As scammers and hackers get more sophisticated, it becomes increasingly difficult for security professionals to prevent breaches. To make matters worse, attacks via email target the weakest part of every network or system, the user.
Hacking attempts that occur via non-programmatic means and specifically seek to exploit users are known as social engineering. This form of attack is much more successful than SQL injections, cross-site scripting, and buffer overflow attacks. To avoid a catastrophe, it is imperative that all company employees are trained on techniques to spot phishing emails.
Here are some effective ways to spot phishing emails, with varying levels of difficulty. Some will require a little bit of familiarity with how hyperlinks work.
Chances are, if you are receiving a message from Microsoft about the company's Office 365 subscription, the email will come from their automated messaging services. These messages will always come from a domain name with the word 'Microsoft' in it.
If the domain name of the sender is something like @homersoft or @mickro-soft and they are claiming to be with Google, it's a scam! Don't click on any of the links or download any images. If you get trigger-happy and click a link, make sure you don't enter any credentials into the site you are taken to.
Evernote scam emails have been going out increasingly often, so much so that the company has taken notice and published a list of trusted domains. If you receive an email claiming to be from Evernote, and it is NOT one of those listed below, it's a scam.
Weebly is a domain registrar, similar to GoDaddy and Amazon Web Services, that allows you to create domain names that can be used to access a website. The company also offers a free subdomain service that hackers have exploited to pose as legitimate companies. Here is how the scam works.
The hacker discovers who a company's affiliates are (vendors, strategic partners, etc.) and creates a Weebly subdomain that matches the company's name exactly. Here is an example scenario.
These emails look legitimate and may even include names of people the victim has worked with recently, making the attack almost impossible to spot for those who are unaware of the threat.
Unless you work in healthcare, finance, or some other highly regulated industry, you probably won't need to send or receive encrypted emails. If you do, however, regularly receive such emails, pay attention to the vendor listed as the encryption service. If it's one that you don't recognize, let the IT department know so they can validate it.
Scammers can very easily embed a link within some very deceptive text. See, I just did it here: Click here to renew your subscription to this service. Although the text would lead you to think you are going to renew a service, when you hover over it, the URL that populates in the tiny box at the bottom takes you somewhere else entirely.
Many times hackers develop sites that are not in their native language. This is done to increase the breadth of their attack. Because of this, they sometimes rely on poor translation services that result in grammatical errors.
One error doesn't mean it's a scammer's site, but multiple grammatical errors or consistently poor punctuation are a dead giveaway.
Distorted and warped images throughout a website are telltale signs of a scammer's page. Companies like Microsoft, Google, Super Easy CRM, Facebook, and others spend tons of time and money on the look and feel of their site.
Company web pages go through rigorous quality assurance before they are published. So any site claiming to be affiliated with an established company that contains low-quality images is likely a fake.
Educated and skeptical users are the best defense against scam emails. Doing a quick scan of each email you receive may slow your workday down, but it can help thwart an attack that could cost the company millions.