From Nigerian Prince to expert impersonation – how to not fall victim to a phishing scam

Since the start of the COVID-19 pandemic, there has been a 660% increase in phishing attacks worldwide. The shift to remote work has further increased our reliance on email for communication, thus creating perfect conditions for email fraud schemes. So how can you protect yourself and your business from being a victim of cybercriminals?

Traditional phishing scams, like the now-infamous “Nigerian prince” scam, are so widely known that few today would fall victim to them. Time hasn’t stood still for scammers, though, and their techniques have become increasingly sophisticated and harder to spot.

In the past, phishers attempting to create a convincing scam often had to resort to tactics such as “dumpster diving” to learn more about their potential victims. Today, social media, spymail, public records and other sources of information make the reconnaissance much easier. As a result, more scammers are sending more-convincing phishing emails more often.

So what steps can you take to avoid falling victim to a phishing scam?

1. “Whenever there is any doubt, there is no doubt.” – Sam (Ronin 1998)

Sometimes there’s nothing overtly suspicious about a message, but still you feel your Spidey Senses tingling. Trust that feeling. Humans are remarkably good at perceiving patterns and spotting deviations from them, especially as it relates to danger.

Phishing is most effective when people act impulsively, so even a brief pause to assess the situation is often enough to reveal a ruse.

There are three attributes that most phishing messages have:

1. There is an ask.
2. There is a reward for performing the ask and/or a risk for not performing it.
3. There is a sense of urgency.

If a message checks these three boxes, it’s much more likely to be phishing. That doesn’t mean it is phishing, because plenty of legitimate messages also display these qualities. It does mean that you should stop and think before you do anything when you get a message like this.

If you get an unusual request from someone you know, it’s safer to follow up with them on another communication channel before you do anything to act on their message.

2. “More human than human is our motto.” – Eldon Tyrell (Blade Runner 1982)

The more sophisticated phishing emails can be almost indistinguishable from the real thing, attempting to trick you into thinking they’re coming from someone you trust.

A common example is the “spoofed file sharing” message. When you share a file with someone on a cloud storage provider, it can generate an email informing the recipient that a file has been shared. This is an excellent pretext for phishing, as it’s common for people to simply click through these emails without thinking about it too much.

[Image: example of a spoofed file-sharing notification email. Source: spamstopmshere]

As you can see, the scammers have worked very hard to make these look like the real thing. In some cases, the email will even have the correct details for “businesses” or “people” you have interacted with, making it feel even more genuine.

If you do suspect a message is phishing, a good first step is to verify the sender. Look at the actual email address rather than just the display name, and check that it is one the sender commonly uses, or that its domain matches the domain normally used by their organisation. The domain is the part of an email address that comes after the @ sign.

Genuine:

contact@support.google.com
contact@online.commbank.com.au

Fake:

contact@support.google.some_domain.com
contact@online.commbank.some_domain.com.au
contact@online.coommbank.com.au

For genuine emails, the last part of the address (the sender's domain) always matches the domain normally used by the sender.

So an email coming from contact@support.google.com is probably from Google, but one from contact@support.google.some_domain.com almost certainly isn’t.

3. “Your eyes can deceive you. Don’t trust them.” – Obi-Wan Kenobi (Star Wars – A New Hope 1977)

Phishing emails generally contain links to fake web pages which are virtually identical to the genuine website. These fraudulent websites are used by scammers to gather your personal data, or to install spyware or malware on your computer system.

The only way to differentiate between a spoofed website and the real deal is by looking at the web address.

[Image: spoofed Commbank login page. Source: mailguard]

Genuine:

www.my.commbank.com.au/netbank
www.dropbox.com/login

Fake:

www.my.commbank.some_domain.com.au/netbank
www.my.coommbank.com.au/netbank
www.dropbox.some_domain.com/login

So always hover over links in emails before clicking them. If you hover over a link, most email software will display the full address. On mobile, a long tap generally accomplishes the same thing. Again, look at the domain. Does it match what you’d expect? If an email says it is linking to a file in Dropbox but the domain is something else, be wary.

If you do click on a link in an email, always check the domain shown in your browser's address bar.

Just like email addresses, the domain of a web address should always match the domain normally used by the business, organisation or service.
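The sender check from section 2 and the link check above boil down to the same test: does the host belong to the domain the organisation normally uses? This added Python example (not code from the original article) applies that test to the page's genuine and fake examples and also flags the two lure patterns shown, a real brand name sitting inside the wrong domain and a close misspelling. KNOWN_DOMAINS is a constructed allow-list for the article's examples.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list of the domains the organisations on this page normally use
# (an assumption for the example; in practice, use the sender's known addresses).
KNOWN_DOMAINS = {"google.com", "commbank.com.au", "dropbox.com"}

def host_of(target: str) -> str:
    """Lowercase host of an email address ('user@host') or a web address."""
    target = target.strip().lower()
    if "@" in target and "://" not in target:   # email address
        return target.rsplit("@", 1)[1]
    if "://" not in target:                     # bare link such as www.dropbox.com/login
        target = "http://" + target
    # urlsplit drops a decoy 'brand@' prefix, so brand.com@evil.example resolves to evil.example
    return urlsplit(target).hostname or ""

def matches_known_domain(target: str) -> Optional[str]:
    """Known domain the host equals or is a subdomain of, else None (the page's 'genuine' test)."""
    host = host_of(target)
    for domain in KNOWN_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(target: str) -> Optional[str]:
    """Brand a non-matching host imitates: the brand as a label in the wrong domain
    (commbank.some_domain.com.au) or a close misspelling (coommbank). None if clean."""
    if matches_known_domain(target):
        return None
    for domain in KNOWN_DOMAINS:
        brand = domain.split(".")[0]
        for label in host_of(target).split("."):
            if len(label) >= 4 and edit_distance(label, brand) <= 2:
                return brand
    return None
```

The decoy-prefix case shows why the parsed host, not the start of the address, is what to compare: a link written as brand.com@evil.example lands on evil.example.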

If you do find yourself on a spoofed website, immediately close the page, clear your browser's cache and report the page to your IT department if appropriate.

4. “Louis, I think this is the beginning of a beautiful friendship.” – Rick Blaine (Casablanca 1942)

Attackers often use compromised email accounts to send phishing emails as the original user. So it’s not uncommon to receive phishing emails from known senders on your “Safe List.”

Phishing emails from “known senders” are potentially the most dangerous, as they won’t be blocked by any spam filters and you are more likely to click on a malicious link or attachment. Once again, trust your instincts when it comes to email. If you catch yourself wondering whether it’s legitimate, and your instinct is to ignore and delete it, then pay attention to that gut check.

If you do receive a phishing email from someone you know, then the right thing to do is to get in contact with the sender and inform them that their account has been compromised. You’ll be surprised how many people don’t even realise that their account has been hacked.

By letting them know (the sooner the better) you’re actively helping to stop the spread of an active and particularly malicious phishing scam… and for that you deserve a BIG THANKS from all of us!

Digital Aviators, Digital Marketing Experts
