Have you ever gotten an email that sounded way too good to be true? Maybe something like an imprisoned or exiled member of royalty who needs help getting funds out of his country and will gladly give you a reward?
Or in more recent news, the email appeared to be from the IRS indicating that they fouled up your tax return from last year, and if you will simply click on the link included in the body of the email, they will gladly return the money you are so rightfully owed.
Or maybe you’ve gotten an email from the CEO (or someone else higher up) of your company saying he needs you to wire him money?
Well, friend, between you and me, the government usually only gives you back what they’re supposed to, and, unfortunately, that niece of the former advisor to Muammar Gaddafi is a fake. You have just been the target of a phishing attack.
So what is “Phishing”? Phishing is an email attack that tricks the target into believing the message comes from a legitimate source in order to get hold of personal or business information such as credit card numbers, account details, or passwords, or to get the target to open a malicious link or attachment.
In a phishing attack, the attacker uses a message to deliver malicious software, send you to a look-alike website, or get you to reply with your personal information. For example, an email that appears to come from your bank states that something is wrong with your account and that, for security purposes, your PIN needs to be reset. The email conveniently includes a link to a page where you can enter your account and routing numbers and “change” the PIN. Unfortunately, it didn’t really come from your bank; the page was built by the attacker, who now has your account details and, with them, access to your funds.
Types of Phishing Attacks
Are there multiple types of phishing attacks? Sure there are:
Phishing, in the generic sense, is an undirected attack: a large-scale mailing sent to as many addresses as possible in the hope that enough people fall for the scam to make the effort worthwhile.
Spear Phishing is a directed attack. Typically, the attacker has done some research on the target to tailor the message and raise the chance of success. For example, finding out the name of someone in Human Resources and the coffee chain that person frequents, then crafting an email that appears to come from that chain so the recipient thinks nothing of it and replies with the requested information. Or an email to a lower-level employee that looks like it’s from a member of the leadership team asking them to wire money.
Whaling is a phishing attack directed at executive-level users. Companies love to publish the names and contact information for their executives on their websites. Attackers love this too, as it takes the guesswork out of figuring out the correct email address and the right name to drop in their bogus emails.
How to Spot a Phishing Attack
There are several dead giveaways to spotting phishing emails:
Bad grammar and misspelled words are usually huge, glaring clues that the email isn’t legitimate. These can be in either the subject or the body of the email. Special characters such as punctuation marks in the middle of a word are another dead giveaway; these often appear because the text was run through a translation program by an attacker who doesn’t write English well, or to slip a flagged word past a filter. Keep in mind that the reverse doesn’t hold: a well-crafted phishing email can have flawless grammar, so clean prose alone proves nothing.
A quick test is to hover over (or click on) the sender’s name in the email to reveal the actual address behind it. If that address isn’t the one the person or organization actually uses, it’s a phishing attack. What the attacker has done in this case is put a trusted name in the display name while sending from a look-alike or throwaway address, so the message looks legitimate at a glance. Note that the opposite isn’t proof of safety: the visible From address itself can be forged, which is why the other clues below still matter.
The sender offers only one way of contacting them: no phone number, no other email address (the one used to send the message is most likely fake), and no online portal.
The email asks for financial or other sensitive information. Any email that appears to be from a bank, the IRS, a medical institution or another company that handles sensitive data and asks you to supply or confirm that data should be treated as suspect. If these people want to get in touch with you about a problem with your account or payments, they will, and it generally won’t be by email asking you to type in your details. So please do not send out any personal information, account numbers, PIN codes, or passwords over email. EVER. Quite apart from the scam, email is often transmitted and stored unencrypted and can be read along the way, leaving you wide open to identity theft.
The email uses a different font, color or a different writing style than the writer typically uses. If you get an email from someone in your company that doesn’t really sound like the way they normally write or is formatted differently than their emails usually are, that may be an indication of a phishing email – especially if they’re asking for sensitive or financial information.
So what can you do?
A great spam filter will filter out the majority of these attacks. Spam filters analyze the message before it ever gets to you and throw out any blatant attacks. A good antivirus solution will scan emails and attachments for malicious software or back doors designed to break into your system and steal personal data. Unfortunately, these attacks are getting better and better at disguising their true identity and intentions, and some do get past spam filters.
If you get an email from a co-worker or boss that looks suspicious, just give them a call and ask whether it’s real before clicking or downloading anything or sending them sensitive information. Use a phone number you already have, not one supplied in the email. Same thing if it’s from a bank or somewhere you actually do business with.
Any links in an email that you are unsure about should NEVER be clicked on. Most of these lead to a website built to look like the supposed sender’s. Hovering over a link shows where it really goes, and if the visible text names one site while the link goes somewhere else, that alone is a giveaway. Also, NEVER open any attachments on these emails. Many malicious payloads live in these attachments or behind these links and, once on your machine, will wreak untold havoc on your system, to say nothing of your finances or personal data once it is stolen.
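The two hover tests above (the sender’s real address versus the name shown, and a link’s real destination versus its visible text) can be automated when you have the raw message in hand. The script below is an added example written for this post; it is not PTG’s tooling and not part of the original article. It parses a raw email, applies both tests, and also reads the receiving server’s Authentication-Results header for failed SPF, DKIM or DMARC verdicts. The two sample messages, the trusted-domain list, and the simplified “last two labels” domain comparison are all assumptions made for the example.

```python
"""Triage a raw email for the giveaways described above: a display name that does not match
the real sender address, links whose text names one site while the href goes elsewhere, and
authentication results saying SPF/DKIM/DMARC failed. Sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages, not real emails: reserved .example domains and a
# 198.51.100.0/24 documentation-range IP address.
PHISH_EML = """\
From: "First National Bank Security" <alerts@firstnational-secure-login.example>
To: victim@example.org
Subject: Urgent: Your account P.I.N must be reset
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=firstnational-secure-login.example; dkim=none; dmarc=fail header.from=firstnational-secure-login.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer, we have detect a problem with you're account.</p>
<p>Please visit <a href="http://198.51.100.23/reset">www.firstnational.example/security</a>
to confirm your account number and reset your PIN.</p></body></html>
"""
CLEAN_EML = """\
From: "First National Bank" <alerts@firstnational.example>
To: victim@example.org
Subject: Your monthly statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=firstnational.example; dkim=pass header.d=firstnational.example; dmarc=pass header.from=firstnational.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Log in at <a href="https://www.firstnational.example/login">www.firstnational.example</a>.</p></body></html>
"""
# Assumed for the example: the domains this recipient really does business with.
TRUSTED_DOMAINS = {"firstnational.example"}
URLISH = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/?#:]|$)", re.I)
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Simplified anchor extraction; good enough for typical phishing HTML, not a full HTML parser.
ANCHOR = re.compile(r'<a\b[^>]*href=["\']([^"\']*)["\'][^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(host):
    """Crude 'last two labels' approximation; a real tool would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def host_of(url_or_text):
    """Hostname of an href, or of link text that looks like a URL ('www.bank.example/x')."""
    text = url_or_text.strip()
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

def html_body(msg):
    """Decoded text/html part of the message, or '' if there is none."""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""

def check_sender(msg, trusted):
    """The 'hover over the sender's name' test: display name versus the real address."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = registrable_domain(addr.rpartition("@")[2])
    if domain in trusted:
        return []
    findings = [f"sender domain {domain!r} is not one you do business with"]
    compact = re.sub(r"[^a-z0-9]", "", display.lower())  # "First National Bank" -> "firstnationalbank"
    for brand in (d.split(".")[0] for d in trusted):      # brand word = first label, e.g. "firstnational"
        if brand in compact:
            findings.append(f"display name {display!r} impersonates {brand!r} but address is {addr!r}")
    return findings

def check_links(html):
    """Links whose visible text names one site while the href really goes elsewhere."""
    findings = []
    for href, inner in ANCHOR.findall(html):
        text, real = re.sub(r"<[^>]+>", "", inner).strip(), host_of(href)
        if IP_HOST.match(real):
            findings.append(f"link points at a bare IP address: {href}")
        if URLISH.match(text) and registrable_domain(host_of(text)) != registrable_domain(real):
            findings.append(f"link text {text!r} but href goes to {real!r}")
    return findings

def check_auth(msg):
    """Non-passing SPF/DKIM/DMARC verdicts from the receiving server's Authentication-Results."""
    return [f"{method.lower()}={result.lower()}"
            for header in msg.get_all("Authentication-Results", [])
            for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
            if result.lower() != "pass"]

def triage(raw_eml, trusted=TRUSTED_DOMAINS):
    """All findings for one raw message; an empty list means none of these checks fired."""
    msg = message_from_string(raw_eml)
    return check_sender(msg, trusted) + check_links(html_body(msg)) + check_auth(msg)

if __name__ == "__main__":
    for finding in triage(PHISH_EML):
        print("!", finding)
```

Run against the constructed phishing sample, it reports the untrusted sender domain, the display name borrowing the bank’s name, the link whose text says the bank’s site but whose href is a bare IP address, and the three failed authentication verdicts; the clean sample produces no findings. The authentication check is the part a person can’t do by hovering, and it is the one that catches a forged From address that the display-name test would wave through, which is why a script like this belongs in a mail filter rather than only in a user’s hands.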
The next time you get a suspicious email from the aforementioned royalty, a bank or credit institution you have no account with, the government, or anything else that looks suspect, give it the sniff test. A deleted email and a phone call to the sender to confirm whether they actually sent it is always preferable to financial ruin. As always, feel free to call us at PTG and tell us about the message, and remember the old adage: if it sounds too good to be true, it probably is.