Understanding and avoiding phishing emails

What is phishing?

Phishing is a tactic used by criminals on the Web to trick users into giving up sensitive information or installing malicious software onto their PCs. Phishing is a blanket term describing anything that may be seeking to maliciously obtain sensitive info by disguising itself as a legitimate entity. Phishing emails are malicious emails that are disguised as legitimate ones.

What is a phishing email?

Phishing emails are the most popular form of phishing attack. Attackers disguise their emails as coming from your bank, your email provider, retail accounts you may hold or your social network accounts. They may look convincing or even be exact copies of official emails you have received before. More advanced spear-phishing emails even utilise prior research such as details harvested from your LinkedIn account or contact details on your website. Be aware that even though they sound friendly and can be addressed specifically to you, their purpose is to exploit you.

The emails will differ depending on their angle of attack. Those purporting to be from your bank may request you follow a hyperlink and enter your online banking login and password; some, such as those purporting to be from delivery companies, will only require you to click on a hyperlink to download malicious software to your PC.

Phishing is the most widely used cybercriminal tactic

Anyone can be targeted by attackers using phishing techniques. Fortunately, everyone can make themselves less likely to be a victim by educating themselves on the threat and taking sensible steps to ensure security such as keeping your anti-virus software up to date.

Being aware of the threat of phishing emails is crucial to keeping your business safe. However, it isn’t acceptable to only rely on being well-informed to combat such a serious threat to your company. Almost half of small to medium size businesses were targeted by a cyber-attack in the previous financial year, and 60% of those who were victims closed their doors within 6 months. The damage to your finances and your reputation can be severe. Given the severity of the threat, comprehensive action is necessary to counter it.

How can I minimise the risk of being a victim of phishing?

A great start is by educating your staff on the threat of phishing. In addition, there are a number of industry-leading products that Neuways can offer such as Webroot anti-virus, to defend against malware, and Mimecast, to make email safer for your business. In the event that you are the victim of a ransomware attack as a result of phishing, it is essential to have backups to keep your business running. Get in touch with Neuways to discover what we can offer to make your business more resistant to the threat of phishing.

Examples of phishing emails

Here is a generic list of examples you should be on the lookout for. It is by no means exhaustive – cybercriminals are always working to stay ahead of the game when it comes to phishing emails.

Email sender	Typical example approach	Result…if you get it wrong
Online Banking	“URGENT: Your online bank account may have been compromised. Please follow the link and log in to validate your security details…”	By following the instructions and logging in, you’ve given your online banking login credentials away to a cybercriminal!
Online Retailers	“We have suspended your account temporarily. Please click here and log in to reactivate…”	By following the instructions and logging in, you’ve given control of the account, and any payment methods attached to it to a cybercriminal.
Delivery Companies	“You missed a delivery. Please click the tracking number link to reschedule or arrange collection.”	By following the link, you’ve infected your PC with malware which could harvest your data and your passwords.
Email Provider	“The password for your account will expire shortly. Please click the link and log in to update your password.”	By following the link and entering your password, you’ve given the cybercriminals access to your account. They can potentially reset passwords for other accounts, or email your contacts to spread the deception further.
Fraudulent Companies, e.g Insurance Companies	“We have reason to believe you were incorrectly sold insurance. Please click the link to claim your refund.”	By following the link, you’ve infected your PC with malware which could harvest your data and your passwords.
Government or local councils	“We understand you are due a tax refund for the period 20/1/2017 to 1/1/2018. Please follow the link to claim back your payment.”	By following the link, you’ve infected your PC with malware which could harvest your data and your passwords.

How to deal with suspected phishing emails?

Now you know what you need to be looking out for, keep in mind this handy list of what to do when you are faced with what you think you may be a phishing email.

What you should do

What you shouldn’t do

Check the sender’s address – does it look legitimate? It will be a close approximation of the organisation they are posing as. Check the greeting – do they address you by your name, or simply as “a customer?”  Check the signoff – legitimate businesses provide names and contact details, which you may already know.  Beware of “Urgent” or threatening content requiring immediate action.  Check the design and quality – does the email look as professional as the reputation of the organisation it is purporting to originate from?  Check the spelling, grammar and tone. Do they feature poor grammar and spelling, and miss that professional tone?  Contact the supposed sender via pre-established contact details if you’re still unsure. DO NOT contact them using the details on the email.  Tell your staff/colleagues to be wary. The attacker may be target everyone on a similar domain.  Consider your business relationships. If you get an email from a bank, or delivery company you do not use, treat it with suspicion.

☓ Do not trust every email you receive. ☓ Do not panic when you receive an “urgent” or threatening email. In a real emergency, people are far more likely to make telephone calls. ☓ Do not download any attachments – they may download malware or viruses to your PC.☓ Do not preview any attachments – if it’s suspicious, it’s best to be cautious. ☓ Do not click on any links – they may take you to sites designed to infect your PC with malware. Instead, hover over them with your cursor, and see if they look suspicious. ☓ Do not give up any details such as usernames or passwords. ☓ Do not trust the display name – check the email address the email came from. ☓ Do not respond, and do reach out to the sender with the contact details contained in the suspicious email. Telephone numbers and contact email addresses could be those of the criminals, through which they can further their deception. ☓ Do not forward the email to any colleagues without forewarning them of your suspicions. The best thing to do is delete the email.

An example phishing email to help you identify future threats

Here is an example phishing email from an attacker purporting to be from Neuways. See if you can use the above advice to spot what identifies it as a scam.

• There is an “Urgent” demand in the subject line. Like many companies, if we need to contact you urgently, we will generally use the phone.
• The email looks semi-professional. It is a poor imitation of a real corporate email.
• Whilst the attacker has stolen the Neuways logo, either by accident or in creating their email address, they have made a spelling error –
• The email is addressed to “valued customer.” At Neuways and many other companies, we will always address you by your name.
• The request is generic, to be sent out to as many recipients as possible, and designed to incite panic. It is rare that anyone, especially your IT support provider, would send you a legitimate email of this sort.
• There are a number of spelling and grammatical errors.
• The telephone is false – designed to be a line to the attackers in the event you reach out to them.
• The address listed is meant to give an air of professionalism but a quick Google search would reveal that it is only partially correct.

Don’t become phish food

Whilst this is a very basic example, it gives an indication of the means an attacker may use to steal your email account password and exploit that access. Information such as who you use as an IT support company, or as a logistics partner may be openly available in the public domain, and attackers may tailor attacks to your business using the information they have obtained. Always treat demands for passwords and other sensitive information as suspicious. Never use the contact details in the email. Never follow hyperlinks or download attachments. Educate your staff on the threat of phishing, as they are your last and best line of defence!

Phishing emails can seem like a relatively simple method of cyber-attack, but they can be extremely harmful to your business, and they are so widespread that it is likely you will encounter one. 91% of hacking attacks begin with phishing or spear-phishing. Even after educating and training staff, 23% of phishing emails are still successful in their goal of compromising businesses. You need a strong and comprehensive set of defences against phishing and the range of other tactics used by attackers today – speak to Neuways to get the best solutions that are suited to your business.

Contact Neuways today and avoid falling victim – before it’s too late.