Email is the lifeblood of many businesses — and its biggest security risk. That’s because scammers have become experts at gaining access to your business data with emails that trick people into taking actions that open the door. Your best defense? Educating your team on how to spot their tactics and not fall into the trap. This guide can help you do just that and improve your company’s email security.
Social Engineering
Remember the Trojan Horse? Not the virus, the wooden horse the Greeks used to enter the gates of Troy and win the Trojan War. That was social engineering.
Social engineering uses human psychology to exploit the weakest link in any security system — people. Scammers use deception to manipulate people into a variety of actions that provide them with confidential or personal information. They then use that information to gain access to more data and systems.
SIM swapping is a type of social engineering — where the scammer tricks a person at a mobile carrier that they are you and transfers your SIM card to another device. But, by far the most common and most successful (for the scammers) social engineering attack is phishing.
Phishing
Phishing got its name from the lure and hook approach of these social engineering emails. There are many different forms of phishing, but they all appear to be emails for reputable organizations. It’s common for scammers to piggyback on national events or news, such as:
-
- Health concerns (COVID-19 has been a boon for scammers)
- Weather alerts and or natural disasters
- Elections and other political events
- Holidays
- Charities or fundraising
- Security alerts or financial news
Phishing emails are designed to create a sense of urgency so users click before thinking or reading the email carefully. Common calls-to-action include:
- Update your account
- Your account has been suspended, login now
- Fraud has been detected, review your account
- You’ve received a message. Click here to read
- Donate now to save lives
- Confirm your $20 reward
- Update your payment details
- Download a file from {a familiar email address}
- And many, many more
Social engineering scammers are continually adapting their messages to catch people off guard and get the desired reaction. Emails sometimes have strange word phrasing, poor punctuation and misspellings — but scammers are getting more sophisticated all the time.
Scammers also make phishing emails believable by using your data they’ve already stolen. This is often called spear phishing. Emails may mention you by name, reference your company or phone number, or include other details that trick you into believing the email is from a real contact or organization with which you have a connection or account.
When spear phishing targets company executives it is called CEO fraud. Since CEOs often have complete access to company systems and accounts, CEO fraud is especially devastating for a company.
CEO accounts can also be spoofed to get reactions out of employees, a practice called whaling. After all, if you get an email that appears to be from your CEO telling you to pay a bill immediately, send a document to take some other actions, chances are you do it — fast.
Examples Of Phishing Emails
Here are actual phishing messages captured recently. Click on any image to see it larger.
Spotting A Phishing Email
Scammers are making it harder and harder to spot a phishing email. They use graphic design to mimic a trusted company both for the email and the landing pages that links are driven to. One of the easiest ways to spot a scam is to look at the URL.
In your email inbox, you can see where the links of emails are going without ever clicking on them. Simply put your mouse over the button or link and the destination url will appear at the bottom left of your screen. This image shows an example of an email signature. You can see that the link text (convergencenetworks.com) is in fact going to our url (https://convergencenetworks.com).
With phishing emails, the url doesn’t match the link text. Sometimes these urls are way off (e.g., futball.insystemcom.com). Other times they try to look close in some way but are not the same as if you went directly to the company’s website.
The from area of your email can also be spoofed. Not the from email itself, but the from name that is associated with it. Like with the URL, rolling over the from name can show you the actual address. Spoofing the from name is a common tactic in whaling — when spammers send out an email that appears to be from a company executive to spur action in other employees.
Spotting A Spoofed Site
Sometimes the URL alone is not enough to spot a spoofed site. Spammers can use tactics like pharming (sometimes called DNS poisoning) to redirect a genuine website url to a malicious website.
A red flag that this is happening is a change in the URL. Also the site is not likely to be secured, meaning the URL will start with http:// instead of https://. In many browsers secure sites have a small lock next to the URL to help users recognize it as secure.
Another way that scammers fool you is by using a cloud service to host their malicious files. Called cloud phishing, this tactic uses emails containing links to forms or documents hosted on cloud services like Dropbox or Google Drive.
The best way to avoid this type of scam is to not click on links in emails for these services. Instead, keep a bookmark to your cloud services and access through there. Anything someone sent to you should appear under Shared in Dropbox or Shared with me in Google Drive. When in doubt, contact the sender to find out if they really sent you a file.
