
We’d like to say that it’s incredibly easy to avoid email phishing scams, but they’re constantly evolving, making them more difficult to spot and avoid. We can’t count the number of businesses throughout Phoenix, Portland, Spokane and surrounding areas that have fallen victim to a clever phishing scam.

The best way to avoid these types of scams is to always know what to look for. We stay up to date on the latest tactics cyber criminals use to target businesses. It is always a good idea for every business to know about these methods so they can train employees on what to avoid.

The High Cost of Email Phishing Scams

It’s just an email; what harm could it do? We know it might not sound that dangerous, but phishing emails are one of the top ways that hackers infiltrate businesses. Password reuse and poor security controls are two of the other common ways. The good thing is that all three of these strategies can be defended against. What makes phishing emails so much more dangerous is that they’re often disguised as emails a business would normally trust.

All it takes is a carefully targeted email that appears to come from a trusted source, like an I.T. admin, Human Resources employee, or maybe even the CEO. It might ask for an employee’s credentials for a security check, bank account info for direct deposit, or making a purchase with a company card. Instead of investigating further, such as checking the email address itself, or calling the individual, the employee sends the credentials as requested. They think they’re helping, but instead, they just let an outsider into the business, and no one knows it.

In 2018, email phishing scams and business email compromise attacks cost businesses $1.2 billion in the US. Considering phishing often leads to a breach, there’s also the average $3.9 million in breach recovery that businesses must contend with.

While we’ll always recommend our clients have filters in place to reduce phishing emails, nearly 30% make it past those filters. Advanced social engineering scams often look legitimate, making it difficult to create a perfect anti-phishing e-mail policy. For every email that makes it through, the chance of an employee falling for it increases. This leads to data loss, monetary loss in productivity, and even reputation damage to the business.

Overall, malicious links and attachments are the most common type of content found in phishing e-mails. Sometimes, all it takes is a single click or download to infect a network. Others use social engineering techniques resulting in business email compromise scams, which cost businesses $300 million per month. These emails pose as clients, trusted businesses, governments, etc. A business hands over data and money, not realizing the scam until it’s too late.

  1. AI Support Phishing

The most convincing email phishing scams are those that look real. There aren’t any obvious hints that the sender is malicious, and the email contains details only a client or co-worker should know. These are typically difficult to put together, but thanks to artificial intelligence, hackers can automate the learning process to create far more sophisticated messages. When in doubt, call or text the sender directly.

As a side note, we’re also seeing a rise in phishing calls that use AI to imitate other employees, clients and managers. This is still new, but it’s a good idea to keep it in mind in case the caller doesn’t sound quite right.

  2. Urgency Phishing

We don’t like disappointing our clients, so we can fully understand how urgency phishing scams are so successful. These appear to come from a manager, client or trusted brand. Threats are often used to incite panic, such as “do this or you’re fired” or “send this sensitive data now or we’ll go with a competitor.” When someone panics, they don’t investigate further.

In the same vein, angry customer email phishing scams work the same way. We’ve gotten some of these and, for just a moment, they seem real. However, we always dig a little deeper and find the signs, such as bogus links, questionable attachments (just don’t open them) and suspicious-looking email addresses.

  3. Realistic-Looking Domains

Businesses often use many of the same services, such as PayPal, to conduct business. For example, sending a targeted message to someone in accounting stating that their PayPal account has been suspended is common. The employee clicks the link to log in to the account and resolve the issue. Instead, they’re sent to a realistic-looking fake domain where the hackers scoop up their credentials. This type of scam happens with all types of popular services, but the sender’s email address and the link locations are usually indicators of a scam.

  4. Job Applications

This is one of the hardest email phishing scams to avoid. We’ve had these come through as well. The scammer sends in an innocent-looking job application for an open position. HR opens the attached resume and the malware it carries runs. We recommend having applicants fill out an online form to avoid this issue.

Of course, another way to avoid this is to set up a sandbox system to open unknown attachments. We can help recommend the right solutions and help get that set up.

  5. A Trusted Authority

Few employees are going to question an email from their boss. We know we would, but only because we’re trained to do so. If scammers know the business’s structure and manager names, it’s easy to send targeted emails assigning the employee a task. All the employee must do is click a link or download a file. The number one source for leads on how a business is structured or who the managers are is social media (LinkedIn, Facebook, etc.).

In some cases, the boss might ask for sensitive information, such as a report or even login credentials. Once again, employees are likely to simply answer the email versus double-checking to see if it’s valid.

Preventing Email Phishing Scams

We know that the above scams might seem unavoidable. However, this isn’t always the case. Typically, no matter what a business does, the occasional phishing email will likely come through. Therefore, businesses must have a multi-layer cybersecurity strategy in place.

The first step is to block any obviously “phishy” messages. Filters can block known malicious and spam source domains. With constant updates, real-time protections add more restrictions to the list as they’re reported. For instance, quite a few PayPal scams come from domains that merely look like PayPal’s, though no one would notice that unless they looked at the sender’s email domain. As soon as such a domain is known, it’s blocked.
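The look-alike domain checks described above (in the “Realistic-Looking Domains” section and in this filtering step) can be automated. The script below is an added example written for this article, not ISOutsource’s tooling: it parses a constructed sample message, pulls the domain out of the From: header and out of every link in the body, and compares each against an assumed allowlist of domains the business actually uses. A domain is flagged as a look-alike if, after swapping common confusable characters (0/o, 1/l, rn/m, vv/w), it is within one edit of a trusted domain, or if a trusted name such as “paypal” is embedded inside some other domain. The sample addresses and domains are constructed for the example.

```python
"""Look-alike sender/link domain check for an email (added example, not ISOutsource's code)."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Assumed allowlist: domains this business legitimately receives mail and links from.
TRUSTED_DOMAINS = {"paypal.com", "example-corp.com"}

# Single-character substitutions attackers use to imitate letters in a domain.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample message: a "suspended account" lure with one fake link and one real one.
SAMPLE_EMAIL = b"""From: PayPal Support <service@paypa1.com>
To: accounting@example-corp.com
Subject: Your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Log in now to restore access:</p>
<a href="https://paypal.com.secure-login.example/restore">Restore my account</a>
<a href="https://www.paypal.com/help">Help center</a>
</body></html>
"""


def normalize(domain: str) -> str:
    """Lower-case the domain and undo common confusable substitutions so
    'paypa1.com' and 'paypal.com' compare as equal."""
    d = domain.lower().rstrip(".").translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    """Return 'trusted', 'lookalike: ...' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    if host in TRUSTED_DOMAINS or any(host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    # Naive registrable-domain split (last two labels); a public-suffix list would be better.
    registrable = ".".join(host.split(".")[-2:])
    norm_host, norm_reg = normalize(host), normalize(registrable)
    for t in TRUSTED_DOMAINS:
        # Typo or confusable-character imitation of a trusted domain.
        if edit_distance(norm_reg, normalize(t)) <= 1:
            return f"lookalike: resembles {t}"
        # Trusted brand name used as a subdomain or fragment of someone else's domain.
        name = t.split(".")[0]
        if name in norm_host:
            return f"lookalike: trusted name '{name}' embedded in another domain"
    return "unknown"


def sender_domain(msg) -> str:
    """Domain part of the From: header, ignoring the display name."""
    m = re.search(r"@([\w.-]+)", str(msg["From"]))
    return m.group(1) if m else ""


def link_domains(msg) -> list:
    """Hostnames of all http(s) links in the message body."""
    part = msg.get_body(preferencelist=("html", "plain"))
    if part is None:
        return []
    urls = re.findall(r'href=["\']?(https?://[^"\'\s>]+)', part.get_content(), flags=re.I)
    return [urlparse(u).hostname or "" for u in urls]


def scan(raw: bytes) -> dict:
    """Classify the sender domain and every link domain in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {"from:" + sender_domain(msg): classify(sender_domain(msg))}
    for host in link_domains(msg):
        findings["link:" + host] = classify(host)
    return findings


if __name__ == "__main__":
    for item, verdict in scan(SAMPLE_EMAIL).items():
        print(f"{item:45} {verdict}")
```

Run against the sample, the sender (paypa1.com) and the first link (paypal.com.secure-login.example) are both reported as look-alikes while www.paypal.com is trusted. The registrable-domain split here is deliberately simple; a production filter should use a public-suffix list and treat the verdicts as one signal alongside authentication results such as SPF and DKIM rather than as a final decision.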

The next step is to ensure protections are in place in case an employee does click a malicious link or attachment. Backup and disaster recovery plans are critical if the worst does happen. Up-to-date antivirus software often blocks users from visiting a malicious site or page, while attachments are sandboxed and scanned before they’re opened.

The final, and most important step is employee training. Technology and its corresponding dangers require employees to be properly trained. If they know what to look for, they’ll be more likely to avoid email phishing scams. If they know how to use a business’s technology, they’ll be better equipped to recognize when something’s not quite right. Don’t worry, we can help with this too.

Overall, these scams can be avoided. It just takes due diligence. Contact ISOutsource today to learn how we help protect businesses from phishing scams through the right tools and training.


Written by Scott Sjodin