
How to spot a phishing email

Blog: Professional advantage - BPM blog

While an organisation’s employees are its most valued asset, they are also, potentially, its weakest link in the IT security defence framework (technology, policy enforcement, and people behaviours) and in the organisation’s current capability to protect against, defend against, and respond to threats coming into the organisation via email. Cybercriminals target employees at every organisational level, and those who are not aware of their tactics and means can easily and innocently fall for them. Such is the case of these organisations that we encountered previously:

Cybersecurity threats, in general, pose real and serious risks to all businesses today, including but not limited to:

  1. Financial loss from substantial fines to government regulatory authorities for security related compromise events.
  2. Temporary or permanent loss of valuable business data and identity theft.
  3. Operational disruption and staff productivity losses.
  4. Damage to one’s organisational brand reputation and public image.

These risks can happen to your business as
a result of a malicious email that your people probably wouldn’t know or
identify as suspicious, even if it is right in front of them. A small effort
towards education and making your people aware of how to spot a phishing email
will go a long way towards reducing the risk of occurrence and further securing
your IT operations environment.

What is Phishing?

According to Microsoft, phishing is an attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication that often look to be official messages from legitimate organisations (commercial, government, not-for-profit, education) or individuals. It is a practice used by cybercriminals to entice users to reveal personal information like passwords or payment details, from which they seek to profit commercially. Common phishing techniques include invoice phishing, payment or delivery scams, file downloads, or emails that deliver threats such as ransomware in an attachment.

How to detect a Phishing Email

The key to prevention is awareness and
education, so we’re sharing with you some of our pointers on how to spot a
phishing email:

Unusual, urgent request

Does the email message ask you to perform
an unusual activity like changing your password or updating your bank
information? Does it require you to take urgent action for a strange request? If
it smells “phishy”, it must be! Banks and many authentic organisations do not
typically ask for personal credentials via email, so do not give them up that
easily.

Phishing Email - Unusual urgent request

Suspicious links or attachments

Think before you click. Be wary of misspelt website domain names or bizarre links. Check that the link will go to a legitimate website by hovering over it first. Do not open abnormal links or attachments until you can verify them with the sender by calling them.

Phishing Email - Suspicious links or attachments

Dubious sender

Does the “From:” field have a matching email address? Legitimate companies would normally use a matching sender name and business email address. In the sample below, the sender’s name is ‘Yahoo business Email’ but it goes to psmc_jdcantillo[a]yahoo.com.

Phishing email - Dubious sender
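The link and sender checks described above can also be run automatically when triaging reported emails. The following Python is an added example, not code from the original post: it flags links whose visible text names one domain while the href goes to another, and official-sounding sender names that write from free webmail (as in the Yahoo sample, where the address domain alone looks legitimate). The word list, the free-mail list, and all `.example` domains are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, illustrative lists; freemail.example is a placeholder used by the sample.
FREE_MAIL = {"yahoo.com", "gmail.com", "outlook.com", "hotmail.com", "freemail.example"}
OFFICIAL = re.compile(r"\b(business|support|security|billing|admin)\b", re.I)
DOMAIN = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_matches(shown, actual):
    """True when the real host is the displayed domain or a subdomain of it."""
    shown = re.sub(r"^www\.", "", shown.lower())
    actual = (actual or "").lower()
    return actual == shown or actual.endswith("." + shown)

def check_email(raw):
    """Return findings for the sender and link checks on a raw HTML email."""
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    if OFFICIAL.search(name) and addr.rpartition("@")[2].lower() in FREE_MAIL:
        findings.append(f"sender: '{name}' writes from free webmail address {addr}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown, real = DOMAIN.search(text), urlparse(href).hostname
        if shown and not host_matches(shown.group(1), real):
            findings.append(f"link: text shows {shown.group(1)} but goes to {real}")
    return findings

# Constructed sample message, not a real email; all domains are placeholders.
SAMPLE = ('From: "Example Bank Support" <accounts.team@freemail.example>\nContent-Type: text/html\n\n'
          '<a href="http://login.example.net/verify">www.examplebank.example</a> '
          '<a href="https://help.examplebank.example/faq">examplebank.example</a>')
```

Calling `check_email(SAMPLE)` returns one sender finding and one link finding; the second link, which goes to a subdomain of the domain it displays, is not flagged.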

Badly written email

Phishing emails typically contain odd phrases and grammatical errors. Badly written emails like the one below, coming from a well-known corporate or government brand, are one of the sure signs of a phishing email.

Phishing email - Badly written email

What to do when you encounter a phishing email

Being overly cautious is better than having regrets in the future for not taking action. Don’t ever hesitate to report a suspicious-looking email to your IT department. You may also contact the sender by calling them on the phone to confirm.

If you are using Office 365, you should turn on its built-in Multi-Factor Authentication (MFA) function for additional security and safety. Back up your data so you still have a copy of your files in case you fall victim to a phishing trap.

Need assistance with a cybersecurity incident or to broaden and deepen your defences? Contact Professional Advantage. Complete the form below and our Security Specialists will be in touch.


The post How to spot a phishing email appeared first on Enterprise Software Blog – Professional Advantage.
