
Common Phishing Attacks and How to Avoid Them

April 27, 2020

By Tim Starnes

The term phishing is easy to remember: think of fishing, with a criminal dangling a “hook” (an information-collecting email or message) in the “ocean” (the internet) in the hope that a “fish” (the victim) will bite. Phishing emails generally fall into three common types.

Cybercriminals are incredibly smart; remember, stealing information and causing damage is how they feed their families. Phishing has come a long way from princes in far-off lands notifying you that you have inherited millions of dollars or won a lottery.

  1. Mimicking a Service or Website

These emails spoof a widely recognized service such as Amazon, eBay, Netflix, PayPal, or online banking. They look very similar, or even identical, to correspondence from these sites; however, the links embedded within them lead to a lookalike site set up purely to collect information from unsuspecting victims or to download a virus onto their PC.

“This is the support team at Amazon.com – we’ve shipped 50 gallons of mayonnaise to your home address. Need to cancel this order? – sent from Amaz0n.co”

               How Do I Protect Myself or My Business?

  • Check the domain name. Each service has an official domain, for example Amazon.com. Criminals cannot gain access to that domain, so they often swap out or add letters and numbers to produce a lookalike, such as Amaz0n.com or Amazone.com.
  • If in doubt, log into your account directly and contact the originating service to verify that they were attempting to contact you.
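As an added example (not part of the original article), here is a small Python check for the domain test described above: it pulls the sender's domain out of a From: header and flags lookalikes of a constructed allowlist of brand domains, undoing the digit-for-letter swaps the bullet mentions (Amaz0n.com, Amazone.com). The allowlist, the homoglyph table and the sample headers are assumptions, not anything from the article.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allowlist: the real domains this mailbox expects mail from (assumption).
TRUSTED_DOMAINS = {"amazon.com", "ebay.com", "netflix.com", "paypal.com"}

# Swaps attackers use so a lookalike still reads like the brand (assumed table).
# Applied only for comparison; it deliberately turns "rn" into "m", "0" into "o", etc.
HOMOGLYPH_SWAPS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(domain: str) -> str:
    """Normalize a domain for comparison: lowercase, strip accents, undo common homoglyphs."""
    domain = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for fake, real in HOMOGLYPH_SWAPS:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the address in a From: header.

    Only the real address counts; the display name is ignored because it is free text.
    """
    _, address = parseaddr(from_header)
    if "@" not in address:
        return "unknown"
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"  # exact brand domain or one of its own subdomains
    # Compare the brand part (everything before the TLD) after homoglyph folding.
    name, _, _tld = fold(domain).rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.rpartition(".")[0]
        # Same brand on another TLD (amaz0n.co) or one edit away (amazone.com).
        # Threshold 1 misses transpositions such as netfilx; raise it for longer brands.
        if edit_distance(name, brand) <= 1:
            return "lookalike"
        # Brand embedded as a label in a longer name, e.g. amazon.com.evil.net.
        if brand in name.replace("-", ".").split("."):
            return "lookalike"
    return "unknown"
```

Run it over a mail server's logged From: headers and route "lookalike" results to the verification step the second bullet describes rather than to the user.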

               What If I Accidentally Filled in My Information?

  • Change the password for the compromised account and monitor its activity.
  • The scammer will continue using the email address you entered to send phishing emails, since it has now been “verified” as live; do not fill in any information on links sent to that address.

  2. Urgent Emails

Criminals have also been known to combine publicly available information with stolen information to launch email campaigns against businesses in the form of spoofed pleas for help from bosses and co-workers.

“I’m at a conference in New York and have lost my wallet. Can you send $500 to my PayPal account? I can’t get into any hotels without it!!!”

Of course, this is not coming from the supposed sender; it is a criminal preying on a sense of urgency to fool the victim into sending money.

               How Do I Protect Myself or My Business?

Should you receive one of these emails, admittedly it could be genuine. The best policy is to reach the distressed individual through an alternate contact method: call, text, message them on social media, or use some other channel. This lets you verify the situation directly with them. A phone call is the suggested route, since social media accounts could have been compromised in the attack as well.

               What If I Accidentally Filled in My Information?

  • Immediately take the appropriate action for a stop-payment.
  • File a report with the service used to contact you originally with the phishing email.
  • Should funds have been sent, file a police report.
  • Report the incident to the appropriate supervisor or department, should this have happened in a business environment.

  3. Financial Hijacking

Emails spoofed as coming from new vendors or in-house departments have been used to trick unsuspecting employees into sending funds straight out of their employer’s bank accounts and into criminals’ accounts.

“This is Angela, office manager at Quality Plumbing – I was instructed to get into contact with you about setting up a new wholesale account. Your CFO placed an order for a crate of 50 pipes. Could you please send $25,000 to account number XXX-XXX-XXX? We can’t deliver until it is paid, and he says it is urgent. Thanks for handling this promptly!”

The email isn’t truly originating from Angela at Quality Plumbing; it is a criminal attempting to goad the victim into transferring funds in the belief that the charge is a legitimate business invoice.

               How Do I Protect Myself or My Business?

  • The best policy is to have a clear roadmap for financial requests. With established policies in place, even if an attack is launched, the roadblocks interrupt the flow and give trained employees additional chances to catch on. These policies can include time holds on payment requests, required approval from certain department heads, or allowing funds to transfer only into or out of certain accounts.

               What If I Accidentally Filled in My Information?

  • Immediately take the appropriate action for a stop-payment.
  • File a report with the service used to contact you originally with the phishing email.
  • Should funds have been sent, file a police report.
  • Report the incident to the appropriate supervisor or department.

Knowing these three common types of phishing attacks, you can spot them before it is too late. It is critical that businesses take the time to train their staff to recognize attacks before damage is done.
