemic increase the sense of urgency and provide new opportunities for deception through fake crisis notices.
- Take time to check the domain name of the website or email address.
Unfortunately scammers will take any opportunity they can to steal money. They are criminals and nothing more.
The best thing you can do is remain vigilant when using the internet, in particular email, to ensure you don't click on something that gives the bad guys an edge.
There are solutions available to combat phishing emails, and they're really straightforward.