Phishing emails are one of the most common types of cybercrime, and they need no sophisticated tools or techniques to succeed. In fact, the attack is so simple that the scammer only needs to send an email to perpetrate the fraud.
We understand that this subject is not entirely new, but the magnitude of the threat is alarming and costs organizations billions of dollars. This is why we wrote this comprehensive article: to educate readers on how to spot phishing scams and protect themselves before it’s too late.
- What are Phishing Emails?
- How John Podesta’s Email Account Got Hacked
- What is Spear-Phishing Email and Why Should You be Alarmed?
- How to Avoid Phishing Emails?
- If You Were Already Scammed
What are Phishing Emails?
Phishing emails are deceptive email messages that trick people into giving out personal information such as passwords, credit card numbers and bank account numbers. They are designed to appear genuine by copying the branding and logo of legitimate organizations like your bank, school, online merchant, or Internet service provider.
These phishing scams try to scare readers by claiming that their accounts will be compromised if they don’t respond or click something in the email. This threat is empty and obviously a scam, as legitimate organisations will never ask people to take these actions through email.
Once these scammers have your personal details, they will use them to steal your money or leak your computer files. Despite all the security controls and filters employed by companies, some phishing emails bypass email filters and still reach the inbox.
These scams are so effective that 97% of people could not identify a phishing email on the spot. This is where education plays an important role in keeping employees and customers from falling victim to these scams.
How John Podesta’s Email Account Got Hacked
All it took was one simple phishing email to hack the Gmail account of Hillary Clinton’s campaign manager, John Podesta. Thousands of Podesta’s emails were released by Wikileaks prior to the November US Presidential election.
His IT team thought the email was legitimate and even convinced his chief of staff to change his password and turn on two-factor authentication as the email instructed. But for some reason, the person in charge of changing the password did so through a suspicious shortened Bitly URL in the original phishing email.
This shortened URL led to a fake domain controlled by Fancy Bear, a group of Russian cybercriminals. Their targets are mostly influential people such as journalists and those working in the military and government agencies. Fancy Bear is notorious for using spear-phishing emails against its victims.
What is Spear-Phishing Email and Why Should You be Alarmed?
Spear-phishing is an advanced type of phishing scam that targets specific users by making use of their personal information. Unlike ordinary phishing emails, these are not sent out as mass emails.
Spear-phishing scammers take time to monitor the activities of, and the people involved in, the organisation. They harvest employees’ email addresses to make their fraudulent messages more persuasive.
A spear-phishing email pretends to come from a trusted employee or an organization you do business with. It usually warns you that your account has security issues that you need to fix immediately.
A spear-phishing email contains links or attachments that hackers use to access their victim’s accounts. When you click the link, it directs you to a website that imitates the genuine website you frequently deal with, which then asks for the information needed to gain entry to your account. Likewise, when you download the attachment, it installs an exploit kit on your computer.
While most people ignore a simple phishing email, spear-phishing is trickier to spot. This is why high-profile individuals like Podesta were not spared.
So how do you avoid falling victim to spear-phishing emails? Here are some tips on how to spot a phishing email before your account gets compromised. Make sure to discuss them with employees and customers.
How to Avoid Phishing Emails?
- Provide employees with in-depth training on information security.
Employees must be educated on their role in maintaining strong information security within the company. You can follow these tips:
- Conduct training sessions and seminars to familiarise them with different security risk scenarios.
- Ensure that a strict security policy is enforced, covering areas such as password management and blocking access to certain websites, to lessen the risk of compromising your company’s security.
- Check for red flags.
When you receive an email, a text message or a phone call from someone claiming to represent a bank, school or other company, don’t believe them right away. If anything looks suspicious, it’s best not to open the email.
Keep in mind that scammers are very effective at what they do, so you have to stay one step ahead of them. Here are some warning signs to watch out for.
- The email or text message does not address you by your proper name.
- In the ‘from’ and ‘mailed-by’ drop-down details, the address does not look like it comes from the legitimate company or person you frequently deal with.
- The email message is littered with obvious grammatical errors.
- You may notice new apps on your computer screen, or your computer is slower than usual.
- Scan the email, but don’t click on any links.
First, hover your mouse pointer over the links in the email; this reveals the web address each link points to. If it looks even remotely suspicious, don’t click it. If you still want to test it, open a new browser tab and copy and paste the link there rather than clicking the link directly.
If you’re not expecting any documents, it’s wise not to open attachments from unsolicited emails. Malicious attachments may contain malware or viruses deployed as a phishing method. Malware can corrupt your computer files, steal your login details and snoop on your computer activity.
- Use plain text to read emails.
Nowadays, most emails are read as HTML, and scammers exploit this by embedding clickable images that mask their spoofed address. When you read in plain text, you see the URLs as text and can tell where they direct you. If you still prefer to read in HTML, these are the steps you can take:
- Again, hover your mouse over the link to display the real URL. Check whether the link text matches the URL shown on hover, and whether it is the web address where you usually do business.
- On an Android device, long-press on links or buttons; a small window will display the real URL. On an iOS device, tap and hold over the link to show the URL.
- Before clicking any links, see whether the sender uses a digital email signature. A digital signature gives you an indication of whether the message was actually sent by the claimed sender.
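The ‘from’ versus ‘mailed-by’ check and the hover-text versus real-URL check above can be automated for a saved message. The following is an added example (not code from the original article); it uses only the Python standard library and runs on a constructed sample email, treating the Return-Path header as the ‘mailed-by’ sender and a small assumed list of URL shorteners as addresses whose real destination is hidden.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing email): link text shows the bank's site while
# the href points elsewhere, Return-Path differs from From, and one link is shortened.
SAMPLE_EML = """\
From: "Example Bank Security" <alerts@example-bank-support.net>
Return-Path: <bounce@mail-relay.example.org>
Content-Type: text/html; charset=utf-8

<p>Dear Customer, verify now:
<a href="http://login.example-bank-support.net/verify">https://www.example-bank.com/secure</a>
or <a href="https://bit.ly/abc123">reset your password</a>.</p>
"""
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # assumed list; destination is hidden

class LinkCollector(HTMLParser):  # collects (visible text, href) pairs: what hovering reveals
    def __init__(self):
        super().__init__()
        self.links, self._href, self._buf = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._buf).strip(), self._href))
            self._href = None

def host(url): return (urlparse(url).hostname or "").lower()

def domain_of(header_value):  # '"Name" <user@dom>' -> 'dom'
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def phishing_red_flags(raw_eml):
    """Return the article's red flags that this message trips (empty list if none)."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    from_dom, path_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    flags = []
    if path_dom and path_dom != from_dom:  # Gmail shows the envelope sender as 'mailed-by'
        flags.append(f"'from' domain {from_dom} differs from 'mailed-by' domain {path_dom}")
    parser = LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    for text, href in parser.links:
        if text.startswith("http") and host(text) != host(href):  # hover text vs. real URL
            flags.append(f"link text shows {host(text)} but points to {host(href)}")
        if host(href) in SHORTENERS:
            flags.append(f"shortened URL hides the real destination: {href}")
    return flags
```

Running `phishing_red_flags(SAMPLE_EML)` reports all three warning signs for the sample, and an empty list for a message whose sender domains agree and whose link text matches its real destination.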
- Look for the HTTPS symbol on the web address.
A secure website has ‘https’ right before the web address. It’s easy to spot because it is shown with a green padlock in the address bar. Secure websites that require you to type in private information encrypt your connection to protect your privacy.
- Use 2-Factor Authentication.
2-Factor authentication, or 2FA, adds an extra layer of security to your account when something has been changed or someone tries to access your account from a different device or location.
After entering the username and password, the user needs to enter a special token (usually a series of random numbers) sent through SMS. Since these are random and sent directly to the user’s phone, it is difficult for intruders to access or steal your data without that 2FA token.
- Add browser extensions.
Make sure to enable a browser extension that can alert you to, and report, phishing websites. The Netcraft Extension is one example of a browser extension with features optimised to identify and filter out possible fraudulent sites.
If You Were Already Scammed
Accidents happen. If you believe you have given your account information to phishing scammers, you must contact your bank or the company where your account was compromised.
Include information that might help resolve the issue, such as screenshots or the email message. Depending on where you’re from, your local government authorities might also assist with phishing scam reports. You can also report the issue to Google here: Report a Phishing Page.