When we first started bringing attention to phishing scams years back, they were pretty easy to spot. Criminals didn’t really think about how to actually sell their scam to their victims. Their emails were chock full of typos and their grammar was so bad that even your grandma could have read through the email and known that something was up!
Fast forward to today: criminals are using sophisticated tools to spoof messages and websites that look like the real deal. These phishing emails may even include official company logos that make them seem completely legitimate.
This is just one thing to watch out for. Criminals have also learned that subject lines with urgent messages get people’s attention. But there are a TON of things to think about and look for in phishing scams to keep your users protected.
Note: while I will cover quite a bit of ground in this post, this is just the tip of the iceberg. Consider attending my webinar, Phishing: How Not To Get Hooked. Here are the details:
Bruce McCully
May 2, 11 AM ET
The synopsis:
Are you rolling out the red carpet to hackers, thieves, and scammers? What can you do to keep from mistakenly giving a hacker everything they need to get into your network? In this 45 minute webinar, Bruce will reveal the 3 major signs you are being phished, how you can recognize them, and avoid being hooked!
Just another reminder: phishing attacks don’t just target everyday Joes. Sometimes they are going after your company and your employees in what the FBI calls business email compromise (BEC) scams.
Basically, in a BEC scam a hacker or scammer impersonates executive email accounts to trick employees into sending money transfers or handing over sensitive information. These attacks are initiated as social engineering ploys or spoofed emails, and may even be a means to infect your network with malware or ransomware.
Just to give you a sense of how criminals are working, I want to focus on some of the most common phishing subject lines that we’ve been seeing. Here are some of the top subject lines that have led to compromised accounts, money wires and ransomware attacks:
- Request
- Follow up
- Urgent/Important
- Are you available?/Are you at your desk?
- Payment Status
- Hello
- Other
- Purchase
- Invoice Due
- Re:
- Direct Deposit
- Expenses
- Payroll
Even a simple subject line of “Request” gets a ton of clicks. It’s certainly common: at this point it accounts for nearly 40% of successful attacks.
“Follow Up” was another very commonly used subject line that got people to click (nearly 20% of successful attacks).
What have we been seeing with phishing attacks?
Nearly three-quarters of email attacks try to establish rapport or a sense of urgency with the recipient of that email. In many subject lines, scammers are trying to make it seem like they’ve already established an email chain on the subject with your user.
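As an added example (not code from the original post), here is a small Python triage function that applies the points above to raw messages: it matches the subject lines listed, flags a “Re:” subject that carries no threading headers, and flags an executive display name on an address outside the company domain. The company domain, executive names and sample messages are constructed for illustration.

```python
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Subject lines the post reports as leading to compromises, lowercased.
LURE_SUBJECTS = {
    "request", "follow up", "urgent", "important", "are you available?",
    "are you at your desk?", "payment status", "hello", "other", "purchase",
    "invoice due", "direct deposit", "expenses", "payroll",
}
# Hypothetical company domain and executive display names to protect.
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john roe"}

def score_message(raw: str) -> list[str]:
    msg = Parser(policy=policy.default).parsestr(raw)
    norm = " ".join((msg["Subject"] or "").lower().split())
    findings = []
    # "Re:" is used to fake an existing thread; strip it before matching.
    is_reply = norm.startswith("re:")
    core = norm[3:].strip() if is_reply else norm
    if core.rstrip("!.") in LURE_SUBJECTS:
        findings.append("lure-subject")
    # A genuine reply carries threading headers; a faked one usually does not.
    if is_reply and not (msg["In-Reply-To"] or msg["References"]):
        findings.append("fake-reply")
    # BEC: executive display name on an address outside the company domain.
    name, addr = parseaddr(msg["From"] or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if name.strip().lower() in EXECUTIVE_NAMES and domain != COMPANY_DOMAIN:
        findings.append("exec-impersonation")
    return findings

# Constructed sample messages (not real mail).
PHISH = """From: Jane Doe <jane.doe@mail-example.net>
Subject: Re: Request

Are you at your desk? I need a wire sent before noon.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
Subject: Re: Q2 budget
In-Reply-To: <abc123@example.com>

Looks fine, go ahead.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, score_message(raw))
```

Any non-empty finding list is a reason to route the message to a reviewer rather than to the user’s inbox.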
A few tips to outsmart scammers
Don’t click—one of the biggest ways your users can outsmart scammers at this point is to NOT click on links or attachments in emails if they aren’t expecting the email from the specific sender. If there is an attachment, you should contact the sender first (I know this might be annoying, but this could save you a ton of money). Never trust a link. Have your users make a habit of copying and pasting URLs from emails instead of simply clicking on links. If they have any reservations about clicking, tell them to follow their gut reaction and NOT click.
Another huge area where users tend to give out information is by using the same password on multiple accounts. If your credentials are stolen from one account, rest assured criminals will try the same password on everything they can get their hands on. If your password is the same across your accounts, your network might be easily compromised with little to no work (and, worse, you will have little control over keeping your network safe). Make sure you enforce regular password changes to ensure that your team is not reusing the same old password on Facebook that they use on your business network.
Another word about passwords: the simpler a password is, the easier it is to break. Make sure your users create unique and complex passwords.
I know that I haven’t even scratched the surface when it comes to scams. If you’re concerned about your users, make sure you sign up, and encourage your team to sign up, for our upcoming webinar on the latest phishing tactics criminals are using to break into your network!
Consider attending Phishing: Don’t Get Hooked!