Do you really want to click that?
A big issue for SMBs is recognizing phishing emails. Oftentimes, hackers trick employees into clicking malware-infected attachments and malicious links in emails that redirect to look-alike pages. This type of cybercrime, sending fraudulent emails that appear to come from a legitimate company with the aim of stealing confidential information, is known as phishing — and it’s a real threat.
What is Phishing?
- Phishing is an online scam in which someone posing as a legitimate company asks you to provide sensitive information.
- This is typically done through a link that takes you to a landing page asking you to fill in information that is then passed on to the scammer. This information is typically credit card numbers, social security numbers, usernames and passwords, etc.
How Do You Identify a Phishing Email?
- Phishing emails use fake email addresses that imitate known brands, such as FedEx, UPS, Office 365, Google, etc. ALWAYS LOOK AT THE ACTUAL EMAIL ADDRESS BETWEEN THE "< >" SYMBOLS, such as "John Doe <firstname.lastname@example.org>". In a phishing scenario, the email alias may read "Office 365 Admin" but the actual email address is "<email@example.com>".
- Phishing emails often do not address you by name.
- Phishing emails use scare tactics like threats to close accounts, password verification, password reset, or other tactics that create a sense of urgency and cause you to make impulsive decisions that can end up being detrimental to you and your company.
- Read the emails carefully and look for spelling errors. A lot of phishing emails come from overseas and are typically filled with spelling and grammatical errors. This is a common red flag.
- Spear phishing is highly customized phishing that can include the target's information, such as name, position, company, phone number, etc., to trick the recipient into believing that they have a connection with the sender. This information is typically mined from the target's online social media profiles on sites such as LinkedIn and Facebook. Employee awareness is paramount, and users should be discouraged from publishing sensitive personal and/or corporate information to these sites.
- Common phishing email examples are as follows:
  - You are asked to verify your email account information or reset your password. DON'T DO IT! Unless YOU have initiated something that would require verification, your email provider, financial institution, etc., will not (and should not) ask you for account verification or a password reset out of the blue.
  - You get an email stating that your mailbox storage is full. This one is a little tricky because your email admin may have turned on mailbox storage quotas and warnings, so ALWAYS double-check the sender's email address between the "< >". It should match a legitimate email account within your domain.
  - You get an email about UPS/FedEx/DHL tracking information. Unless you specifically asked for email notifications on a shipment, DO NOT follow the embedded link in these emails; more than likely, you're not even expecting a package.
  - Dropbox, Google Docs, Office 365 phishing. Some phishers no longer cast a wide net; they now craft specialized attack emails tailored to an individual company or service. Millions of people use these services every day, so it's no surprise that attackers have started targeting them. The attack is usually initiated by an email containing a link that leads to a fake Dropbox, Google or Office 365 login page where the attacker captures your login information. To protect against such attacks, two-step / multi-factor verification should be enabled on these accounts.
- Below is a prime example that a client of ours received the other day! Fortunately, they knew better than to follow through on the request.
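As an added example that is not part of the original article, the following Python check applies the advice above: it parses the address that actually sits between the "< >" and compares it with what the display name claims (a brand such as FedEx or Office 365, an internal mailbox/helpdesk notice, or an address shown in the name itself). The internal domain, the brand-to-domain allowlist and the sample headers are assumed, constructed placeholders that an organisation would replace with its own.

```python
import re
from email.utils import parseaddr

# Constructed sample From: headers for illustration (not real messages).
SAMPLE_FROM_HEADERS = [
    "Office 365 Admin <email@example.com>",
    "IT Helpdesk <helpdesk@corp.example>",
    "FedEx Shipment Notice <tracking@example.org>",
    "John Doe <firstname.lastname@example.org>",
]

# Assumed: domains belonging to the organisation whose users we protect.
INTERNAL_DOMAINS = {"corp.example"}
# Assumed allowlist of brand keyword -> domains the brand really sends from;
# an organisation would maintain and verify its own list.
BRAND_DOMAINS = {"office 365": {"microsoft.com"}, "fedex": {"fedex.com"}}
# Display-name words that suggest an internal IT or mailbox-quota notice.
INTERNAL_HINTS = ("helpdesk", "it support", "mailbox")


def in_domains(domain: str, allowed: set[str]) -> bool:
    """True if domain equals, or is a subdomain of, any allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_from_header(header: str) -> list[str]:
    """Return the red flags found in one From: header (empty list = none)."""
    display_name, address = parseaddr(header)
    if "@" not in address:
        return ["no usable address between < >"]
    domain = address.rsplit("@", 1)[1].lower()
    name = display_name.lower()
    flags = []
    # Trick: the display name shows an address that is not the real sender.
    if "@" in name and name.strip() != address.lower():
        flags.append("display name shows a different address than the real sender")
    # Looks like an internal notice but was sent from an outside domain.
    if any(h in name for h in INTERNAL_HINTS) and not in_domains(domain, INTERNAL_DOMAINS):
        flags.append(f"internal-looking name but external domain {domain}")
    # Names a brand, but the sending domain is not one the brand uses.
    for brand, allowed in BRAND_DOMAINS.items():
        if re.search(rf"\b{re.escape(brand)}\b", name) and not in_domains(domain, allowed):
            flags.append(f"claims '{brand}' but sent from {domain}")
    return flags


if __name__ == "__main__":
    for hdr in SAMPLE_FROM_HEADERS:
        print(hdr, "->", check_from_header(hdr) or "no flags")
```

A check like this belongs in a mail filter or awareness tool as one signal among several; a clean result does not make a message safe, it only means the sender address is consistent with the name shown.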