Education and Awareness Are the First Steps
Just one innocent-looking but malicious email can cost a business millions of dollars and disrupt business continuity. Add the growing sophistication of email attacks and the meticulous social engineering techniques behind them, and we have a recipe for a potential cyber disaster. So, besides deploying the best email security solution available, organizations should educate their employees about email schemes, creating a last line of defense against these attacks.
Common Social Engineering Techniques and How They Exploit Human Nature
Social engineers know how humans work and think, and are more than happy to take advantage of this knowledge. A social engineer can use any of a number of different tactics to get their target to do what they want:
- Use of Authority: Organizations are built as hierarchies, where the people on top are in charge. A social engineer may impersonate someone in authority and order their target to take some action.
- Turning on the Charm: People are more likely to do things for people that they like. A social engineer may try to use their charisma to influence someone into doing what they want.
- Give and Take: Social engineers may give their target something minor for free. Then, they’ll take advantage of a feeling of obligation to get what they want.
- Seeking Endorsements: People are more likely to do something that someone asks after publicly endorsing that person or cause. A social engineer might seek a public endorsement from their victim, then ask for something.
- Do What’s Popular: People like to be popular. A social engineer will make it look like “everyone is doing” what they’re trying to trick a target into doing.
- Scarce Supply: Social engineers may make what they’re offering seem scarce or like a limited-time deal. This makes people likely to rush into getting it (like toilet paper during COVID-19).
Cybercriminals will use any and all of these tactics to gain access to an organization’s network and sensitive information. During and after the COVID-19 pandemic, with many employees working from home, companies are more vulnerable to phishing attacks than before.
Types of Phishing Attacks
In simple terms, a phishing attack is a social engineering attack performed over email or some other communications platform. These attacks are designed to get someone to click on a link, download an attachment, share sensitive data, or take some other damaging action.
Phishing attacks can come in a variety of different forms. Some common examples include:
- Account Issues: A common phishing tactic is to tell someone that there is an issue with one of their online accounts (Amazon, Netflix, PayPal, etc.). When they rush to click the link and fix the problem, the attacker collects their login credentials.
- Business Email Compromise (BEC): A BEC attack is a classic example of using authority. The attacker will impersonate someone important within an organization (CEO, management, etc.) and instruct the target to take a harmful action, like sending money to an account that an attacker controls.
- Fake Invoice: The attacker may masquerade as a vendor seeking payment for an outstanding invoice. This scam is either designed to have the victim send money to the attacker or to get them to download and open an attachment containing malware.
- Shared Cloud Documents: Cybercriminals often take advantage of cloud-based document sharing to bypass Office 365 security and other built-in security solutions. These tools will often verify that the sharing link itself is legitimate but will not check whether the shared document contains malicious content. Alternatively, an attacker may pretend to share a document and present a page that asks the victim to enter their login credentials, which are then sent to the attacker.
Many of these emails are designed to look just like a legitimate email. It’s important to take a second to validate an email before trusting it.
What To Look For in a Malicious Email
Obviously, phishing emails are designed to look as plausible as possible in order to maximize their probability of tricking the victim. However, there are some warning signs that point to a malicious email:
- Sender Address: Phishers commonly use email addresses that look like a trusted or legitimate address. Always check the sender’s address for errors, but remember that an attacker may have compromised a real account and be using it for their attack.
- Salutation: Most companies personalize their emails by addressing them to their recipient by name, but a phisher may not know the name that goes with a particular email address. If a salutation is overly general – like “Dear Customer” – it may be a phishing email.
- Tone and Grammar: Often, a phishing email won’t sound right and will include spelling and grammar issues. If an email seems off-brand for the sender, it’s probably malicious.
- Mismatched Links: You can check the target of a link in an email on a computer by hovering over it with your mouse. If the link doesn’t go where it should, the email is likely to be malicious.
- Odd Attachment Types: Phishing emails are frequently used to spread malware. If you receive an “invoice” that is a ZIP file, an executable, or something else unusual, then it’s probably malware.
- The Push: Phishing emails are designed to get the victim to do something. If an email elicits a sense of urgency or pushes a particular action, then it may be malicious.
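As an added illustration, not code from the original article, the warning signs above written as simple checks over a raw email and run against a constructed sample message; the indicator names, the lookalike domain, the salutation and urgency word lists, and the risky-extension list are assumptions:

```python
import re
from email import message_from_string, policy, utils
from urllib.parse import urlparse
# Constructed sample phishing message (not a real capture) that trips every indicator.
SAMPLE = """\
From: "service@paypal.com" <alerts@paypa1-secure.example>
Subject: Action required: your account is suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p><p>Your account has been limited. Verify immediately:
<a href="http://login.paypa1-secure.example/verify">https://www.paypal.com/verify</a></p>
--b1
Content-Disposition: attachment; filename="invoice.zip"

--b1--
"""
RISKY_EXT = (".zip", ".exe", ".js", ".scr", ".iso", ".lnk", ".hta")
URGENCY = ("immediately", "within 24 hours", "suspended", "urgent", "action required")
def host_of(url):  # bare "www.x.com" link text is treated as http://www.x.com
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
def phish_indicators(raw):
    # Returns which of the article's warning signs a raw RFC 822 message triggers.
    msg = message_from_string(raw, policy=policy.default)
    found = []
    # Sender address: display name shows one address while the real sender is another.
    name, addr = utils.parseaddr(msg.get("From", ""))
    if "@" in name and name.split("@")[-1].lower() != addr.split("@")[-1].lower():
        found.append("sender_mismatch")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", html)
    # Salutation: impersonal greeting because the phisher does not know the name.
    if re.search(r"\bdear (customer|user|member|valued)", text, re.I):
        found.append("generic_salutation")
    # Mismatched links: anchor text looks like a URL but the href goes elsewhere.
    links = re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S)
    if any(s.strip().startswith(("http", "www.")) and host_of(s.strip()) != host_of(h)
           for h, s in links):
        found.append("mismatched_link")
    # Odd attachment types: archives and executables posing as an "invoice".
    if any(p.is_attachment() and (p.get_filename() or "").lower().endswith(RISKY_EXT)
           for p in msg.walk()):
        found.append("risky_attachment")
    # The push: urgency language in the subject or body.
    if any(w in (str(msg.get("Subject", "")) + " " + text).lower() for w in URGENCY):
        found.append("urgency")
    return found
```

A real mail gateway would weigh these signals rather than treat any single one as proof; a generic salutation alone is common in legitimate bulk mail.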
The Importance of Email Security Awareness
Email security awareness is essential to protecting an organization against email attacks. Training employees to recognize the signs of a phishing email – especially the pretexts and techniques that are currently popular – reduces the probability that they will click on a malicious link or open a malicious attachment.
It is also good practice to teach employees to report suspected phishing emails to the organization’s IT or security team. This enables the security team to investigate and respond in case another employee fell for the same phish.
However, even with the best training program, a phishing email will occasionally succeed, and in many cases the cloud email security features built into your email solution will not catch the attack. Investing in a specialized email security solution is a good choice for preventing these malicious emails from reaching users in the first place.