Email Phishing Safety Guide
You’ve heard about the cybercriminal scam called email phishing, but what is it really, how does it work, and how does it affect me? We address this, as well as types of email phishing scams, how to spot scams and illegitimate companies, and how to report them.
What is email phishing?
Well, to start, let’s make clear that this has nothing to do with the catch of the day or sushi of any kind. Phishing is when a scammer or cybercriminal tries to trick you into giving them money or personal information such as your:
- Private or personal information
- Financial information.
They will usually try to impersonate a trustworthy entity, whether it’s a family member, colleague, SARS, or even your bank. This means that the emails can appear to be coming from an official or trusted source. In reality, you could be one click or email away from falling victim to the scammers’ nefarious plots.
Why should you care?
It’s important to know that the primary goal of phishing is to elicit information from you that the scammer does not have. In some cases, they may have your name, street address, or even an account number from your bank. Oftentimes, however, it’s not enough for them to gain access to your passwords or any of your accounts. If you’re unsure of how secure your passwords are, check out these best practices to create an ironclad password.
Essentially, they’re laying bait with the little information they have in the form of emails hoping you bite, hence: phishing. If you do bite, you may end up being the catch of the day and that’s not a prize you want.
Phishing is a kind of social engineering that is cleverly designed to play on people’s emotions, desperation, and unawareness.
It’s important to be honest with yourself. If you didn’t order a package, partake in a competition, or don’t have a family member who just passed inheritance on to you, the prize or recognition you’re getting is likely bait.
The dangers of email phishing
So, some scoundrel sent you an email trying to trick you into releasing personal information. What does this mean and what can they really do?
Depending on the information you volunteered, they could make your life a waking nightmare by accessing your financial information, personal records and data, health information, and much more. The primary impact successful phishing attacks had in 2020 was data breaches and compromised account credentials (60% and 52% respectively).
It’s fair to say that the two are closely linked together, but what does that mean for you? You may not be too concerned with scammers having some of your personal details or your account numbers, as it’s all password protected after all – this is a mistake.
Scammers use this information to hack into your work and private bank accounts, or company systems and take as much as their virtual arms can carry. Just one phishing expedition can give a scammer access to your company and bring it down, resulting in loss of trust, clients, and money. They may even use your details and fool you into paying them by pretending to be SARS, your bank, supplier, or someone with whom you do business.
Among the worst things that can happen would be paying an account or purchasing something, but the account you paid it to was the hacker’s and not the intended party. You’ll be trying to figure out what happened while the scammer laughs all the way to the bank.
In May 2021 hackers breached Colonial Pipeline in America, forcing them to pay $4.4 million (R63 million). The cause: one lapse in security from a single employee. Secure your website and ensure that you and your staff know how to be safe online to save yourself from future losses.
You may not be giving them the exact password key to your accounts, but by allowing your data to fall in the wrong hands you may as well be handing them a crowbar with directions to their next hit.
In a work setting, phishing emails can give scam artists free rein over a company’s financials or proprietary information. In 2020 alone, 75% of organisations experienced phishing attacks of one kind or another.
Cofense released a report that found that of the millions of emails their AI scoured, 47% were Microsoft-themed. Other popular brands ‘phishermen’ impersonated were PayPal, Google, Amazon, LinkedIn, and DHL.
They could also take it a step further and blackmail you to get to a bigger target. Some examples would be threatening to sell your information online, release private messages and pictures to people you know, or demand a ransom.
It’s best practice to always confirm banking details, payment instructions, and other security information in person or via a phone call, especially if received via email.
Types of email phishing scams
While each phishing email could be tailored to specific companies or individuals, there are three main kinds:
- Clone phishing. This is when an email address that was previously legitimate is stolen or hijacked then cloned to create an identical email. Everything about the email seems secure because you would have corresponded with the sender already, before knowing that their account had been hacked. Almost all clone phishing emails will include malicious links and/or attachments that install malware and compromise your system.
- Spear phishing. Spear phishing is a targeted attack usually directed at a specific person or organisation. The bad actors will use a spoof email in the hopes of tricking you into giving sensitive information about yourself or a particular organisation. The more information they have, the greater the likelihood of success for their phishing expedition. Most phishing attacks are looking for credentials. The discrepancy between looking for credentials versus malware drops can be as much as 70%.
- Whaling. This type of phishing is when scammers target an upper manager, usually a CEO or CFO, because of their position in a company or organisation. The email will tend to fit the target’s position in the company. This can be in the form of a legal document such as a subpoena, a high-level customer complaint, or a fake invoice from a spoofed email. Out of millions of vetted phishing emails, around 6% were found to be CEO fraud.
How to spot phishing scams and not take the bait
Hackers and scammers have thought up some ingenious ways of procuring our data via phishing. Fortunately, there are signs that are easy to spot if you know to look for them.
Examine the email address
Scammers will often use a spoof email address, which is a fabrication of the email header. The email header will look similar to an address with which you are likely familiar, thus creating trust. If you inspect the email header properly, however, you’ll spot the fake.
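The header inspection described above, sketched in Python as an added example (not part of the original guide): it compares the address shown in the display name with the real From address, Reply-To and Return-Path, and reads the receiving server's Authentication-Results verdicts. The sample message, all its addresses and the warning labels are constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample (not a real message); every address here is made up.
SAMPLE = """\
From: "support@safebank.co.za" <alerts@mail-safebank.example>
Reply-To: helpdesk@freemail.example
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.example.net; spf=fail; dkim=none; dmarc=fail
Subject: Verify your account

Your account is at risk. Verify now.
"""

def domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def header_warnings(raw):
    """Return warning labels for one raw message. Signals to weigh, not proof."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain(addr)
    warnings = []
    # 1. The display name shows an address from a different domain than the
    #    real sender address that follows it in angle brackets.
    shown = re.search(r"[\w.+-]+@[\w.-]+", name)
    if shown and domain(shown.group(0)) != from_dom:
        warnings.append("display-name-address-mismatch")
    # 2. Replies or bounces are routed to a different domain than From.
    for hdr in ("Reply-To", "Return-Path"):
        other = domain(parseaddr(msg.get(hdr, ""))[1])
        if other and other != from_dom:
            warnings.append(f"{hdr.lower()}-domain-mismatch")
    # 3. The receiving server recorded an SPF, DKIM or DMARC result other than pass.
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", results)
        if m and m.group(1) != "pass":
            warnings.append(f"{check}-{m.group(1)}")
    return warnings

if __name__ == "__main__":
    for w in header_warnings(SAMPLE):
        print(w)
```

Legitimate bulk-mail services often use a different Return-Path domain, so a single label is a reason to look closer rather than a verdict.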
This may seem like a simple one, but bad actors tend to copy a script for their illicit activities. As a result, many of the phishing emails include spelling errors, have the same format, or can appear less professional. That is not to say that this is always the case, but should an email have one too many grammatical errors, take a second look to ensure its legitimacy.
Dramatic and urgent claims
Cybercriminals will try to lure you in with lucrative deals or eye-catching offers that need to be capitalized on right away. Perhaps saying you won a series of gift cards, some electronics, or some other prize. While it may seem ideal, it’s very unlikely you’d have struck gold in a random raffle, particularly when you know you didn’t enter one. Remember, officials from reputable organisations will offer enough time for whatever request they have.
Check the salutation and signature
Sometimes the scammer’s script can give itself away with the very greeting. Any person in your circle will address you by your first name, while businesses may address you by your first or last name. The salutation is always, however, uniform or personalized. If you come across a salutation such as “Dear valued customer” or “Dearest friend”, etc., it could be spam at best, and a scammer at worst. When checking the signature, always be aware that an official correspondent will have much of their contact information present. This will include their email address, phone number, landline, and whatever other means are available to them. Your bank won’t be contacting you from a Gmail account, that’s for sure.
Don’t click on links or attachments
Many phishing attempts using spoof emails can entice you to trust a link or attachment. Unless you are expecting a link or attachment, be wary. Even if you are expecting it, it’s a good idea to hover your mouse over the link first as that shows the actual URL. The text may show “Safebank.co.za”, but upon inspection the link could take you to a phishing site named “Safebamk.co.za”. One simple phishing email sent is the ol’ “verification email”. The digital scoundrel will prompt you for information by using your account being at risk as the ruse. The accompanying link is bad news. If you are concerned about the safety of your account, contact the support team directly using the number or email on the official website. In the case of attachments, any unsolicited attachment should be treated with care. They often contain malware or ransomware that can lock you out of your system and give control to the scammer.
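The hover check described above can be automated for an HTML message body. The following Python sketch is an added example, not part of the original guide: it flags links whose visible text names one domain while the href points to another, and links whose target closely resembles a trusted domain. The trusted list, the 0.85 similarity threshold and the sample HTML are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

TRUSTED = {"safebank.co.za"}  # assumption: domains the reader really uses
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
# Constructed sample body: the first link is the case described in the text.
SAMPLE_HTML = ('<p>Verify at <a href="https://safebamk.co.za/verify">'
               'Safebank.co.za</a> or read the <a href='
               '"https://www.safebank.co.za/help">Safebank.co.za help page</a></p>')

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def norm(host):
    """Lower-case a host name and drop a leading 'www.'."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def check_links(html):
    """Return (href, reason) for links whose target is not what it seems."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        target = norm(urlparse(href).hostname)
        shown = DOMAIN_RE.search(text)
        # The visible text names a domain, but the link goes somewhere else.
        if shown and norm(shown.group(0)) != target:
            findings.append((href, "text-target-mismatch"))
        # The target is nearly, but not exactly, a trusted domain (heuristic).
        if any(target != good and
               SequenceMatcher(None, target, good).ratio() >= 0.85
               for good in TRUSTED):
            findings.append((href, "lookalike-domain"))
    return findings
```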
How to spot an illegitimate company
Now that we know the key markers for blasting phishing emails out of the water, we can take a look at some of the ways scammers can front as a company.
Check the website of the company
- As with the phishing emails, check the grammar. Any professional company would want to minimize the amount of grammatical and spelling errors on their website.
- Try and find a brick-and-mortar location for the business along with a phone number. Any cyber ruffian can create a scam website, but having a physical location requires a lot more investment and can usually be a sign of legitimacy. Addresses and phone numbers can, however, be faked. A good idea is to check the local area of the business online and see if surrounding businesses have similar area codes or addresses.
Use WHOIS lookup
- You can also make use of a WHOIS domain lookup. This will tell you who owns the domain name, and can give you other information as well such as when and where it was registered and when it will expire, the registrar it was registered with etc. If the information is private or the domain was created recently, you should tread cautiously going forward.
- Another method is to check the CIPC (Companies and Intellectual Property Commission) website. A simple search on the website will verify the official existence of a company. If the name shows up on the website, the company is genuine; if not, the company is likely to be fraudulent.
How to report fraudulent websites
If you determine that a website is used for phishing or is a scam, you can take action to ensure the internet is a slightly better place by reporting it to the web hosting provider.
You can use our WHOIS lookup tool. Simply enter the domain name and find the name servers. You’ll find who is hosting the website there.
Once you determine who the hosting provider is, you can report the website to them via email or phone. Ensure that you include as much detail as possible on the activities of the website and how they are conducting their fraudulent activity.
To sum up, email phishing and fraudulent companies can be easy to spot if you know what to look for. It only takes one compromised person to bring down an entire organisation. Your best line of defence is to train your staff or loved ones about the risks online. Share this article with them to ensure they don’t become bait.
Remember, scammers bank on people being unaware and untrained, but by following the tips and tactics we’ve laid out, knocking cybercriminals down should be a simple hook, line, and sinker.