Several new variations on existing email scams have attracted the attention of security experts in recent weeks. These represent another step in the evolution of phishing, most commonly defined as the fraudulent practice of sending emails purporting to be from reputable companies in order to convince users to reveal personal information, such as passwords and credit card numbers.
The first twist puts a fresh spin on the power of illicit attachment. But instead of just asking users to blindly open that unknown attachment, these phishing attempts, which appear to come from a recognizable sender, ask the recipient to enter his or her credentials (usually email address, username, and password) before the attachment can be opened. In addition, the recipient is provided with a phone number to call to verify the authenticity of the attachment.
These two extra layers of personalization add an air of authority to the message. Calls to the phone number provided even go to a real human being who answers and says, “Yes, this is what I sent you.” After calling, the recipient of the phishing attempt verifies the credentials for the attachment and opens it, which then gives hackers access to files, email accounts, and entire systems.
In some instances of this scam, hackers have immediately begun deleting or encrypting files from the unsuspecting user’s computers. In others, hackers have gained access to email inboxes, sending out further illicit messages that perpetuate the phishing scam to more and more users — from, of course, what looks like a trusted source.
The other new twist on phishing is far more nefarious and externally driven. The so-called “sextortion” scam has successfully tricked people into thinking that their computers have been infected with malware that recorded videos of them perusing adults-only content. The cybercriminals rely on a form of blackmail, threatening to share the supposed videos with friends, family, and business contacts — unless they pay up in Bitcoin. So far, cybersecurity experts have tracked more than $4 million in ransom payments in just a few months.
To lend an aura of legitimacy to their efforts, these hackers will often reveal a real password the victim has used in the past. These passwords are often outdated, often leaked in large data breaches like those that have affected LinkedIn and Yahoo in recent years. In addition, fresh phishing attempts related to the “sextortion” scam often arrive from spoofed versions of a victim’s own email address (think firstname.lastname@example.org instead of email@example.com), making recipients think that hackers have already hijacked their account.
What can you do to combat such scams?
Here’s how to spot one:
1. Don’t open unknown attachments!
As the first case illustrates, hackers are getting more creative with their illicit attachments. Which is why you shouldn’t open one unless it’s a specific file you’re expecting from a specific, trusted co-worker. Verify the authenticity of the attachment face to face if you can. All it takes is one click on one of these infected files to wreak widespread havoc on your computer and any other systems it is connected to.
2. Check the sender’s email address carefully.
Does the display name match the email domain? Is everything spelled correctly? At first glance, phishing emails might look like legitimate messages. But if you look closer by inspecting the details of sender name, subject line, and body copy, you might find minor mistakes or strange phrasings that wouldn’t be found in a legitimate email.
3.) Hover over any URL links to make sure they’re valid.
Before you click any links in an unknown email, place your mouse over it to make sure it’s legitimate. If the words say http://www.google.com, the preview link should also be http://www.google.com. Beware of long strings of nonsensical characters or any major differences between the link in the email copy and the preview link that shows up when you hover over it.
4.) Work with an IT expert to implement email security.
Company-wide Internet filtering and network security can stop some unauthorized phishing attempts. Employers should also take extra precautions to alert their employees when and from whom any critical communications will arrive. Also, notifying IT support staff — whether internal or external — when obvious phishing attempts do land in your inbox can also cut down on the future threat of fraud or infection. Even the best technology requires smart, savvy human beings whose insight and intelligence can help systems work properly.
The bottom line? Be careful out there! New phishing attempts emerge on a daily basis, and real security requires a proactive approach to protecting your email accounts. At CMIT Solutions, we worry about IT so you don’t have to, working 24/7 to prevent our clients from being negatively impacted by phishing attempts, scams, hacks, data breaches, malware, viruses, and more. Contact us today to learn more.