While it may be cold outside, phishing remains the hottest attack vector in business: over 90% of all successful cyberattacks are said to start with a “phishing” email. And these attacks have become far more advanced over the years, with the potential to fool even the most vigilant.
With this cold truth in mind, what should you be on the lookout for?
Design and Conquer
You probably remember the old emails from a “Nigerian Prince” urging recipients to help move money out of his country. Today, His Majesty is still far from retirement: “advance-fee fraud” has existed for hundreds of years, and criminals still iterate on the attack.
These and other relatively unsophisticated attacks still fool some, but most recipients are much savvier nowadays. Just as fishing enthusiasts upgrade their equipment with the season, cybercriminals have upped their game with more modern techniques.
Nowadays, particularly convincing phishing emails typically:
- Appear to come from a common and trusted service, e.g. Amazon, FedEx, or Netflix
- Use real company logos and layouts to mimic legitimate messages
- Have a recognizable call-to-action, such as “Update your payment information” or “Track your package”
Interacting with a phishing email can infect your computer and/or network with malware or ransomware. Other attacks aim to steal login credentials, personal information, or money.
An Advanced Maneuver
Phishing attacks are often well-designed and difficult to detect, even for seasoned professionals. To make matters worse, cybercriminals have even more tricks up their sleeve:
- Spoofing or obfuscating the “from” email address
- Adding “ZeroFont” (text set to a zero-point size, invisible to the reader but read by spam filters) to impersonate companies while hiding from spam filters
- Using characters from non-English alphabets that look identical to Latin letters to mimic recognized sites (so-called homograph attacks)
- Fake pop-ups that look exactly like legitimate sites
- Phishing your 2FA code to break into your legitimate accounts
Those are just a few of the cold and devious tactics out there – and we hear about new ones constantly. The bottom line is that no matter how real an email looks, you have to be cautious and diligent to ensure it is authentic.
Don’t Fall for Those Shiny New Lures
The attackers may have tempting bait, but don’t get hooked! Slow down and be mindful, especially of any email – even if it looks like it’s from a company or person you trust – that asks you to complete an action like:
- Clicking a link or opening an attachment
- Logging in with your credentials or filling in a form
- Completing a transaction or changing account information
- Replying with confidential or personal information
To help put those phish on ice, remember the acronym ICE:
- Inspect messages carefully—look closely at the email address, domains, words, and links.
- Confirm any message received that was unexpected or that you’re wary of—don’t hesitate to pick up the phone to call and verify legitimacy.
- Eliminate messages that seem, well, fishy. Important! Be sure to check your company's policy: some will ask that you report them to your IT team, then delete; others will ask that you immediately delete anything suspicious.
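As an added example (not part of Defendify's post), here is a small Python check a defender could run over the links in a message before anyone clicks, flagging the tricks listed above: Punycode hosts, mixed alphabets, lookalike domains, and a trusted brand name sitting inside an unrelated host. The TRUSTED set, the hand-picked CONFUSABLE table and the sample links are assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import urlparse

# Assumption: the domains this organisation actually does business with.
TRUSTED = {"amazon.com", "fedex.com", "netflix.com"}

# A hand-picked subset of Unicode's confusables: Cyrillic letters that render exactly like
# Latin ones in most fonts. A real deployment would load the full confusables.txt table.
CONFUSABLE = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u04cf": "l"}

def decode_host(host: str) -> str:
    """Turn Punycode labels (xn--...) back into the Unicode letters a reader would see."""
    if "xn--" not in host:
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # malformed label: leave it, the other checks still run

def scripts_used(host: str) -> set[str]:
    """Script of each letter, taken from the first word of its Unicode name (LATIN, CYRILLIC...)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}

def inspect_link(url: str) -> list[str]:
    """Reasons the link's host deserves a closer look; an empty list means nothing was found."""
    host = (urlparse(url).hostname or "").lower()
    shown = decode_host(host)
    reasons = []
    if shown != host:
        reasons.append("punycode host")
    scripts = scripts_used(shown)
    if len(scripts) > 1:
        reasons.append("mixed scripts: " + ", ".join(sorted(scripts)))
    # Replace confusable letters with the Latin letter they imitate, then compare.
    skeleton = "".join(CONFUSABLE.get(c, c) for c in shown)
    registrable = ".".join(skeleton.split(".")[-2:])   # last two labels, e.g. amazon.com
    if registrable in TRUSTED and skeleton != shown:
        reasons.append(f"lookalike of {registrable}")
    elif registrable not in TRUSTED:
        brands = [t.split(".")[0] for t in TRUSTED if t.split(".")[0] in skeleton]
        if brands:
            reasons.append("trusted brand name in untrusted host: " + ", ".join(brands))
    return reasons

# Constructed sample links, the kind that sit behind a "Track your package" button.
LOOKALIKE = "https://\u0430mazon.com/update-payment"            # Cyrillic 'а' replaces Latin 'a'
PUNYCODE = "https://" + "\u0430mazon.com".encode("idna").decode("ascii") + "/update-payment"
SAMPLE_LINKS = ["https://www.amazon.com/orders", LOOKALIKE, PUNYCODE,
                "https://fedex-tracking.example/parcel"]
```

Running `inspect_link` over SAMPLE_LINKS flags every link except the first; the Punycode form is what the lookalike host actually looks like in the raw email source.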
Phishing season is never truly over for cybercriminals, but you can leave them out in the cold.
Your Friends @ Defendify