Is it a phish?

Is it a phish? Hardly a week goes by when I don’t have a client ask me if a certain email is a phish. Or they send me a phish they received.

Why my business?

Businesses get certain types of phishing attempts. Most are attempts to get private information, banking details  and credentials (such as Office 365 or G-Suite logins), or to infect systems with ransomware and malware.

Is it a phish?

Let’s start at the top. The From field is important to look at. Is the domain correct? One client showed me an example of a phishing email where the hackers bought a domain that was just one letter off theirs to make it look like the email was from a legitimate business. Is the email unexpected? Have you ever heard of the sender?

Next look at the To field. Are there other unusual recipients? Are there a lot of other recipients? Do you know any of the other recipients?

The From and To Fields get abbreviated on mobile phones. You will have to look carefully at the next few areas or even better, look a suspicious emails from a full screen browser or email program like Outlook. They will reveal more details.

The subject line. Does the subject make any sense? Does it relate to the content? Is it tacky?

Attachments. Be wary of PDF resumés, ZIP files and invoices you are not expecting.  Occasionally you will still see an Excel or Word file attachment with malevolent macros.

When you first glance at the contents, do you see links? Does the link address match the sender domain? Is the email just one long weird looking link? When you hover you mouse over the link, does the link match what the display shows?

Do the contents create a sense of urgency? Or offer rewards but only if you reply now? Mention bitcoins or gift cards? Unexpected?

How do protect your business?

You could crank your spam filters but the filters are only reactive. The best defense is to educate your staff on typical phishes, and reinforce your business procedures and policies particularly in regards to banking and accounts payable.

Also make it clear how staff will be treated if they get phished. Not knowing someone in your organization has given away business information can bite in you in the gills down the line. It’s important to reassure staff that reporting getting phished won’t get them disciplined.

Why should you worry?

Corporate phishing has increased almost 200% since the start of the pandemic. And the nature of phishing has changed. Below are stats from one company that monitors phishing attacks. From my own clients I have a big increase in attempts to steal credentials, usually Office 365 account information.

The tactics that criminals use in phishing are the same tactics they use in phone calls and smail mail.

Impacts of phishing attacks