One of the most common and effective forms of cyberattack is phishing. Phishing generally comes in the form of an email message disguised to look legitimate, so that you’ll click a link or download an attachment designed to infect your device and network with malware. But the rise of texting and social media has brought these deceptive messages into our lives in other forms too.
There are social media phishing attacks done by direct message, phishing done by text message, and even old-fashioned phone scams (now known as vishing) are still around.
In Proofpoint’s 2019 State of the Phish Report, 83% of survey respondents had experienced a phishing attack in 2018, which was a 9.2% increase over the previous year.
While managed IT security services can help protect networks with advanced anti-phishing tools, user education like knowing how to tell a phishing email from a legitimate one can go a long way towards safeguarding your network and data.
How Malware Spreads via Phishing
Phishing is designed to get the user to take an action that either infects their device and/or network with malicious code (ransomware, viruses, trojans, spyware and other malware) or hands the attacker something valuable, such as login credentials.
Below are the three most common ploys and their frequency of use:
- Link to a malicious website (69%)
- Data entry form (17%)
- Attachment (14%)
Most people associate phishing with a file attachment, but attachments are used in only 14% of attacks. Users have become more suspicious of opening attachments, and anti-malware programs scan them for known malware before they are opened.
People are still more likely to click a link than to inspect it first, which is why malicious links are used most often.
Read on to learn more about the most dangerous types of phishing attacks out there and how to identify them before it’s too late.
Phishing Attacks That Commonly Fool Users
There are a number of tricks that phishing scammers use to get someone to click on a link sent in an email, direct message, or text. And with the use of AI and automation, they can often personalize the message, which causes a person to trust it more.
While there are still phishing messages with misspelled words and bad grammar that are easy to spot, most are now sophisticated enough to use the logos, layouts and email signatures of legitimate companies.
Here are some of the most dangerous phishing messages to watch out for.
Online Invoice/Bill
Getting invoices from companies electronically is normal. In fact, many companies encourage customers to opt for an e-bill rather than a paper statement, since paper costs the company more. But this also makes it easier for scammers to use an online invoice or bill as a phishing ploy.
In one example, a phishing email was designed to replicate the look of a legitimate AT&T invoice email and could easily fool many users. However, hovering over the link made it obvious that the message was not from AT&T at all.
Change of Password Needed
Another common occurrence is a forced password change from a company that may have experienced a data breach. Just about everyone has received at least one email saying that “for security reasons” they must change their password for a particular online service or website.
Phishers use this to their advantage by sending fake account change emails. The linked page looks like a legitimate sign-in form and may even use the company’s logo. But it is a fake, designed only to capture your real username and password so they can be stolen, potentially sold, and used to compromise your account.
Placing an Order
A common phishing email that can also be done by SMS is from a person pretending to place an order with your company. These may say that the purchase order is attached or give a link to open to view it.
It will also often say “urgent” or “2nd request” to elicit an emotion and get the recipient to rush to click it open, thinking “How did I miss an order?” But it’s just another trick to get you to click before you think.
The Personal Gift Card Request
With so much information available on social media, scammers can now get more personal in their requests. All many of them have to do is look at LinkedIn or a company’s own website to see the names and titles of employees. They may then send you a text message that appears to come from someone with an important title, asking you to buy gift cards in a hurry for clients. They’re banking on you not double-checking the request because the name is familiar.
Tips for Spotting Phishing Attempts
Good spam and anti-phishing protection can backstop users and help protect your devices from an attack but knowing how to spot a phishing email is one of the best defenses against getting fooled.
Hover Over Links
Hovering over a link before you click it reveals the true URL (on a phone, press and hold the link instead) and helps you spot a clever spoof email. Check the domain the link actually goes to, not just the text you can see, and be wary of addresses that use a raw IP address or put a familiar name in front of an “@”. If the URL is shortened, such as those on social media, then it’s best not to trust it.
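The hover check can be automated for a whole message. The following is an added example (not code from the original article or from Connect2Geek) that pulls every link out of an HTML email body and flags the tricks described above: visible text that names one domain while the href points at another, URL shorteners, raw IP hosts, and a username before the host. The sample email body, the shortener list and the example.net domain are constructed for the demo, and the registrable-domain check is a crude two-label approximation rather than a public suffix list lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed list of well-known shorteners for the demo; not exhaustive.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "buff.ly"}

# Constructed sample body modelled on a fake "your bill is ready" email.
SAMPLE_EMAIL = """
<p>Your AT&amp;T bill is ready.</p>
<a href="http://att-billing.example.net/view">https://www.att.com/myatt</a>
<a href="https://bit.ly/3xyz">View your statement</a>
<a href="https://www.att.com/myatt">www.att.com</a>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (a rough stand-in for a public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href, text):
    """Return the reasons a link looks suspicious; an empty list means nothing was flagged."""
    reasons = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {parts.scheme!r}")
    if parts.username is not None:
        # e.g. https://att.com@evil.example/ : the browser goes to evil.example
        reasons.append("userinfo before host hides the real destination")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address as host")
    if host in SHORTENERS:
        reasons.append("URL shortener hides destination")
    # If the visible text itself looks like a URL or domain, it should agree with the href.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and host and registrable_domain(m.group(1)) != registrable_domain(host):
        reasons.append(f"visible text says {m.group(1)} but href goes to {host}")
    return reasons


def audit_html(body):
    """Return [(href, visible_text, reasons), ...] for every link in the body."""
    p = _AnchorCollector()
    p.feed(body)
    return [(href, text, check_link(href, text)) for href, text in p.links]


if __name__ == "__main__":
    for href, text, reasons in audit_html(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {reasons or 'ok'}")
```

Only the third link in the sample passes: the first shows an att.com address while pointing at example.net, and the second hides its destination behind a shortener. A mail gateway can apply the same logic before the message reaches the user; the human hover check remains the backstop.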
To: “Undisclosed Recipients”
If an email’s To line says “undisclosed recipients”, the message was sent in bulk to many people at once. Legitimate newsletters do this too, but a bill, password reset or purchase order addressed to you personally should never arrive this way, so treat it as a strong warning sign.
You Don’t Expect It
Be very suspicious of any unexpected emails or texts, such as a purchase order from a company you’ve never heard of or a strange request from a colleague. Always verify unexpected messages through a separate channel, for example by calling the person on a number you already have rather than one given in the message.
View Message Header
You can view the raw headers of a message in your email program to see where it originated. The Received lines trace the servers the message passed through, the Return-Path and Reply-To show where replies and bounces really go, and the Authentication-Results line added by your own mail server records whether SPF, DKIM and DMARC checks passed for the claimed sender. A From address that fails those checks, or that does not match the Return-Path, often gives away a phishing attempt.
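As an added example (not code from the original article or from Connect2Geek), the script below parses a raw header block and extracts the points a reviewer looks for: the hop chain from the Received lines, the SPF/DKIM/DMARC results, and mismatches between the From, Return-Path and Reply-To domains. The headers are constructed for the demo using reserved example domains and documentation IP ranges; they imitate a message that claims to be from att.com but was relayed through an unrelated server.

```python
import re
import email
from email.utils import parseaddr

# Constructed raw headers for the demo (documentation addresses only).
RAW_HEADERS = """Return-Path: <billing@mail.example.net>
Received: from mail.example.net (mail.example.net [203.0.113.10]) by mx.victim.example with ESMTPS id abc123; Mon, 4 Mar 2019 09:12:01 -0700
Received: from [192.0.2.7] (unknown [192.0.2.7]) by mail.example.net with ESMTPA; Mon, 4 Mar 2019 09:11:58 -0700
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=mail.example.net; dkim=none; dmarc=fail header.from=att.com
From: "AT&T Billing" <billing@att.com>
Reply-To: billing@mail.example.net
To: undisclosed-recipients:;
Subject: Your bill is ready

"""


def _domain(addr):
    """Lowercased domain part of an address header value ('' if there is none)."""
    _, a = parseaddr(addr or "")
    return a.rsplit("@", 1)[1].lower() if "@" in a else ""


def analyze_headers(raw):
    """Summarise origin and authentication data from a raw header block."""
    msg = email.message_from_string(raw)
    findings = []

    from_dom = _domain(msg.get("From"))
    rp_dom = _domain(msg.get("Return-Path"))
    reply_dom = _domain(msg.get("Reply-To"))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Only trust Authentication-Results written by your own receiving server;
    # a sender can add a forged one of its own further down.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) != "pass":
            findings.append(f"{mech} result: {results.get(mech, 'absent')}")

    # Received headers are prepended by each hop, so the top one is the last hop.
    hops = []
    for r in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", " ".join(r.split()))
        if m:
            hops.append((m.group(1), m.group(2)))
    hops.reverse()  # oldest hop first

    return {"from_domain": from_dom, "auth": results, "hops": hops, "findings": findings}


if __name__ == "__main__":
    report = analyze_headers(RAW_HEADERS)
    print("claimed From domain:", report["from_domain"])
    for src, dst in report["hops"]:
        print(f"  {src} -> {dst}")
    for f in report["findings"]:
        print("  !", f)
```

On the sample, the message claiming to be from att.com entered the chain from a bare IP address, passed SPF only for the unrelated mail.example.net envelope domain, carries no DKIM signature and fails DMARC for att.com. Any one of those would justify treating the bill as a phish.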
Get Help to Combat Phishing Attacks
Connect2Geek can help you put programs in place that block malicious scripts from running if you accidentally click a phishing email link. We can also provide regular cybersecurity awareness training to keep your team on their toes.
Get a handle on phishing and secure your network today! Call us at 208-468-4323 or contact us online.