It’s the wee hours of Saturday morning, and you get a frantic call from one of your clients. They are in a different time zone, so it makes sense why this call would come in so early, although it is still unusual for a Saturday.
They proceed to tell you that they can’t access their online account despite having reset their password the previous day. Now, they’re getting a stream of email alerts on activities that just don’t seem to make sense. You try your best to get them to calm down as you try to figure out what the problem could be.
Your client tells you that they were only acting on an email you sent out the previous day, informing them that unusual activity had been detected on their account and that they needed to reset their password urgently.
They clicked on the link, which then sent them to their account dashboard. They proceeded to confirm their identity, enter their old login credentials, and the new password to complete the reset process. Now they can’t access their account despite the stream of email alerts they’re receiving!
Out of everything they said, one thing, in particular, stands out for you – You never sent out an email about a password reset.
Both your company and your client have just become the latest victims of a phishing attack.
You’re now likely wondering, “What is phishing, and is it dangerous?”
Phishing is a technique used by cybercriminals to gather sensitive information from unsuspecting victims using fictitious emails and websites that disguise themselves as trustworthy entities. Phishing attackers have perfected this art of deception to a fault.
They take advantage of human naivety, fear, curiosity, and gullibility to manipulate their victims and extract the information they need to defraud them. In the hypothetical case of your client, the attackers exploited their fear that their account had been compromised. They used it to direct them to a fictitious website where they proceeded to surrender their login credentials.
The criminals created an email address that looked almost identical to yours except that it had one letter missing in the domain name, that only someone with an incredibly discerning eye would be able to spot.
In the recently released 2019 FBI Internet Crime Report, the agency recorded more than $3.5 billion in losses through internet-enabled crimes. According to the report, phishing scams were responsible for a considerable chunk of these losses.
Phishing Scam Examples
No one would be so foolish as to fall for a phishing scam, right? After all, who would be duped by an email from a Nigerian Prince who needs you to transfer funds into their account in exchange for a 20% stake in their multi-million dollar oil exploration project? Hardly anyone.
Phishing scams these days, however, have become a lot more sophisticated.
In email phishing scams, hackers play a numbers game by sending thousands of fraudulent messages to internet users in the hope that a small percentage of the receipts fall for it. But, to better their odds of success, they go to great lengths to design email interfaces that could pass for the real deal. They use the same logos, typefaces, and signatures to make them appear legitimate.
Additionally, the attackers usually craft messages that create a sense of urgency to prompt victims to take action quickly. This makes it less likely to spot any inconsistencies in the malicious email, leaving them vulnerable to falling for the scams.
Finally, the links used within the email redirect the victim to a website that is identical to the authentic one. While the domain name may resemble the legitimate one, if you’re keen, you’ll be able to spot some subtle spelling differences that are otherwise easy to miss.
Phishing Email Examples
Say, for instance, that you have a bank account at “Authentic Bank,” and you receive what appears to be an auto-generated email from a no-reply email address. The contents and appearance of the email look identical to the ones you’ve previously received from the bank, so no red-flag there.
The email states that your account password expires in 24 hours, and you need to update it using the link provided. The real URL to the site is “authenticbank.com.” The link provided in the email reads “authenticbank.com/update.”
Clicking on this link could do one of two things:
- It could redirect you to a bogus page that looks identical to that of the legitimate site. The bogus page’s URL could read something like autheticbank.com/update”. You’re likely to miss the subtle change in the spelling of the word “authentic.” You would then provide your login credentials, which the attacker would steal and use to access your account via the real site.
- It could redirect you to the actual webpage but, in the process, activate a malicious script in the background that hijacks the session cookie. This would give the attacker privileged access across the entire university network.
A more targeted form of phishing, known as “spear-phishing,” uses spoofed emails to target specific individuals in companies as opposed to random recipients. The attackers do their due diligence beforehand, to pose as someone within the organization.
They could reference an on-going project or anything that may be of interest to the target before prompting them to use their network credentials to login and view the attachment.
Phishing Scam Protection
Any spoofed email contains subtle clues that let you know it’s a scam. Pay attention to the domain names used in the links for any differences in spelling and compare them against the URLs of the authentic sites. You should also pause and take a moment to reflect on why you would receive such an email in the first place before you take any action.
Some of the steps companies can take to guard against phishing attacks include:
- Implementing two-factor authentication (2FA)
- Enforcing strict password management policies like requiring employees to change their passwords every week and not using the same one for multiple applications
- Conducting comprehensive employee training at all company levels
Vigilance Is Key
Phishing is getting smarter, and everyone is a potential target. Always double-check the sender’s name and email address every time a new message pops up in your inbox. If it’s from an unknown sender, don’t click on any links in the email. With the rising numbers of phishing crimes, vigilance is key if you want to avoid becoming another statistic.
If you have a company, consult with a cyber-security expert to find out how they can help secure your company against data breaches.