MSnet - Gone Phishing?

Gone Phishing

Phishing is the most common cybercrime and the most dangerous for your business. Some of today’s most devastating cyberattacks, including incidents like the Colonial Pipeline ransomware disaster in May 2021, started with a phishing email.

Employees may encounter phishing attempts daily if action isn’t taken to keep phishing messages out of your business.

An estimated 6 billion phishing emails were sent to businesses daily in 2020!

What is a Phishing Attack?

Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information or to deploy malicious software.

Phishing is the type of cyberattack employees see most often. Cybercriminals favour it because it has a low barrier to entry: it is cheap and it is effective. Phishing is an easy way for cybercriminals to obtain passwords, user data and other credentials, enabling them to undertake other cybercrime operations such as business email compromise or ransomware deployment.

An estimated 75% of organizations in the United States were hit by a phishing attack that resulted in a data breach in 2020.


How to spot a phishing attack?

Phishing can be tricky to spot, but the following red flags should always give you pause, as they are common indicators that an e-mail is actually a phishing attempt.

Subject Line

Is the subject line accurate? Subject lines that feature oddities like “Warning”, “Your funds have” or “Message is for a trusted” should set off alarm bells. If the subject or pre-header of the email contains spelling mistakes, usage errors, unexpected elements like emojis or other things that make it stand out from emails you regularly receive from the sender, it’s probably phishing. 

Greeting

If the greeting seems strange, be suspicious. Are the grammar, punctuation and spelling correct? Is the greeting in a different style than you usually see from this sender? Is it generic when it is usually personalised, or vice versa? Anomalies in the greeting are red flags that a message may not be legitimate.

Domain

Check the sender's domain by looking at the sender's full email address, not just the display name. A message from a major corporation will come from that company's usual, official domain.

For example, if the message says it is from Sender@microsoftsecurity.com instead of Sender@microsoft.com, you should be wary.

Word Choices, Spelling & Grammar

This is a hallmark test for a phishing message and the easiest way to uncover an attack. If the message contains a bunch of spelling and usage errors, it’s definitely suspicious. Check for grammatical errors, data that doesn’t make sense, strange word choices and problems with capitalisation or punctuation. We all make the occasional spelling error, but a message riddled with them is probably phishing. 

Style

Does this look like other messages you’ve received from this sender? Fraudulent messages may have small variations in style from the purported sender’s usual email style. Beware of unusual fonts, colors that are just a little off, logos that are odd or formats that aren’t quite right. 

Links

Using malicious links to capture credentials, or to send victims to a web page that steals their personally identifiable information (PII) or financial information, is a classic phishing scam. Hovering your mouse over a link (or long-pressing it on a touchscreen) will usually reveal the real destination address, which may differ from the text shown. If the link doesn't look like it is going to a legitimate page, don't click on it. If you have already clicked it, definitely don't provide any information on the page you are directed to, because it is almost certainly phishing.

Attachments

Never open or download an unexpected attachment, even if it looks like a normal Microsoft 365 (formerly Office) file. Almost 50% of malicious email attachments sent out in 2020 were Microsoft Office files. The most popular formats, the ones employees exchange every day (Word, PowerPoint and Excel), accounted for 38% of phishing attacks. Archived files, such as .zip and .jar, accounted for about 37% of malicious transmissions.

Origin

Is this a person or company you have dealt with before? Does the message claim to be from an important executive, politician or celebrity, or from a bank manager or tax agent you have never heard of? Be cautious about interacting with messages that seem too good to be true. Messages claiming to come from government agencies should also be handled with care, because phishing practitioners love using fake government messages.
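The red flags above (a suspicious subject line, a sender domain that merely resembles a trusted one, a link whose visible text disagrees with its real destination, and risky attachment types) can be turned into a simple automated triage check. The following is an added example written for this page, not MSnet's own tooling; the trusted-domain list, the two sample messages and the keyword list are constructed for the example, and the lookalike test is a deliberately simple prefix comparison rather than a full typosquatting detector.

```python
"""Heuristic phishing red-flag scorer (added example, not MSnet's tooling).

Checks a message against the indicators described in the article and
returns the list of red flags it finds.  All sample data is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Constructed list of domains this hypothetical business exchanges mail with.
TRUSTED_DOMAINS = {"microsoft.com", "example-bank.co.uk", "msnet.example"}

# Subject-line phrases the article calls out, plus common urgency bait.
SUSPICIOUS_SUBJECT = re.compile(
    r"\b(warning|your funds have|message is for a trusted|urgent|verify your account)\b",
    re.IGNORECASE,
)

# Attachment types the article flags: Office documents and archives.
RISKY_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".xlsm",
                    ".ppt", ".pptx", ".zip", ".jar"}

# Visible link text that looks like a URL or hostname (a claim about the target).
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.IGNORECASE)


@dataclass
class Message:
    sender: str                          # e.g. "Sender@microsoftsecurity.com"
    subject: str
    body_links: list                     # list of (visible text, real href) pairs
    attachments: list = field(default_factory=list)


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def lookalike_of(domain: str, trusted: set) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None.

    The domain itself, or a subdomain of it, is genuine.  Anything else that
    starts with a trusted domain's first label (microsoftsecurity.com vs
    microsoft.com) is treated as a lookalike.
    """
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return None
    for good in trusted:
        label = good.split(".")[0]
        if domain.startswith(label):
            return good
    return None


def link_mismatch(text: str, href: str) -> bool:
    """True when the visible link text names a host other than the real target."""
    match = HOSTLIKE.match(text.strip())
    if not match:
        return False        # text like "Click here" makes no claim about the host
    real_host = urlparse(href).hostname or ""
    return match.group(1).lower() != real_host.lower()


def red_flags(msg: Message) -> list:
    """Collect human-readable red flags for one message."""
    flags = []
    if SUSPICIOUS_SUBJECT.search(msg.subject):
        flags.append("subject: suspicious wording")
    domain = sender_domain(msg.sender)
    imitated = lookalike_of(domain, TRUSTED_DOMAINS)
    if imitated:
        flags.append(f"domain: {domain} resembles trusted {imitated}")
    for text, href in msg.body_links:
        if link_mismatch(text, href):
            flags.append(f"link: shows '{text}' but goes to {urlparse(href).hostname}")
    for name in msg.attachments:
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            flags.append(f"attachment: {name} is a risky type ({ext})")
    return flags


# Constructed sample messages: one phishing attempt, one legitimate notice.
PHISH = Message(
    sender="Sender@microsoftsecurity.com",
    subject="Warning: Your funds have been suspended",
    body_links=[("https://www.microsoft.com/account", "http://microsoft-login.example/verify")],
    attachments=["Invoice_2020.docx", "statement.zip"],
)
LEGIT = Message(
    sender="billing@microsoft.com",
    subject="Your March invoice is available",
    body_links=[("Click here", "https://www.microsoft.com/billing")],
    attachments=["invoice.pdf"],
)

if __name__ == "__main__":
    for m in (PHISH, LEGIT):
        print(m.sender, "->", red_flags(m) or ["no red flags"])
```

Running the script lists five red flags for the constructed phishing message (subject wording, lookalike domain, mismatched link, and two risky attachments) and none for the legitimate one. The checks are deliberately conservative: a subdomain of a trusted domain is accepted, and link text such as "Click here" is not treated as a claim about the destination, so only a visible URL that disagrees with the real target is flagged.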

How Can I Protect My Business from Phishing Attacks?

Cybersecurity requires a multi-layered approach to fully protect your business.

Protecting your employees from phishing likewise requires several layers of protection.

  1. The first should be training! Security awareness training prepares employees to recognise the threat of cybercrime and to avoid its dangers.
  2. The second is simulated phishing e-mails. Test phishing e-mails are sent to employees so they can review and fine-tune their new knowledge.
  3. Lastly, an integrated threat protection service filters out dangerous e-mails and files before they reach employees in the first place.


MSnet was founded with a passion to protect businesses from the threat of cybercrime.

Our mission is to empower businesses with the knowledge, training and services required to safeguard them from cybercriminal activity.

If you would like more information, please reach out to our team on 01489 539700 or use the Contact Us button below.