August 2020 Security Awareness

Types of Phishing Emails

  • There are multiple types of phishing emails focused on targeting businesses. We’ll explore a few of them and things to watch out for.

    1. Business Email Compromise (CEO Fraud):
    The hacker sends an email to an employee, pretending to be an executive or owner. The goal of these emails is to get the victim to transfer funds to a fake account.

    Watch for Spoofed email addresses:
    These will appear like:  Gerry Owner <adencar345@gmail.com>
    Instead of:  Gerry Owner <gerry@company.com>

    Add a warning banner to email:
    A banner like below will alert you that this email did NOT come from inside your company.

    Note: this banner is set for your whole company by an administrator. If you are interested in this for your company let us know.

    2. Evil Twin Hotspots:
    A hacker creates a new Wireless Access Point that seems legitimate. Once users connect, the hacker can collect information such as emails and passwords.

    Avoid open public wifi if you can: If you do need to log in to wifi at a coffee shop, only browse “https” secure sites and use a password manager if you need to enter credentials. This will prevent the hacker from capturing your password while you enter it.

    Use a VPN (Virtual Private Network) connection: If you use public wifi regularly, invest in a good VPN, and open this connection before accessing wifi. A VPN will provide an encrypted tunnel for all data transferred. NordVPN and ExpressVPN are popular VPN providers in Canada.

    3. Clone Phishing:
    The hacker creates a replica of a legitimate message, usually with a note saying “hey I made a mistake, the banking details are actually…”
    Because the user is already communicating with the sender, they have inherent trust. This is usually preceded by a credential grab.

    Always check website addresses when logging into sensitive sites: Make sure you are logging into the actual site, watch for spoofed domain names with special characters (shown in red below):
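
    The two checks described above (the spoofed sender address in point #1 and the lookalike domain in this point), written out as an added example that is not part of the original newsletter; the internal domain, the staff list and the confusable-letter table are constructed for it:

```python
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed values for this example: the company's real domain and the
# staff whose names are likely to be impersonated.
INTERNAL_DOMAIN = "company.com"
KNOWN_STAFF = {"gerry owner": "gerry@company.com"}

# A few Cyrillic letters that look identical to Latin ones (constructed,
# deliberately short table; real confusable lists are far longer).
CONFUSABLES = str.maketrans({
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0441": "c", "\u0440": "p",
})


def check_sender(from_header):
    """Return warnings for a From: header (hypothetical helper)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    warnings = []
    if domain != INTERNAL_DOMAIN:
        warnings.append("EXTERNAL sender")  # what the warning banner flags
    expected = KNOWN_STAFF.get(name.strip().lower())
    if expected and expected.lower() != addr.lower():
        warnings.append(f"display name '{name}' does not match {expected}")
    return warnings


def check_url(url):
    """Return warnings for a link target: plain http, non-ASCII or lookalike hosts."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if any(ord(c) > 127 for c in host):
        warnings.append("non-ASCII characters in host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (IDN) host")
    # Map confusable letters to Latin and strip accents, then compare with
    # the real domain: a match after folding means a lookalike.
    folded = unicodedata.normalize("NFKD", host.translate(CONFUSABLES))
    folded = folded.encode("ascii", "ignore").decode()
    if folded != host and folded.endswith(INTERNAL_DOMAIN):
        warnings.append(f"lookalike of {INTERNAL_DOMAIN}")
    return warnings
```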

    Use Two-Factor Authentication when possible: This will prevent a hacker from accessing your account, even if they have access to your credentials. A cell phone will be required for all new logins.

    4. Spear Phishing:
    The most common type, targeted at specific users in a company who might have access to sensitive information. When the user clicks on a malicious link, the hacker installs malware that gives them access to the user’s computer.

    Use a good antivirus that is up to date: This will help prevent any malicious files from running.

    Add the warning banner like in point #1 above: The banner will alert you that this email is NOT from the internal user you assume it is.