Everyone using a computer in 2020 has gotten a phishing email. While you might not be able to claim that you are a victim of a phishing attack, you’ve likely heard of the scam. If this is the first time you’re hearing about phishing attacks, in this blog post we’ll show you why they’re such a big deal.
Hopefully this shouldn’t be a surprise, but the term “phishing” is a play on “fishing.” The whole idea of a phishing attack is to lure someone into handing over sensitive information. So in a sense, hackers are casting a line and waiting to see who gets hooked.
How do hackers do this?
They set up deceptive websites or send out an email to intentionally misguide someone into handing over their information.
This can take many forms, but there are a few major examples that I’ll share here.
This is when a page looks like a login you use all the time, but in reality it’s a phishing scam. Duplicating Office 365 login pages is a common tactic that hackers use.
The key is looking at the URL of the page for anything fishy.
Unfortunately, hackers are very eager to take advantage of people’s desire to support good causes. They do this by setting up fake causes for you to care about and donate to. Most often, they utilize recent tragedies getting a lot of coverage in the news. Then, they’ll set up a page claiming that any funds you donate will go to help the cause you care about.
What these hackers really want are your login credentials.
This tactic seems to be most successful, and it’s one I’ve seen firsthand in my own inbox.
The email might come from someone you don’t know, but the body of the email will have a long email forward that includes a message from your boss expressing that they need money wired to them and it is urgent. The person will usually claim to be a friend or relative of your boss and supply you with a link so that you can wire possibly thousands of dollars to your boss.
An alternate version of this email omits the forward completely and is sent from an email attempting to mimic your boss’ email. This is done by either creating a Gmail account with your boss’ name in it, or even registering a domain that is similar to your company’s domain. So if I were to receive a message from “firstname.lastname@example.org”, I might think it’s from our CEO at first-glance.
Well, if “scam” is in the address, I hope I don’t fall for that one.
Another favorite tactic of scammers. Everyone pays attention when it comes to their bank account being in jeopardy. So if you get an email claiming that you need to take action in the form of transferring money from your account, double-check that email.
These types of scams usually have “bank” in the sender address. But if it doesn’t match the name of your current bank, do not click anything in that email. Even if it does, call your bank first and talk to them.
A few commonalities you’ll find in a lot of phishing schemes are:
Phishing attacks are easy to deploy. If you’ve seen some of these emails, you probably understand that they’re low effort. Once they have the links where people can hand over bank account information or online logins, they can send blasts. A lot of their attempts get filtered through spam detectors, but enough get through those detectors that it’s worth their while.
It’s also worth noting that a single phishing attack can result in a huge payout. Barbara Corcoran fell for a scheme and paid over $400,000. Mattel nearly lost $3 million in 2015 to a phishing scam, but luckily because of bad-timing on the part of the hacker, they were able to recoup that money. Over a period of a few months, the European theater chain Pathé lost nearly $21 million because they were unknowingly wiring money to fraudsters.
Hackers can launch hyper-targeted campaigns, aiming to steal money from major companies using phishing attacks. Or, they can set up a more generic phishing scheme in an attempt to get smaller payouts from a wide range of people.
The big takeaway here is that there are a variety of phishing scams that hackers can deploy depending on how dedicated they are to the scam. And it’s proven time and again that these scams work.
Honestly, everyone should be concerned about phishing scams. That doesn’t mean you should be afraid to open your email or click on links every time you open your computer. But it does mean that you should be careful online. Knowing that these phishing attacks are out there is the first step.
Education is a huge factor in minimizing the number of people who fall for phishing scams. But part of the reason these scams work is because the hackers that deploy these attacks are clever. So educating your employees is step No. 1 in prevention. Tell them what to look for.
Another way you can prevent phishing attacks is adopting a solution for DNS protection. This takes the responsibility of determining if something is a threat or not out of the hands of your employee. If DNS protection software deems a site is a phishing website, it will not allow you to view the page. If you’re sent a phishing email asking you to transfer money, it won’t open any links you click within the email.
To keep your staff from becoming another victim of phishing attacks, you need to put security in place to protect them.