Written by GoPTG.
Phishing emails can be a big problem for businesses of every size. They can be difficult to detect and prevent and can cost you big time.
One of the reasons they’re so difficult to detect is because they can take on so many forms. A phishing email can look like anything. But there are patterns and some common types to be aware of:
1. CEO Impersonation Attacks/Requests for Money or Sensitive Information
CEO impersonation attacks are when a cybercriminal impersonates the CEO (or another high-ranking member of the organization) asks a lower level employee to either wire them money or send personnel files. They’re banking on the lower level employee not asking too many questions.
The hacker usually imitates the CEO’s email by creating an account with a very similar looking email address (like Joe@Acnne.com in place of Joe@Acme.com) or spoofs the CEOs email address. We’ve even seen attacks where the hacker has actually broken into the CEO’s email address and sent the phishing emails from there and re-directed the replies to a hidden folder, so the CEO wouldn’t see them and get suspicious.
We’ve also seen a variation of this targeting employees who are out of office and their back up contacts.
How to Spot These
CEO impersonation attacks can be hard to spot. Hackers will usually do some research beforehand to make sure they are targeting the right people with their requests.
Hit reply on the email. Is the email address correct? Copy and paste it into a program like Notepad (or another program that removes formatting and uses a monotype font). Is the email address still correct or is that lowercase “L” actually an uppercase “I”?
Pay attention to the language and formatting of the emails. If something looks different from that person’s usual emails, then take that as a red flag. Are there phrases that person doesn’t regularly use in the email? Is this a different font, color or signature than their other emails? Is their name formatted differently in the From section?
What to Do
Require a verbal confirmation for any request involving moving large sums of money or sending sensitive data. If that’s not possible, require some other sort of confirmation outside of email. A new email to them won’t work if the hacker has control of the CEO’s email – they can just reply that it’s legitimate!
Depending on your email service provider, you may be able to flag messages coming from outside your organization. You likely won’t be able to stop all CEO impersonation attacks from coming through, but you can add a message to the email warning users they are coming from outside your company (PTG customers – we can help you add this to your Office 365 emails).
2. Fake Resumes
Hackers will send fake resumes to companies with the intention of getting you to download and open malicious files. These are difficult to spot, especially if you’re currently hiring and accepting resumes. Even if you’re not hiring, it’s likely you have people sending in resumes anyway.
How to Spot These
Spotting fake resume emails is tricky since there aren’t a lot of warning signs. These are typically pretty generic, though, and don’t contain much (if any) information about your company, the applicant or a specific job opening. They just say something along the lines of “Hello, I am interested in working for your company. Please see my attached resume.”
What to Do
You obviously can’t stop accepting resumes, but be cautious about the way you accept them. Block executable files – sometimes the fake resumes are executable files disguised as Word documents. Do not enable macros on any files sent to you (resume or otherwise). It’s disabled by default – keep it that way.
You can use a job board and require the applicant to submit their resumes through there (this is what we do when we’re hiring a new position). If an applicant emails their resume in, we just ask them to submit through the job board, too. The resume is fully viewable on the job board, so we never actually have to download the file if we don’t want to.
Office 365 users can add Advanced Threat Protection to their users accounts to help catch malicious attachments and links. It scans attachments and links for malicious activity before releasing them to your inbox. If it isn’t realistic to add this to every users account, you could create a user specifically for accepting resumes (like firstname.lastname@example.org) and add it to that.
3. Fake Transactional Notifications
Fake transactional notifications prey on your sense of curiosity. These typically take the form of shipping notifications, invoice notifications, and e-fax notifications – but really, it can be any notification that makes you click a link to find out more information. Spoiler alert: Nothing good comes from clicking the link.
How to Spot These
If you get a notification you aren’t expecting, it’s not necessarily malicious, but treat it with extreme caution. If you have legitimate emails from the service the email appears to be from, compare it to those emails to look for any inconsistencies.
Check the sender email address. Hackers will sometimes register domains that look legitimate, but sometimes won’t even bother with that and just use a random email address. Pay attention to the formatting. If something looks off, it probably is.
Invest in a program that can scan links in your email for malicious activity before they reach your users’ inboxes (like Advanced Threat Protection for Office 365). It’s not going to catch 100% of the malicious emails, but it will drastically cut down on the amount your users see.
What to Do
Don’t click on any links in notifications emails. If you need to check the status of something, check directly with the company rather than clicking the link.
For example, instead of clicking a link in a shipping notification, copy/paste the tracking number into the shipping company’s website (If there isn’t a tracking number, this should be a red flag – all major shipping companies have tracking numbers).
4. Fake software/service/app notifications
These are similar to the fake transactional notifications, but these target you based on a particular software, service or app you are using. They appear to be a notification from the company and can take on a few forms.
Some versions try to scare you into clicking on a malicious link. They say something like your account has been suspended or your account will be closed in 24 hours and direct you to click a link to stop that from happening. No one wants their account to be suspended.
Other versions will try to blend in with regular notification emails you’d typically get from the service. We’ve seen one example targeting Office 365 users that appears to be a spam quarantine notification. It preys on that sense of curiosity by telling you that you that it has blocked spammed messages, but not telling you what they are. They are hoping you’ll be curious enough to click the link to see what the spam message are, but that the message looks innocuous enough not to raise any red flags.
How to Spot These
The warning signs for these are similar to the warning signs for fake transactional notifications. The best way to spot these is to compare them to real emails you have from these services.
Check the from email address. Does it match? Cybercriminals will register look-alike domains to try to trick you.
Look at the overall contents of the email. Does it give you concrete information? Or is the email vague? Be wary if the email doesn’t give you much information and tells you to click to get more information.
What to Do
Give any notification email a second look. Don’t click on links in notification emails – log in to the service to check notifications. If you get an email saying your account will be disabled, call the company directly to get more details (your IT company may be able to help you with this, especially if they help you manage your licenses).
Like fake transactional notifications, a program like Advanced Threat Protection can help cut down on the number of these reaching your users by scanning emails for malicious links before they reach your inbox.
Often times, cybercriminals will use combinations of the above types. Take a look at this phishing attempt (click to enlarge) sent to our Operations Director. The subject line and attachment name make it look like she has been sent an invoice via DropBox.
It’s a well-done email and looks pretty convincing. In this case, the cyber criminals took extra steps to make this look like an email the recipient should click on. They use language about security (“secured message” and “secure server”) and even add a fake a message saying it’s from a trusted sender (in the green bar).
How to Stay Safe
These examples are the most common types of phishing scams, but they aren’t everything. Phishing, by definition, can be any email that tries to trick you out of money or resources (whether you send it to them or you click on a link that gives you ransomware).
Err on the side of caution when checking your email, especially when it comes to clicking links and downloading attachments. Give every email a second glance before you take any action. If you’re in a hurry, and can’t give an email your full attention, save it for later.
Remember, email is an excellent tool, but it’s not the only tool you have at your disposal for communications. When in doubt, pick up the phone and call the sender to get confirmation. Or send the email to your IT team and ask them to look over it for you. The extra few minutes it will take to you do this will save you a lot of time and money if it stops you from falling victim to an attack.