As technology continues to evolve, so do the tactics that cyber criminals use to gain access. Email phishing scams have always been a significant challenge in IT security, and the threats are only growing more sophisticated. Getting an email with a malicious link is not new, and these attacks continue to evolve because they remain one of the most profitable tools in the cyber criminal's toolkit. Even though email may seem like a dated technology, the question of how to safeguard against phishing attacks is still relevant in 2023. To safeguard against these online scams and phishing attacks, organizations need to understand what they are, how they work, and what their ultimate goal is.
In today's interconnected world, email has become a cornerstone of both personal and professional communication. Its convenience and speed are unparalleled, but this widespread use also brings significant risks. In Montreal, where businesses and individuals increasingly rely on digital communication, understanding these dangers is crucial for safeguarding against potential threats.
• Vigilance is Key: Always be cautious with email communication. Be wary of unsolicited emails, especially those requesting sensitive information or urging you to click on links or download attachments.
• Education and Training are Essential: Regularly educate yourself and your team about the latest email threats. Understanding the common tactics used by cybercriminals, such as phishing and social engineering, is crucial for prevention.
• Implement Robust Security Measures: Utilize advanced security solutions for email protection, including spam filters, anti-malware software, and phishing detection tools. Regular updates and adherence to best practices in email security can significantly mitigate risks.
Phishing is a nefarious act committed by cyber criminals who disguise themselves as trustworthy entities. The attacks take the form of phishing emails (email with a malicious link), social media phishing attacks (attacks on social media accounts and content), and even text messages with links meant to compromise smartphones and accounts. To prevent phishing attacks, a user must be able to recognize the threat and respond appropriately in a short amount of time. Falling victim to a phishing email can rapidly lead to ransomware deployment and email account compromise.
Their ultimate aim? To trick individuals into revealing valuable information such as usernames, passwords, credit card details, and so on. These attacks can wreak havoc, leading to substantial financial loss and reputational damage. As such, it is critical for both individuals and businesses to understand the importance of combating phishing. Their clear goal in most cases is to get access to your sensitive accounts. In most cases cyber criminals launch phishing attacks aimed at getting you to phishing sites that look identical to legitimate website services. They create a sense of urgency with an urgent request that you reenter your password or your payment information lest your account be closed. Login credentials can be sold by IABs (Initial Access Brokers) and can lead to larger infiltration and data theft. You can read more about what an IAB is here.
The landscape of phishing has undergone a dramatic transformation since its inception. The tactics employed by cyber criminals have evolved significantly, increasing in sophistication and effectiveness. It's no longer a simple email or a social engineering attack. Modern phishing attacks come in a myriad of forms, from conventional email phishing to spear phishing, smishing, vishing, and even the ominous-sounding deepfake phishing. Sometimes the emails contain malicious links and sometimes they contain malicious files.
Email phishing scams have always been a significant challenge in IT security, and the threats are only growing more sophisticated. With the advent of WormGPT, an AI model designed to craft phishing emails so convincingly genuine that they are both psychologically persuasive and grammatically impeccable, the everyday worker is facing an increasingly complex task. Some of the signs used to identify phishing attacks in the past, like poor grammar or misspelled words, are no longer present in these polished email messages, making it harder to detect and prevent phishing attacks.
An integral part of any phishing prevention strategy is recognizing which brands are commonly spoofed. A quick glance at the Q1 2023 data reveals some unexpected contenders. Walmart leads the charge, accounting for a whopping 16% of all global phishing attacks, with DHL, Microsoft, LinkedIn, FedEx, Google, Netflix, Raiffeisen, and PayPal not far behind. This article documenting the domains most likely to be used in phishing attacks gives some specific numbers for 2023.
Below are the top brands ranked by their overall appearance in brand phishing attempts:
Walmart (relating to 16% of all phishing attacks globally)
DHL (13%)
Microsoft (12%)
LinkedIn (6%)
FedEx (4.9%)
Google (4.8%)
Netflix (4%)
Raiffeisen (3.6%)
PayPal (3.5%)
Why these brands, you might ask? The answer lies in their ubiquity. Their omnipresence in our daily lives can make a spoofed email from these brands appear legitimate, increasing the likelihood of the recipient falling into the phishing trap and allowing the attacker to gain access. For instance, consider receiving an email seemingly from Walmart, promising an attractive discount on your next purchase. If you're a regular shopper, you may click the embedded link without a second thought, unknowingly falling prey to a fraudulent website designed to pilfer your sensitive data.
Phishing attacks come with a heavy price tag for both individuals and businesses. Imagine waking up one morning to find your bank account drained due to a single successful phishing attack. At a corporate level, the repercussions can be even more severe, from a loss of customer trust and potential regulatory fines to intellectual property theft and data breaches. A case in point is a mid-sized tech company recently targeted by a phishing attack, leading to a data breach that cost over $2 million in damages and business loss.
There is no one-step solution to this problem. Modern phishing attempts have become frighteningly sophisticated, making them difficult to identify at first glance. But fear not. Certain red flags can tip you off about these deceptive cyber threats. Spam filtering can catch emails when the bad actors have misconfigured their sending services. Watch out for unsolicited requests for sensitive information, generic greetings, misspelled URLs, and unanticipated attachments. Additionally, it's good to remember that your financial institutions and government agencies like revenue services will never email you requesting sensitive data like social security numbers and date of birth. They already have all the confidential information on you that they need, so they don't need to request it.
For example, you might receive a suspicious SMS that appears to originate from Google, alerting you to supposed 'suspicious activity' on your account and asking you to verify your login details. This seemingly malicious message could be a classic smishing attempt. Genuine alerts from Google would typically instruct you to review your account activity directly within your Google account rather than seeking your login information through an SMS.
As I was writing this I received a novel phishing attack in my inbox. This one was not crafted as a request for me to click on a link to "salvage my account", or to re-enter my payment information. This was among the more sophisticated attacks. It alerted me to the fact that there was new activity on a document that has been shared via Microsoft Teams (see image below). The message appears to be legitimate until it is scrutinized.
The first clue is that Microsoft Exchange marks it as a message from an external source and thus not from our domain. If this had really been from our company Teams account then this warning would not have been there. This is a good reminder for system admins not to disable these types of warnings in Exchange 365. Clients may find them tedious, but they are there to protect organizations and they do help identify malicious messages.
The second clue is that they spoofed our domain but got the TLD (the last few letters after the '.', like the 'com' in '.com') wrong. Our TLD is .ca.
The third clue is that Microsoft clearly displays the actual sending domain for us in the header.
The fourth and final clue is that there is an .html file attached for me to open. Instead of taking me to a malicious site, this attachment would likely unpack as a malicious payload and likely display a fake 365 login screen and prompt me for my login credentials.
All these clues are easy to spot when you know what to look for and you are not under duress and stress. They are the exact same details that any trained employee can easily identify. The recipe is almost always the same: an urgent request to act coupled with malicious links and/or malicious code.
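The four clues above, written as a check a mail administrator could run over a saved message. This is an added example, not code from the original article; the sample message, the `example.ca` organization domain, the flag names, and the reading of the "actual sending domain" as the `Return-Path` header are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_message, org_domain):
    """Return short flag names for the clues found in one raw message."""
    msg = message_from_string(raw_message)
    org = org_domain.lower()
    sender = domain_of(msg.get("From"))
    envelope = domain_of(msg.get("Return-Path"))
    flags = []
    # Clue 1: the From domain is not ours (what the external-sender banner reports).
    if sender != org and not sender.endswith("." + org):
        flags.append("external-sender")
        # Clue 2: same name as ours, different TLD (naive split; ignores co.uk-style TLDs).
        if sender and sender.rpartition(".")[0] == org.rpartition(".")[0]:
            flags.append("lookalike-tld")
    # Clue 3 (assumed reading): the envelope sender is on a different domain than From.
    if envelope and envelope != sender:
        flags.append("envelope-mismatch")
    # Clue 4: an .html/.htm file arrives as an attachment.
    if any((p.get_filename() or "").lower().endswith((".html", ".htm")) for p in msg.walk()):
        flags.append("html-attachment")
    return flags

# Constructed sample message; every address and domain in it is a placeholder.
SAMPLE = """\
From: "Teams" <noreply@example.com>
Return-Path: <bounce@mailer.invalid>
Subject: New activity on a shared document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

There is new activity on a document shared with you.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="document.html"

<html><body>constructed sample</body></html>
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE, "example.ca"))
```

A message from the organization's own domain or one of its subdomains, with no HTML attachment, returns an empty list.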
Building a robust defense against phishing attacks requires a comprehensive approach. Maintain a healthy dose of skepticism towards unsolicited communications. Ensure your devices and software are updated regularly, and embrace the practice of using unique, complex passwords complemented by two-factor authentication.
Businesses, too, should adopt proactive measures against these types of phishing. Employee cybersecurity training and awareness programs, robust cybersecurity infrastructures, and sophisticated detection tools can significantly reduce phishing risks. Potential threats are received by users every day; therefore, cybersecurity training must also be ongoing. Employees and stakeholders need to be practiced enough so that they can spot the warning signs quickly. And, should a phishing attack successfully breach your defenses, an incident response plan can help mitigate the damage.
Commercial anti-malware software can be of help, but it has to be monitored. There is no "set it and forget it" way of dealing with this type of menace. If you have an MSP, ask them about using a managed cybersecurity suite on your office computers. This will ensure that even successful attacks are thwarted in their inception and not allowed to spread. Next-generation firewalls can also be a useful part of the threat response plan. NG firewalls can often spot inconsistencies in the message headers or even detect malware embedded in the email.
If you do happen to fall victim to a phishing scam, don't panic. Reach out to your financial institution immediately, reset your passwords, and report the incident to local law enforcement. Take the necessary steps to recover and secure your bank details and personal data and learn from the experience.
In the bustling city of Montreal, where technology is deeply integrated into our daily lives, the importance of understanding and mitigating the dangers of email communication cannot be overstated. By staying informed and vigilant, individuals and businesses can significantly reduce their risk and continue to leverage email as a powerful tool for communication.
The rapidly evolving digital landscape of 2023 calls for an equally adaptive approach to cybersecurity. As phishing scams and malicious software continue to innovate, so must our defenses. Stay informed, remain vigilant, and most importantly, cultivate a culture of online safety.
For more information and resources on cybersecurity, check out our resource section. Remember, in the battle against cyber threats and malicious attacks, knowledge truly is your best defense.