+1 717.312.5890
sales@everound.com
Careers
Blog
Everound - A Cutting-edge IT Business Solution and Cybersecurity Company
Everound - A Cutting-edge IT Business Solution and Cybersecurity Company
phishing Tag

Phishing scams are nothing new and are one of the biggest cyber threats to a business. According to Proofpoint, more than 80% of companies were targeted by phishing cybercriminals in 2021. Do you know how to spot phishing attempts at your organization?

Understanding the different types of phishing strategies is the first step to stopping them from infiltrating your organization. Let’s examine the different types of phishing attacks, ways to spot them, and how to block phishing emails.

Types of Phishing Attacks

What is phishing? Phishing is an email or text message scam that tricks users into providing personal information either by clicking on a link or opening an attachment. The emails or text messages appear to come from someone the recipient trusts, either a supervisor, colleague, or in some cases, a family member.

Not all phishing attempts are the same, and there are several different ways a cyber thief can deploy a phishing attack. The most common types include:

  • Deceptive: Deceptive phishing is the most common type of scam. In this method, attackers impersonate a company the user is familiar with to steal personal information or data. The emails may look real and even include legitimate links to trick the user into falling for the scam.
  • Spear: Spear phishing is a more targeted type of a deceptive phishing attempt. With spear phishing, the criminal will specifically target an individual with personal information they can find on the Internet. A spear phishing email may contain the user’s full name, place of employment, job title, email address, and even specific information about their role at their company.
  • Whaling: Whaling is similar to spear phishing, however, targets senior leadership such as the C-suite. With whaling, scammers impersonate the CEO, CFO, or another high-level team member with the hope the recipient will “follow orders” from a superior. The requests are typically to complete a financial transaction or respond to the email with personal information.
  • Smishing: Smishing is a type of phishing attack that uses text messaging rather than emails, but the goal is still the same – to get a user to click on a malicious link or provide personal information. Many phishing criminals will send text messages disguised as a bank and claiming there was suspicious activity with the user’s bank account or credit card.
  • Vishing: Vishing is much the same as smishing, however, the platform switches to a phone call rather than a text message. Senior citizens are particularly at risk for vishing attacks. The caller will pose as someone in an authoritative position to be able to obtain bank account numbers, credit card information, and more.
  • Pharming: As users have become more aware of email phishing, fraudsters have changed their strategy to include pharming. With pharming, users are redirected to a fake or “spoof” website that essentially appears to be a real website. The fake sites are designed to capture a user’s personal information such as their social security number, website credentials, account numbers, and more. Pharming is implemented when the hacker sends malicious code in an email that redirects traffic to the fake website.
  • Angler: Angler phishing is a fairly new type of phishing attempt that targets social media users, particularly ones who are frustrated with customer service at a financial institution. The cybercriminal will pose as a customer service rep for the company and respond to a complaint using a handle that includes the name of the institution. The fake account will attempt to “resolve” the complaint and ask the user to click on a link to talk to an agent. Once the link is clicked, the fraudster can install malware on the user’s computer or steal business data.

While there are different methods of phishing, they all share the same goal. The email (or text message or phone call) may ask for a password, billing information, credit card numbers, or other sensitive data. Once the information is shared, hackers can infiltrate a company’s network and steal information or deploy malware. Phishing is a real risk for all sizes of organizations, from small businesses to large enterprises. If you are concerned about phishing attempts at your business, a cybersecurity team like Everound can help.

How to Spot Phishing Attempts

how to spot phishing attemptsIt’s more than likely that you have been the target of a phishing attempt either at work or at home. Were you able to spot it as suspicious? There are “red flags” to watch out for when determining if an email is real or a phishing attempt.
Here are ways to spot a phishing attempt:

  • Unfamiliar tone: Does the email from your friendly coworker down the hall come off as cold and monotone? Chances are, the email is a phishing attempt. Hackers don’t understand tone very well and some phishing emails are even written by bots. If the content in an email feels a little “off,” make sure you verify the sender actually sent you an email.
  • Spelling and grammatical errors: Most email platforms have a built-in spell check feature for outbound emails. If an email contains several spelling and grammatical errors, it may be a phishing attempt.
  • Inconsistencies with an email address, links, or domain: Another easy way to spot a phishing attempt is to look for inconsistencies with the domains in email addresses or links. For example, if you hover over a link in an email from your “bank” and the URL doesn’t contain the bank name or trusted domain, that’s a huge red flag.
  • Threats or a sense of urgency: Threats or a sense of urgency are often used in whaling. Your “CEO” may be busy in a meeting and ask you to quickly take care of sending a payment to a vendor. If you receive an email that feels out of character, is threatening, or creates a sense of urgency that is uncommon at your business, this is likely a phishing attempt.
  • Suspicious attachments: Attachments sent via email should always be opened with caution. Attachments can contain harmful viruses and malware that can infiltrate an entire organization quickly causing financial damages. If you receive an email with an extension such as .zip, .exe, .scr, etc., or another unfamiliar extension, be very cautious about opening it. Check with the sender by phone to see if they sent you a safe attachment.
  • Odd request: Did you get an email with a request to do something that is not within the normal scope of your job at work? Or perhaps an off-hours text message from your “boss”? Did your IT team send an email with an attachment and you weren’t expecting it? Odd requests are a sign of a phishing attempt.
  • Short and sweet: Some phishing emails are full of content and detail, and others are short and sweet. If you receive a message with a short note like “Per your request” or “As a follow up…” however didn’t request or need anything from the user, do not click on any links or open the attachment.
  • Request for a password or other sensitive information: This is by far the easiest way to spot a phishing email – when the requestor asks for a password or other sensitive information in an email. Passwords, bank account information, and personal data should never be shared via email. A savvier attempt is to send the user to a fake landing page and ask the user to enter their credentials. Remember – banks, financial institutions, and other reputable companies you do business with will not request your credentials via email or their website.

Learning how to spot phishing emails can reduce your risk of a data breach or other cyber threat. Phishing emails are always a little bit “off” and are suspicious. If you are unsure if you can tell the difference between a real email and a phishing scam, working with a cybersecurity team can help.

How to Block Phishing Emails

The first line of defense against phishing emails is learning how to spot them. Your information technology team is likely also implementing several strategies to block phishing emails all together.

How can you block phishing emails?

  • Security awareness training: Phishing attempts all rely on one thing – human interaction. You can reduce your threat and risk of being a target of phishing emails by implementing regular security awareness training at your organization. There are also phishing simulators that can send suspicious emails that are actually harmless to see if employees would fall for a phishing scam.
  • Anti-spam, anti-malware, and anti-phishing software: There are several cloud service software packages that include anti-spam, anti-malware, and anti-phishing support. This technology can identify and stop phishing emails before they even get to a user’s inbox.
  • DNS authentication services: DNS authentication services that include SPF, DKIM, and DMARC protocols help prevent fake websites (spoofing) and impersonation. With DNS authentication, users are blocked from visiting sites that are flagged malicious by the software.
  • Anti-impersonation technology: One of the cornerstones of phishing attacks is the criminal’s use of impersonation. Anti-impersonation technology scans inbound emails and detects abnormalities in headers, domains, and suspect body content.

Cybersecurity Services from Everound

At Everound, we make it our business to protect our clients from phishing and cyberattacks. As a managed IT services provider, we offer comprehensive cybersecurity solutions to protect organizations from phishing, data breaches, dark web threats, malware, viruses, and more.

Unsure if your business is protected and able to sustain a cyber threat? Reach out today for a free cybersecurity audit. We will take a look at your current IT infrastructure, assess vulnerabilities, and work with you to come up with a robust cybersecurity plan. Let us focus on your IT, so you can focus on your business.

Read More

In a world where no one seems to agree on anything, we can all agree that we hate spam.

For some reason, the people who send spam think it’s going to get us to buy something or switch insurance companies.

The problem is that not all spam is harmless; some spam is very malicious.

How Email Scams Work

Email that just arrives in your inbox is not harmful. In order to infect your computer or your network, you need to click something.

Because your spam program can pick up on many of these emails, it can keep you from seeing them in the first place.

There are a number of different scams. While this isn’t all of them, it’s a pretty good list of the most common types:

  • Survey – By definition, a survey online would require that you click something. The moment you do, you will either be sent to a site that has malware or will have prompted your computer to download it. Just don’t take any unsolicited surveys.
  • Imitation – This is an email from a company or a person that you know. Often, it’s an email that looks like it came from a common company, like PayPal or Microsoft. The way to know if it’s real is to look at the actual email address. The best policy is to go to their site yourself and look at your account. Don’t click anything in one of these emails.
  • Official – Scammers love to use official agencies, like the IRS or state government, to run scams. They’re hoping to panic you into clicking a button. Don’t. Again, open a tab and go to their website or look up the number and call them. The IRS doesn’t use email for official notices, ever.
  • Lottery – The lottery scam is a golden oldie. “You’ve won’t $1 million. Just click here.” No one wins a lottery they didn’t enter and no lottery will announce that you won $1 million via email.
  • Phishing – Phishing is when the scammers are looking for information. For example, they might email you posing as your email provider. It will ask you to change your password. They’ll use that to get into your account and give them access to a lot more.
  • Whaling – This is phishing designed to get to the CEO. They’re looking to hook the big fish, knowing that he or she has access to everything in the company.
  • Replacement – One common scam is to step into the middle of a transaction and reroute funds. For example, they hack a business associate to whom you’re going to send money. They send you an email saying the routing and account number have changed. Call that person. Don’t believe the email. Verify it personally with that person before you send money.
How Spam Filtering Software Works

The standard spam filter uses a combination of AI and community information to figure out what’s spam.

The artificial intelligence portion looks at how the email is written, the address it’s coming from, and the topic. It will throw that into the quarantine.

In modern solutions, the artificial intelligence will run a scan and monitor how you the user write your emails.  If it recognizes you requesting something odd, such as a change to your direct deposit, or spelling things in ways you typically wouldn’t, it will quarantine the email.

The community information is when the email or email security provider, like Google, Microsoft, or Barracuda, gets enough spam complaints from a single address. The system then sees those emails as spam.

The Next Level

There is a higher level of spam filtering that every company should have. It actively scans every email.

This software will hold all of the emails in the cloud while it not only scans everything that’s mentioned above, but it actively scans any links in the emails. The system is looking for redirects, unknown email addresses or web addresses, and other indications of fraud.

It also looks for viruses and malware embedded in the email or at any of the links. Active scanning can keep bad emails from ever showing up in your inbox.

This adds another layer of protection on your email inbox and helps you keep control of what you’re seeing, let alone clicking.

Some people complain that this can slow down emails that they’re waiting for, but in most cases, unless there’s an actual problem, it’s microseconds for the system to analyze an email.

Putting Email Protection in Place

Putting email protection systems in place will require understanding the level of information being exchanged and how the company’s email system is configured.

It’s equal parts software and human behavior.

Here are a couple the levels of protection that can be installed:

  1. Antivirus with automatic email scanning – This is the first step. Not only will the antivirus work to protect your computer or servers, but it actively scans emails as discussed above.
  2. Phishing and Internet Security – These programs protect the company from scams that are found on websites. This can include keyloggers that track every keystroke on a computer. This captures our login information everywhere you go and will go in to pretend it’s you.

In many cases, all of these functions can be found in a single piece of software.

If you have a managed IT service for your servers and workstations, your provider should have already implemented this type of software. It’s worth asking to know that your assets are actually protected.

The most important protection you can put in place is education. Whether it’s sending information, clicking a link, or downloading a bad file, almost every email hack requires that a person does something.

Interested in Email Security?

Read More