Phishing Fundamental Warning Signs

The October 2022 Security Awareness Newsletter focuses on phishing fundamentals and how to secure your inbox against various phishing attacks. It outlines key strategies such as recognizing warning signs, hovering over links, and reporting suspicious emails, as well as discussing other phishing formats like text messages and QR codes. Additionally, it highlights Business Email Compromise (BEC) scams and offers tips to identify and prevent these advanced phishing tactics.

Uploaded by

larymarklary

SecurityAwarenessNews

October 2022

the security awareness newsletter for security aware people

Phishing Fundamentals

Securing Your Inbox

Phishing In Every Format

Business Email Compromise


Securing Your Inbox
Email continues to represent the main way cybercriminals launch phishing
attacks. Even though modern spam filters can eliminate the majority of
spam and suspicious messages, it’s up to you to filter out the rest. Here are
five ways to secure your inbox:

1. Know the warning signs


Phishing scams often feature recognizable warning signs. Poor grammar,
threatening language, unrealistic promises, and unexpected attachments all
qualify. If a message includes any of these signs, take extreme caution and
assume you’re being targeted.

2. Hover over links


Hovering your mouse over a link will reveal the full URL. This helps you spot
malicious links, which usually lead to websites that have nothing to do with
the context of the message. Note, however, that even if a link appears safe,
it could still be dangerous. Only click if you’re absolutely sure.

3. Don’t make assumptions


Just because an email appears to come from someone you know doesn’t
mean it’s safe. For example, if a major data breach leaks thousands of
usernames and passwords, cybercriminals could use that data to take over
people’s accounts and distribute phishing emails. Always take note of the
tone and context of a message to avoid getting scammed.

4. Remain skeptical
There’s a fine line between being paranoid and being proactive. We want
you to live on the proactive side by treating all requests for confidential
information or money with a high degree of skepticism. Follow your
instincts, and use situational awareness!

5. Report suspicious emails immediately

Any time you suspect an email is a phishing attack, don’t click, don’t
respond, and don’t ignore it. Instead, follow policy and report it
immediately. Timely reporting allows organizations to analyze the email and
take measures to ensure the sender can’t distribute additional phishing
attacks to your co-workers.

Phishing in Every Format
Email isn’t the only way scammers attempt to phish people. They’ll happily
use every format available to them. Let’s explore a few other avenues.

Text Messages

Malicious text messages feature many of the same techniques found in typical
phishing attacks. They often claim a bank account has been compromised and
ask you to immediately click on a link. Doing so could give a cybercriminal
access to personal information or allow them to take over banking and social
media accounts.

QR Codes

Many organizations use QR codes as a quick and convenient way to direct users
to websites or other services. Scammers also use QR codes to send users to
malicious sites that steal login credentials or infect devices with malware.
It’s generally best to never scan codes unless you’re sure they’re safe. When
in doubt, go directly to a website through a browser app rather than a QR
code.

Phone Calls

Since phone numbers are so easy to acquire, cybercriminals have been using
them for decades to scam people out of money and personal information. It’s a
practice known as vishing, or voice phishing. In many cases, vishing attacks
use an automated system that asks you to enter banking details. Some attacks
will even connect you to a live scammer who will attempt to impersonate
legitimate organizations.

Web Browsers

Browser push notifications are small messages that deliver information to
users. While push notifications can serve useful purposes, they’re also
abused by malicious hackers to deliver malicious advertisements or trigger
installation of unwanted software. Ideally, block all browser notifications
to help avoid this threat.

Regardless of the delivery method, almost all phishing attacks share one
thing in common. They attempt to manipulate people into doing something
they shouldn’t, such as clicking a link, downloading a malicious attachment,
or revealing confidential information. Don’t fall for it! Use extreme caution
before you click, download, or share anything confidential.
Business Email Compromise
Business email compromise, or BEC, is an advanced phishing scam that
impersonates people, organizations, or entities that the victim knows.
It works by manipulating email addresses so the sender appears to be
legitimate.

Common examples of BEC:

• Fraudulent Invoices
By impersonating vendors or other account representatives, scammers can trick
people into wiring funds to fraudulent accounts. This is often accomplished
by sending fake invoices that look almost exactly like an invoice the victim
typically receives.

• CEO Fraud
How likely are you to respond to an email that appears to come from your
boss? CEO fraud involves a cybercriminal attempting to impersonate upper
management and sending out requests for wire transfers of money or
confidential information.

• Account Takeover
When someone falls victim to a phishing attack, they may lose control of
their email account. This then allows the attacker to distribute phishing
emails to the victim’s contact list. Since the recipient recognizes the
account, they are likely to engage with the attacker.

• Employee Data Theft
Those who work in bookkeeping or human resources have access to an abundance
of employee information. Cybercriminals often target those people in hopes of
stealing data such as full names, national ID numbers, home addresses, and
phone numbers.

You can thwart these attacks by slowing down and:

• Carefully inspecting the sender’s email address.
Scammers often create addresses that appear to be legitimate but actually
contain slight variations in the way they’re spelled.

• Paying attention to the tone.
When you email regularly with someone, you are likely familiar with how they
communicate via text. Unusual tone = untrustworthy email.

• Avoiding attachments.
Email attachments represent one of the most common ways malware gets
distributed. Never open an attachment unless you have confirmed it’s safe.

• Verbally confirming.
If you receive a request for money or confidential information, it’s always a
good idea to confirm with them via an alternative method before complying.
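
The advice to carefully inspect the sender's email address can be backed by a mail-gateway or triage check, shown here as an added example that is not part of the newsletter: it measures how far a sender's domain is from each domain the organization already trusts and flags near misses. The allow-list, the sample headers, the function names and the distance threshold of 2 are assumptions.

```python
from email.utils import parseaddr

def edit_distance(a, b):
    """Levenshtein distance using the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted_domains, max_distance=2):
    """Return (verdict, nearest_trusted_domain); verdict is trusted, lookalike or unknown."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return ("unknown", None)
    if domain in trusted_domains:
        return ("trusted", domain)
    # Closest trusted domain; None when the allow-list is empty.
    nearest = min(trusted_domains, key=lambda t: edit_distance(domain, t), default=None)
    if nearest is not None and edit_distance(domain, nearest) <= max_distance:
        return ("lookalike", nearest)
    return ("unknown", None)

# Constructed allow-list and From headers; hypothetical names on reserved domains.
TRUSTED = {"acme-supplies.example", "payroll.example"}
SAMPLES = [
    "Accounts <billing@acme-supplies.example>",   # exact match
    "Accounts <billing@acme-suppiles.example>",   # two letters swapped
    "Accounts <billing@acme-supplie.example>",    # one letter dropped
    "Newsletter <news@unrelated.example>",        # not close to anything trusted
]

def classify_all():
    """Verdict for each constructed sample header, in order."""
    return [classify_sender(header, TRUSTED)[0] for header in SAMPLES]
```

A "trusted" verdict only means the domain is spelled correctly; it says nothing about account takeover, which is why the tone and verbal-confirmation checks above still apply.
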
