Learn how phishers target employees and how to spot a scam. 

George Mateaki, CISSP, QSA
By: George Mateaki
Security Analyst
CISSP, QSA
Social engineering isn’t always done in person; sometimes all it takes is for a single malware-infected email to cause havoc on a business’s entire network. That’s why phishing attacks are often so effective.

Here are a few things you should know about these types of attacks.

What is phishing? 

phishing
Phishing refers to a type of social engineering that happens primarily through emails. Hackers will send emails that often have links to malware.

The reason why phishing is effective is because it targets a big weakness in security: people. The best firewall in the world can’t help against an employee clicking on a malware-loaded email. Once one computer gets infected, if that computer is connected to the businesses network, the malware can spread throughout the entire network. It becomes even more dangerous when it spreads to computers with sensitive data.

For some businesses, all it takes is one infected computer to bring down an entire network.

SEE ALSO: Fighting Phishing Email Scams: What You Should Know

Common phishing tactics

So what phishing methodologies are put to use?
How do phishers target your employees?
A few common phishing tactics your employees should watch out for include:
  • Impersonation: a phisher may impersonate a higher-up, asking an employee for sensitive information/credentials, or ask the employee to wire money 
  • Contest winner: If you get an email claiming you won something you never even entered, it’s highly likely the email is a phishing scam 
  • The victim: This type of phishing email acts as an angry customer who supposedly sent you money in return for a shipped product. The email concludes with the threat that they will inform the authorities if they don’t hear from you
  • False bank notification: This ploy tricks you with a fake account notification, stating that an amount has been withdrawn from your account that exceeds your notification limit. It often gives you a convenient link that leads to a web form asking for your bank account number “for verification purposes”
SEE ALSO: Top 10 Types of Phishing Emails

How to spot a phishing email

So, you’ve received an email that seems a little strange. How do you know if it’s a phishing scam? Here are a few questions to ask.

When was it sent?
phishing email scams

Was it scheduled at a random time, such as 3 in the morning? Did you receive the email during business hours?

Do you know the sender?
If you’ve never heard of the sender or had any previous contact with them, it could be an indication of a scam, especially if they claim to know you.

Are the URLs slightly different?
Some phishers create domains to mimic larger, more established organizations. For example by adding an extra number like www.2target.com or www.bestbuy1.com, it may thwart the busied user into clicking a malicious link.

Does the content not match the subject?
This is a big red flag. If the subject line doesn’t match the content in the email, it’s a good indicator that the email might be a scam.

How is the grammar/spelling?
Does the email appear to have really bad grammar? Are many words misspelled? These could be indications of a scam.

As a basic rule of thumb, if something seems weird about an email, do not click on the link it offers or download anything. It’s better to be cautious than to risk infecting your entire business network.

If you see a phishing email, take the following steps:
  • Don’t click on any links or open attachments
  • Don’t try to reply to the sender
  • Report the scam (forward the e-mail to FTC-spam@uce.gov)
  • Delete the email from your computer
  • If you do business with a company mentioned in the email, you may want to call them and ask if they would like you to forward the email to them, so they may take further action

Tips to avoiding phishing scams

What can you do to combat phishing scams? Here are a few things to do to help you and your employees be ready.
  • Train employees: Do quarterly training meetings on avoiding and combatting phishing. Send daily reminders to employees to keep those tactics fresh in their mind
  • Test employees: Send out a “phishing” email to see how employees react. Hire an ethical social engineer to test employees on their training
  • Segment networks: keeping your card data environment separate from other networks is a good way to avoid potential breaches. This prevents your entire network from being vulnerable to malware should one employee fall victim
  • Use unique usernames and passwords: If your employees all share credentials, all a hacker has to do is gain access to one employee’s credentials to cause damage to your business
Need help with data security? Talk to one of our consultants!

SecurityMetrics 2017 Guide to PCI DSS Compliance

0 comments