Every single day this month, my inbox has been filled with emails from cybersecurity professionals warning about yet another phishing scam in circulation. The point of these warnings is to alert the rest of the community that these emails are seriously hurting organizations both large and small.
One example focused on a recent attack on a city government. Here are the details…
The city’s treasurer fell for a recent phishing scam. I’m calling her Mary to protect her identity. Mary ended up sending over $100,000 to a scammer, the city’s auditor revealed last week.
How did this happen?
Mary received an email posing as the city manager, asking for money to be wired to an IT firm in a nearby city.
The email specifically said that she needed to wire $100,000 to an IT supplier a few cities over. Since the city had just overhauled its website, Mary assumed the transfer related to that work, which had been completed a couple of weeks before.
Before sending the payment, Mary exchanged a couple of emails with the attacker: the spoofed message from the “city manager” had cc’d an address that appeared to belong to the IT supplier but was controlled by the scammer. She confirmed the bank account numbers with that address and prepared the wire transfer. This is the part to notice: verifying payment details with a contact taken from the suspicious email itself only verifies them with the attacker.
Mary realized a few days later, after receiving ANOTHER request, this time for $150,000, that the first request had been completely bogus.
The second email arrived while she was at a city council meeting, sitting beside Tom, the city manager. After reading the email on her phone, she nudged Tom and asked him to confirm that he needed another $150,000. His expression made it clear he knew nothing about the request, which prompted Mary to ask about the large payment she had just made.
Mary was mortified that she had fallen for this scam. Her words exactly:
“That I should be the target and victim of this attack has affected me deeply—both professionally and personally.”
Mary never thought she’d fall for an attack. She’s detail-oriented, smart and hard-working. She loves her job and gives 110 percent, with all the characteristics of a star employee.
My message to you: hackers and scammers do not discriminate when they attack. Your people, especially those with the authority to move large sums of money or with privileged access on your network, can leave your business extremely susceptible to a cash flow or business continuity crisis.
In Mary’s case, a single request was enough for her to fully comply. Because the email had been spoofed to look like it came from her boss, she decided the request was legitimate and didn’t think twice about fulfilling it, even for a rather large sum of money.
In many other instances, a single click on a link in an email can be the beginning of an even worse nightmare.
To avoid being scammed personally, or having your entire organization’s network compromised, you will want to know how to recognize a potential phishing scam and what to do when you spot one.
Here are 4 big warning signs your user is dealing with a phishing scam:
False claims or offers and requests for information and funds
Phishing emails are designed to get something out of you. That may mean tricking your users into entering a password on a website that only looks real. It may mean asking for money, as in Mary’s case. Or it may be a request for some other kind of sensitive information. Obviously, if the email comes from a rich Nigerian prince asking you to send him money, you can easily spot that the request is phishy.
But what about an email that appears to come from someone you know and trust? Spoofers will go to great lengths to make an email look and feel trustworthy. They spoof websites too: the links they send look real and lead to pages that also appear legitimate.
If an email asks for something even remotely unusual, treat it that way. For any request that could lead to a money transfer or an information leak, be skeptical of where it really came from.
Often, scammers will send a message that is extremely hard to detect. One telltale sign that an email is phony is a link whose visible text does not match the address it actually points to. Scammers mask the real destination of a link to get you to click on it. This is extremely common and incredibly tricky, especially if you aren’t sure what to look for.
How can you avoid clicking on a mismatched link?
First, hover your mouse over the link to reveal the real destination in the status bar or tooltip; if it doesn’t match the text you see, you know something is up. A best practice that many security experts abide by is never to click links within emails at all. Instead, go to the site through a bookmark or by typing an address you already know. If you do copy from the email, copy the visible address text rather than using “copy link address”, because the latter gives you exactly the URL the scammer wanted you to visit.
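As an added example (not code from the original post), here is a small Python script that automates two of the checks described above on a raw email message: it flags any link whose visible text names one site while the href points at a different domain, and a Reply-To header that steers replies to a domain other than the one in From, which is how the spoofed “cc’d supplier” exchange in Mary’s story works. The sample message, the city-example.gov and city-example-gov.com domains, and the crude two-label domain comparison are all assumptions made for the example.

```python
"""Flags two phishing warning signs in a raw email message: anchors whose
visible text names one host while the href points at another domain, and a
Reply-To that sends replies to a different domain than From. Added example,
not code from the original post; the sample message is constructed and the
domain comparison is deliberately crude."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a lookalike domain (city-example-gov.com) appears both
# in the Reply-To header and behind a link whose text shows the real domain.
SAMPLE_EMAIL = """From: "Tom, City Manager" <tom@city-example.gov>
Reply-To: tom@city-example-gov.com
To: treasurer@city-example.gov
Subject: Wire transfer for the website vendor
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please wire the final payment today. Vendor details are on the portal:</p>
<p><a href="http://portal.city-example-gov.com/invoice">https://portal.city-example.gov/invoice</a></p>
<p>Our bank, for reference: <a href="https://bank.example.com/">bank.example.com</a></p>
</body></html>
"""

# Visible link text that looks like a URL or a bare domain; group 1 is the host.
DOMAIN_TEXT_RE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#:].*)?$", re.I | re.S)


def registrable_domain(host):
    """Last two labels of a hostname. Assumption: no public-suffix list, so
    suffixes such as co.uk are not handled specially."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def mismatched_links(html):
    """Return (shown_host, real_host) for every anchor whose visible text names
    a host that does not share the href's registrable domain."""
    found = []
    for href, text in extract_links(html):
        shown = DOMAIN_TEXT_RE.match(text)
        real = urlparse(href).hostname
        if not shown or not real:
            continue  # text like "click here" gives nothing to compare against
        if registrable_domain(shown.group(1)) != registrable_domain(real):
            found.append((shown.group(1).lower(), real.lower()))
    return found


def reply_to_mismatch(msg):
    """Return (from_domain, reply_domain) when Reply-To points at another domain."""
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" not in from_addr or "@" not in reply_addr:
        return None
    from_domain = from_addr.rsplit("@", 1)[1].lower()
    reply_domain = reply_addr.rsplit("@", 1)[1].lower()
    if registrable_domain(from_domain) != registrable_domain(reply_domain):
        return (from_domain, reply_domain)
    return None


def analyze_email(raw):
    """Return human-readable findings for a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    rt = reply_to_mismatch(msg)
    if rt:
        findings.append(f"Reply-To goes to {rt[1]}, not the From domain {rt[0]}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for shown, real in mismatched_links(body):
        findings.append(f"link text shows {shown} but points at {real}")
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the sample, it reports the Reply-To pointing at city-example-gov.com and the portal link whose text shows city-example.gov but whose href goes to city-example-gov.com; the bank link, whose text and href agree, is not flagged. A link with text such as “click here” is skipped, since there is no displayed host to compare, which is exactly why hovering over such links still matters.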
Also, never open an attachment from an unverified source. If you aren’t expecting something from someone, verify with that person over the phone or in a new email thread, not by replying to the message in question, before opening anything.
Do you notice any typos or grammatical errors?
While scammers have greatly improved the messaging and targeting of their phishing campaigns, they still often miss the mark when it comes to composing a well-crafted email in the tone of the person they are impersonating. If you notice grammatical errors or typos in the subject line or body of an email that asks you to do something, treat it as a strong warning sign. The reverse does not hold: a polished email is not proof of legitimacy.
Does the email make sense?
One of the most important ways to avoid falling for a scam is to use your common sense. If something doesn’t feel or seem right to you, it probably isn’t. If an offer sounds too good to be true, it probably is.
There is no fail-proof way to stop phishing attacks, but there are several ways to keep malware delivered by phishing from creating havoc on your network. Make sure you have an updated antivirus program, as well as a spam filter in place on your email server; a mail filter that checks sender authentication (SPF, DKIM and DMARC) will also catch the simpler cases of a forged From address.
But most of all, treat your email communications with caution, especially if you see unusual or large requests, attachments, or links within an email. When you spot something that doesn’t quite make sense to you, don’t open it and don’t comply. Verify with the sender that the request is actually legitimate, either through a new email chain or, better yet, over the phone, using a number you already have on file rather than one supplied in the email. For a payment or a change of bank details, make that callback a required step, not an optional one.
Worried about your security? Consider a network vulnerability assessment to figure out if you’re protecting your users enough from the latest phishing attacks.