How to secure your email against phishing

Scamming

Scams are typically distributed by unsolicited email. They are intended to deceive victims into divulging information that will result in identity theft or fraud.

Cybercriminals use scams to cheat people out of money or steal their identities by getting them to give up personal information. Scams include fake job ads, investment opportunities, notices of inheritance, lottery prizes, and transfers of funds.

Scammers often try to make money off tragedies like hurricanes, the COVID-19 crisis, and other tragedies. Scam artists take advantage of people's kindness, fear, or sympathy. During the peak of the Covid-19 outbreak, phishing incidents increased by 220% compared to the yearly average.

Spear phishing

Spear phishing is a highly tailored scam. Cybercriminals conduct extensive research on their targets—which can be individuals, organizations, or businesses—and produce carefully crafted mail, frequently impersonating a trusted colleague, website, or business. Typically, spear-phishing emails attempt to obtain sensitive data, such as login passwords or financial information, which is subsequently used to perpetrate fraud, identity theft, and other crimes.

More than 71% of targeted attacks employ spear phishing.

Although spear phishing is often intended to steal credentials and take over accounts, the cybercriminals may also infect victims’ computers and networks with malware, leading to financial loss and damage to their reputation.

Whaling is a form of spear phishing that targets public personalities, executives, and other large targets, hence the moniker.

Extortion scams: This form of spear-phishing is becoming more sophisticated because it bypasses email gateways.

Cyber criminals exploit stolen usernames and passwords to extort money from victims by pretending to have an incriminating video on the victim's computer and threatening to share it unless they pay.

Extortion scams are under-reported because they are embarrassing and sensitive.

Business email compromise (BEC)

BEC scams are another form of spear phishing. Malicious users compromise business email accounts to commit fraud and other crimes. They achieve this through social engineering, hacking, and spoofing.

Three variants of BEC frauds are:

The fraudulent invoice scam involves impersonating a well-known organization. The target receives a payment request from this organization.

CEO fraud involves hijacking an executive's email address and sending fraudulent emails to employees handling financial requests.

Messages from compromised accounts are sent to organizations or contacts the user knows. These contain other organizations' bills and payment requests.

Payroll scams, tax threats, travel-based scams, and fake charities are some of examples of BEC scams.

Email spoofing/ impersonation

An impersonation attack occurs when fraudsters appear as a trusted contact that coerces employees into sending funds or disclosing critical information.

URL phishing or domain impersonation is a type of attack where cyber criminals use emails to trick people into entering personal information on a fake website that looks real.

Following are the different ways cybercriminals exploit URLs:

• • Routing victims to desired websites by exploiting reputable websites, such as Google or Bing search engine results.
  • Masked overlaid hyperlinks, that redirect to a separate page.
  • Typosquatting: modifying, skipping, or misspelling letters in a domain name on purpose. For example, managengine.com instead of manageengine.com, or malformed prefix links such as http instead of https.
  • Subfolder links that create the illusion that a link leads to a valid website, but in fact is a subfolder purposely inserted in the middle of a URL. For example, Zoho.com.mail.com instead of zoho.com/mail/.

Clone phishing employs a previously delivered or valid email with attachments or links. The clone is a nearly identical copy of the original, with the attachments and links replaced by malware or a virus.

Conversation hijackings are highly personalized domain-impersonation attacks in which cybercriminals insert themselves into existing business discussions or create new ones to steal money or personal information.

Brand impersonation

The purpose of brand impersonation is to deceive people into divulging personal or otherwise sensitive information by impersonating a firm or a brand.

Service impersonation is a sort of phishing attack that impersonates a well-known corporation or popular business application. It’s a common phishing assault on a point of entry to harvest credentials and conduct account takeover. Additionally, service impersonation attacks are used to collect personally identifiable information (PII), such as credit card and Social Security numbers.

Microsoft is most often impersonated. Credentials for Microsoft and Office 365 are very valuable because they let hackers get into organizations and launch more attacks.

The most common Office 365 phishing attacks are email non-delivery, reactivation requests, and storage limitation alerts.

Brand hijacking occurs when an attacker appears to use the domain of a firm to impersonate the company or one of its workers. This is typically accomplished by sending emails with fake, or spoofed, domain names that look to be valid. Abysmal DMARC adoption is making it easier for scammers to spoof brands. (77% of Fortune 500 companies do not have DMARC policies set up.)

Lateral phishing

A lateral phishing assault sends emails from a legitimate but hacked account to unwary recipients, such as company contacts and external partners.

Attackers can target a wide range of people and organizations after acquiring access to a company's email account.

In a recent spear-phishing report that analyzed lateral phishing attacks conducted against nearly 100 organizations, 63% of attacks employed "shared document" and "account problem" messages (e.g., "You have a new shared document"). Another 30% of events used refined communications, targeting enterprise companies (e.g., "Updated work schedule," “Please distribute to your teams”) In the most sophisticated attacks, 7% used organization-specific content.

Inconsistent web addresses

Look for email addresses, links, and domain names that don’t match. It’s a good idea, for example, to examine a previous correspondence that matches the sender's email address.

Before clicking on a link in an email, recipients should always hover over it to view its destination. If the email appears to be from Acme, but the domain of the email address does not contain "Acme.com," it is likely phishing.

Unsolicited attachments

Malware is frequently disseminated via phishing emails with odd attachments. If you receive an "invoice" in the form of a .zip file, an executable, or anything else out of the ordinary, it is likely malware.

According to a recent Threat Report from ESET, these are the most common types of harmful files attached to phishing emails:

• • Windows executables (74%)
  • Script files (11%)
  • Office documents (5%)
  • Compressed archival storage (4%)
  • PDF documents (2%)
  • Java files (2%)
  • Iterative files (2%)
  • Cut corners (2%)
  • Android executables (>1%)

Inconsistent links and URLs

Double verify URLs. If the link in the text and the URL displayed when the cursor lingers over the link aren’t similar, you’ll be directed to an undesirable website.

If the URL of a hyperlink doesn’t appear to be correct or doesn’t match the context of the email, you shouldn’t trust it. Take the added security measure by hovering your mouse over embedded links (without clicking!) and ensuring that the link begins with https://.

Don’t open the link if the email is unexpected. As a precaution, visit the website you believe to be the origin of the email directly.

Generic salutation

If a corporation with which you do business wanted account information, the email would call you by name and likely direct you to call them.

Phishing emails frequently contain generic greetings such as "Dear valued member," "Dear account holder," and "Dear client."

Tone and grammar errors

The tone and grammar of an email from a legitimate company should be impeccable.

A phishing email will frequently contain misspellings and grammar errors. If an email seems out of character for its sender, it’s likely malicious.

There’s a purpose behind improper syntax. Hackers focus on the less tech-savvy because they believe they’re less vigilant and, therefore, easier targets.

Unusual requests

If an email asks you to do something out of the ordinary, it could be a sign that it’s malicious. For example, if an email says it's from a certain IT team and asks you to install software, but these tasks are usually handled by the IT department as a whole, the email is probably malicious.

According to research by KnowBe4, these were the most common subject lines for real-life phishing emails in 2021:

• • IT: Odd emails coming out of your account
  • IT: Future Changes
  • HR: Satisfaction Survey on Work from Home
  • Facebook: Your access to Facebook has been turned off temporarily so we can check your identity.
  • Twitter: Possible Hacking of Twitter Account

Fake LinkedIn messages are used in 47% of social media phishing attempts. People often get contextual emails asking them to reset their passwords or giving them "information" about possible new connections ("You showed up in new searches this week!" "People are looking at your LinkedIn profile!").