A cybersecurity expert's 10 tips to stop you being scammed on email

Business email compromise (BEC) has cost companies $3.1 billion since January 2015 and consumer email phishing is at an all-time high. Most people don’t question the “from” field in the emails they get day in and day out, yet without the right tools in place, there’s actually no reason to trust the “from” field!

Unfortunately though, no matter how sophisticated a company or enterprise’s email strategy is, some phishing emails will always make it to the inbox. And these messages are extremely effective. Verizon found that 30% of targeted recipients open phishing messages and 12% click on malicious email attachments.

Because education must be a critical piece of every business's email security strategy, below are Proofpoint's top 10 tips for identifying a phishing email.

Tip 1: Don’t trust the display name
A favorite phishing tactic among cybercriminals is to spoof the display name of an email. Here’s how it works: If a fraudster wanted to impersonate the hypothetical brand “My Bank,” the email may look something like:

Once delivered, the email appears legitimate because most user inboxes and mobile phones will only present the display name. Always check the actual email address in the header "from" field; if it looks suspicious, flag the email.

Tip 2: Look but don’t click
Cybercriminals love to embed malicious links in legitimate-sounding copy. Hover your mouse over any links you find embedded in the body of your email. If the link address looks weird, don’t click on it. If you have any reservations about the link, send the email directly to your security team.

Tip 3: Check for spelling mistakes
Brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.

Tip 4: Analyse the salutation
Is the email addressed to a vague “Valued Customer?” If so, watch out—legitimate businesses will often use a personal salutation with your first and last name.

Tip 5: Don’t give up personal or company confidential information
Most companies will never ask for personal credentials via email–especially banks. Likewise most companies will have policies in place preventing external communications of business IP. Stop yourself before revealing any confidential information over email.

Tip 6: Beware of urgent or threatening language in the subject line
Invoking a sense of urgency or fear is a common phishing tactic. Beware of subject lines that claim your “account has been suspended” or ask you to action an “urgent payment request.”

Tip 7: Review the signature
Lack of details about the signer or how you can contact a company strongly suggests a phish. Legitimate businesses always provide contact details. Check for them!

Tip 8: Don’t click on attachments
Including malicious attachments that contain viruses and malware is a common phishing tactic. Malware can damage files on your computer, steal your passwords or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting.

Tip 9: Don’t trust the header from email address
Fraudsters not only spoof brands in the display name, but also spoof brands in the header from email address, including the domain name. Keep in mind that just because the sender’s email address looks legitimate (e.g. [email protected]), it may not be. A familiar name in your inbox isn’t always who you think it is!

Tip 10: Don’t believe everything you see
Phishers are extremely good at what they do. Many malicious emails include convincing brand logos, language, and a seemingly valid email address. Be skeptical when it comes to your email messages—if it looks even remotely suspicious, do not open it.

* Tim Bentley is the managing director of Proofpoint Australia and New Zealand.


Asia Pacific – Hey CEO, Click Here! How High Level Executives Can Avoid Phishing Attacks?

When it comes to phishing attacks, senior executives are attractive targets. Their risk of falling victim to one of these intrusion attempts is at least double that of other employees. First, like anyone else, they are targeted with run-of-the-mill phishing emails: the mass-produced, impersonal kind that still regularly persuades users to click on a link or attachment, which then downloads malware onto their system. This is one of the most common ways attackers sneak inside corporate networks.

But these executives are also targets of much more sophisticated attacks in terms of motive and approach: emails meticulously crafted to appear legitimate and personalized, from one member of the leadership team to another, with objectives as general as planting backdoor malware or as specific as convincing the recipient to wire money into the attacker's accounts.

For National Cyber Security Awareness Month 2016, Stroz Friedberg is producing educational materials to remind readers about the best practices of cybersecurity. In this post, we provide guidance senior executives can use to ensure they’re not duped by an email into compromising the security of their firm.

Here’s how phishing tends to work: An employee receives an email purportedly from a trusted source. The email says something like, “Here’s the document you asked for.” The employee clicks on the attachment or link and inadvertently downloads malware that can lead to the exfiltration of any of the company’s data.

Oftentimes, these phishing emails can be identified by a sense of urgency in the message and by telltale signs like typos, awkwardly worded sentences, emails written to one recipient but sent to multiple people, and requests that are out of context for the sender.

The attacks targeting executives, however, may not have any of these tells. The criminals conduct online reconnaissance using information from sources such as Google or LinkedIn to find information about the company’s senior executives and their relationships. This information is then used to carefully craft very compelling phishing emails. For example, recently I worked on a matter with a company involved in M&A activity where the attackers targeted the CEO directly, because they wanted to spy on the conversations between him, the CFO, the general counsel, and other higher-ups involved. To do so, the attacker crafted an email from the CFO to the CEO with an attachment purported to be a financial analysis report. In reality, though, the file was actually malware giving the attackers the ability to monitor the CEO’s email.

A simple method to thwart these types of attacks is by tagging every leader-to-leader email that contains a link or attachment with a code known only among the group. The code can be a list of numbers, letters, characters, or a passphrase, similar to a password. If the recipient doesn’t see the code, they know not to click. This practice can be applied to all emails among the group or just those that include links or attachments. Executive assistants should also be made aware of this practice; they must be as vigilant as the executives themselves.

Another best practice is to be aware of common attack methods. For example, one particularly popular tactic involves professional conferences. Speaker lists and sometimes even attendee lists are often posted online. Attackers are known to mine these sources to identify targets for trade secret theft. The emails they send look like thank-you emails and include an attached set of slides, supposedly from a relevant presentation. This can be a very believable email for someone to receive, and being aware of this M.O. is the principal way to avoid it.

Executives should also watch for even the slightest evidence of aberrant behavior. For example, if someone generally sends you minutes for a weekly meeting in a doc file but sends it as a zip file, that’s a reason not to click on the attachment. Or, if someone directly sends you a file that is usually sent to a group, again, don’t click. Another subtle sign that should raise suspicion is if an email is sent from a personal email domain, such as Yahoo, Hotmail or Gmail, when normally it would come from the domain of the company. When it comes to the C-suite, it’s not as easy as spotting strange typos. Little details can signal a major attempt at a cyber attack.

When in doubt of the veracity of a message, contact the sender to confirm its legitimacy by phone or by starting a new email thread. You can also hover over any included links to see if the URL is the expected site. If you think you’ve been the target of a phishing attempt or you’ve clicked on a suspect link or attachment, contact your security department immediately.

Paul Jackson, Managing Director, Stroz Friedberg

Cyber security basics: How to recognise phishing attacks


CBR sits down with Luis Corrons, Technical Director at PandaLabs, to talk phishing.

Phishing attacks are on the rise, but how can you recognise them? CBR’s Alex Sword talks to Luis Corrons, Technical Director at PandaLabs.

AS: What are some common examples of phishing attacks?

The most common examples of phishing attacks are emails that supposedly come from a bank or payment provider, courier company, or popular shopping site (Amazon, iTunes, etc.). One way or the other, it will be trying to get our personal information so it can be used to steal further information or empty our accounts.

AS: Phishing attacks take many different forms. What are some common characteristics that people can look out for?

Most times the initial phishing message says there has been some kind of security incident involving your account, and tells you that if you do not take action it will be suspended. There will be a link in that message that the user has to click in order to fix the problem. Once clicked, it takes the user to a web page with the look and feel of the organisation they are trying to fake, which will ask the user for their personal information (credentials, security questions, etc.).

AS: What would a good employee training programme in an organisation look like?

The best training programme should start by launching a controlled phishing attack against the company’s employees. This can then be used in the follow-up training to show how effective a real attack would have been and to teach all employees to recognise these types of attacks. Repeat this periodically to measure the success of previous training.

Special attention should be given to the finance team to ensure they are aware of CEO fraud (aka Spear Phishing or Whaling), which occurs when an email supposedly coming from a C-Level executive requests an urgent and often substantial bank transfer. The FBI estimate $2.3bn has been lost to this type of fraud over the last three years. Having a system in place where the finance team can verify anomalous transactions directly with the C-Level executives or senior members of staff at any time can stop these losses.

AS: What are some basic checks that can be put in place so that suspicious emails can be vetted?

Most phishing messages rely on the user clicking on the link that is in the message or just opening an attachment. Not doing so solves the problem.

By learning the typical characteristics (there is a serious security problem, urging us to act as soon as possible, threatening us with closing or suspending our account, giving us a link to solve the problem…) the users can spot phishing attempts.

At the end of the day, if the user has any doubts and considers it might be a valid message, they can always go to the company website from the browser without clicking on the link. If available, report suspicious emails to your IT team or provider.

Never trust attachments from unknown sources, of course.

AS: How are phishing attacks evolving?

Luis Corrons, Technical Director of PandaLabs.

Historically the cyber-criminals behind these attacks had problems with the language used as English was not their first language, and it was easy to spot grammar mistakes as well as misspelled words. Nowadays they have improved and in general they do not make these kinds of mistakes.

Phishers are more professional, and it is a continuous battle to realise we are facing a phishing attack. Contacting the originator by phone or directly visiting their website will normally confirm whether the email is genuine.

Although phishing has often been linked to the theft of online banking credentials, there are some other kinds, such as those made to steal Facebook or Twitter credentials. In these cases, instead of an email you get a message with a link; if you click on it, it takes you to a website with the same look and feel as the social network and asks you for your credentials.

AS: Is it possible to protect our data online to make phishing attacks less successful?

Yes, of course. The first tip is not reusing passwords. Using a password manager is the most effective solution for this. On top of that we should enable 2FA (two factor authentication), so even if a phishing attack succeeds and our credentials are stolen, our accounts will be safe.