October 16, 2017
How to Avoid Phishing Scams
Phishing attacks are online scams that use fraudulent email to steal confidential information, such as: usernames, credit card numbers, banking information, corporate passwords, and intellectual property.
Periodically, clients ask me a question similar to this: “I’m a marketing manager. Why would anyone target me in a phishing scam?”
There are many reasons to target individuals at varying levels across organizations. However, I think these are the most relevant:
- Your computer has access to your organization’s network and can serve as a beachhead for a deeper-penetrating attack on that network.
- You may have access to market-moving information about the brands and products that you manage.
The threat is real. In terms of records breached, healthcare was the sixth-most-frequently hacked industry.1
For similar reasons, scammers target agencies that work for pharmaceutical, biotechnology, and healthcare organizations. It is essential that your agency partners have security expertise and continuously evaluate the threat landscape and monitor their networks, devices, and activities.
Vigilance Is Critical
Even with my decades of cybersecurity experience, I was nearly hooked by a phishing attack.
Here’s what a recent attack looked like:
The phishing email was fairly well crafted, using details and context from my real life. The “From” name is Dan Hedges. Dan is a relative of mine. The body of the email is contextually relevant because I had recently issued press releases and been covered in the press. Additionally, the subject line implies that the message is a forwarded email, and the message looks like a forwarded press clipping. If I hadn’t noticed that the email address did not match my relative’s name or business name, I might have clicked the link in the body of the email.
The attacker included just enough information that if I were busy multitasking, I might have missed subtle signals that this was not a credible email. I’ve included a link to an article by Johnson below that has additional examples of phishing emails.2
Red Flags That Indicate a Phishing Attack
Some attacks are laughably obvious, such as the “prince” who promises to wire you a share of his fortune after you provide your bank information and a $100 processing fee. Other attacks are savvy enough to fool the most watchful individuals and advanced email filters.
These are some common indicators of phishing emails:3,4
- Spelling errors and bad grammar
- Threatening wording, such as “To avoid a fine, respond within 24 hours”
- Requests for personal information about you and people you know
- Requests to immediately open an attachment
- “Reply-to” email addresses that are unfamiliar or don’t match the expected destination
- A large number of email addresses in the “To” section of the email
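As an added example that is not part of the original article, the following Python checks a message against several of the indicators above, plus the display-name/address mismatch from the forwarded-clipping story. The sample message, the address-book mapping and all domains are constructed for illustration.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses, parseaddr

# Constructed sample modelled on the forwarded press clipping described above:
# a familiar display name, but the address and Reply-To belong to other domains.
SAMPLE = b"""From: Dan Hedges <dhedges@example-news-mail.test>
Reply-To: collect@another-domain.test
To: a@corp.test, b@corp.test, c@corp.test, d@corp.test, e@corp.test, f@corp.test
Subject: FW: Your press coverage
Content-Type: text/plain

To avoid a fine, respond within 24 hours. Login here to verify your account:
http://verify-account.test/login
"""

# Threatening or credential-lure wording from the red-flag list above.
URGENCY = re.compile(
    r"\b(within 24 hours|avoid a fine|immediately|urgent|verify your account|login)\b", re.I)

# Assumed address book: lowercase display name -> domain we expect that person to write from.
KNOWN_CONTACTS = {"dan hedges": "hedges-family.test"}

def domain(addr):
    return addr.rpartition("@")[2].lower()

def phishing_indicators(raw, known_contacts=KNOWN_CONTACTS, max_recipients=5):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    expected = known_contacts.get(name.strip().lower())
    if expected and domain(addr) != expected:        # known name, unexpected address
        flags.append("from-name-domain-mismatch")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain(reply_to) != domain(addr):  # replies go somewhere else
        flags.append("reply-to-mismatch")
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) > max_recipients:               # bulk "To" list
        flags.append("many-recipients")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if URGENCY.search(msg.get("Subject", "") + "\n" + text):
        flags.append("urgency-or-credential-lure")
    return flags
```

Running `phishing_indicators(SAMPLE)` flags all four indicators; a plain note from the expected domain with one recipient returns an empty list.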
7 Steps to Safety
We’re all vulnerable, but good email hygiene reduces the risk of phishing attacks. Here are steps you can take to protect yourself and co-workers:
- Don’t click links in email, unless you expected to receive the link from a known sender.
- Don’t include sensitive information in email.
- Be wary of links such as “verify your account” and “login.”
- Don’t call phone numbers given in a suspect email.
- Don’t open attachments that you did not expect to receive.
- Think twice before opening attachments, even if you recognize the sender. When in doubt, contact the sender.
- Use antivirus and firewall software.
Phishing attacks are dangerous and costly, as you can see from these examples5:
- Hackers used malware-laden emails to attack a restaurant chain’s point-of-sale system and steal credit card information from millions of the restaurant’s customers.
- A phishing attack injected malware into the computer system of a Ukrainian financial technology company; the malware then spread to hundreds of organizations around the world.
- Employees received phony email messages, supposedly from executives of their company, asking for personal information. This attack compromised more than 120,000 people at 100 organizations.
- Phishing attacks have led to the wire transfer of hundreds of millions of dollars from corporations’ bank accounts to attackers’ accounts.6
A healthy dose of skepticism, vigilance, and good practices will keep you and your organization safe. While Arteric does not provide email and network IT security services, we do believe it is important for our customers to understand the risks and steps they can take to protect themselves, their brands, and their companies.
- IBM X-Force Threat Intelligence Index 2017. IBM website. https://www-0ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=WGL03140USEN&. Published March 2017. Accessed October 13, 2017.
- Johnson C. 15 Examples of Phishing Emails from 2016-2017. EDTS website. Available at http://www.edts.com/edts-blog/15-examples-of-phishing-emails-from-2016-2017. Published July 21, 2017. Accessed October 10, 2017.
- Don’t take the bait. Indiana University Protect IU website. https://protect.iu.edu/online-safety/personal-preparedness/email-phishing.html. Accessed October 10, 2017.
- How to recognize phishing email messages, links, or phone calls. Microsoft Safety and Security Center website. https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx. Accessed October 10, 2017.
- Benishti E. Devastating phishing attacks dominate first half of 2017. Ironscales website. https://ironscales.com/blog/devastating-phishing-attacks-dominate-first-half-2017/. Accessed October 11, 2017.
- https://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/. Published July 11, 2017. Accessed October 13, 2017.