Phishing and Spear Phishing Email Scams

Phishing and Spear Phishing are becoming more common and more dangerous.  It’s critical that all of your employees be aware of it and know how to spot it.  

What is Phishing and Spear Phishing?

Phishing is any attempt to trick you into providing info or doing something.  Most typically this involves sending an email (or text) that looks like a legitimate message from a legitimate company.  (For example: You receive an email from your bank or Microsoft saying your account is overdrawn and asking you to click here to resolve the problem.)  These messages can look very real. They may have the correct logos, graphics and format of legitimate emails from these companies.

Spear Phishing is much more targeted to you personally than a standard phishing attempt.  It may appear to be from your boss, co-worker, vendor, or friend. It may reference something about your job.  

For example:  You receive an email claiming to be from your boss asking you to wire transfer money to some account.  It has your boss’ name and you are the accounting person that he/she would normally ask this of. It may even reference some other specific info relevant to your job or your company.  If you reply asking for more info or to confirm something they reply back answering your question.

Spam and Virus filters can stop some phishing attempts but unfortunately they are not very good at stopping spear phishing.  These messages tend to look like normal emails and do not contain lots of graphics, language or bad links that would normally trigger the filters.

There are some services that can help identify spear phishing but they tend to be expensive.  Ultimately the best protection is training and vigilance.

Don’t get caught!

The best protection against phishing is awareness and training.  Teach your users to watch for and recognize phishing attempts. In almost all cases phishing attempts can be identified if the user is paying attention and knows what to look for.

Before we discuss how to identify phishing attempts let’s talk about some other things you should do to keep yourself safe:

• Update your procedures for requesting / authorizing financial transactions.  Make sure that there are double checks to verify proper requests and triple checks for any large dollar amounts.  
• Don’t have employee info on your website.  No names, job titles or email addresses. This is a Spear Phisher’s dream: everything they need to target an email to just the right person.

How to Identify Fake Emails:

There are many ways to identify phishing attempts and a great resource is available at http://www.phishing.org/10-ways-to-avoid-phishing-scams.  Here are some key things to look for:

• Check the sending (From:) email address.  Is it correct?
  • If it is supposed to be from Wells Fargo but the email address is actually “…@welsfargo.com” or “…@email.wellsfargo.com”then it is fake
  • If it is supposed to be from your boss but its not his normal email address then it is probably fake.
• Hover over links in emails to reveal the real web address of the link.  If is is not quite right (mispelled or changed slightly) then it is fake.
• Is it asking for personal or business info? This is especially dubious if it’s coming from a bank or the IRS. Treat any communication asking for your login info with extra caution.
• The formatting and design are different from what you usually receive from an organization.
  • Maybe the logo looks pixelated or the buttons are different colors.
  • Maybe there are weird paragraph breaks or extra spaces between words.
  • If the email appears sloppy then it’s probably fake.
• The content is badly written.
  • Is there awkward sentence structure?
  • Are there lots of spelling errors?
• Is it urgent or desperate for response?
  • “your account will be closed”
  • “urgent response is needed”
  • “your account has been compromised”
• The email contains attachments from unknown sources that you were not expecting. Don’t open them, plain and simple. They might contain malware that could infect your system.
• The website is not secure.
  • When on a website be sure you see the “s” in the “https” abbreviation as well as the lock symbol at the beginning of the URL. If not, that means any data you submit is vulnerable to cybercriminals.

Anti-Phishing Solutions

Willits Technologies provides an anti-phishing service that scans your email and identifies Phishing and Spear Phishing attempts.  It also learns the normal email addresses used by your employees in order to better recognize when an email comes from the wrong address.    Like spam filtering services, anti-phishing services cant guarantee to catch everything but they are very effective and catch the vast majority of phishing and spear phishing attempts.

Ultimately, the best way to keep your business safe is to teach your employees how to recognize phishing attempts and to always be vigilant.  Implementing a Security Awareness Training program can help with this.  Security Awareness Training teach your employees how to recognize phishing attempts and sends simulated phishing attacks to test them on an ongoing basis.  If an employee clicks on a test email, they are launched into more training. Over time this dramatically reduces your risk by keeping your employees well trained and alert.  Willits Technologies provides Security Awareness Training for a very reasonable monthly fee.  

Please contact us if you have any questions or to find out more about how Willits Technologies can help keep your business safe from Phishing.