- A deceptive email address in the “From” field. At first glance, the email address might seem legitimate. For instance, cybercriminals might send out an email message using the address “email@example.com” instead of the real “firstname.lastname@example.org” address.
- A request to update or verify information. Cybercriminals like to get sensitive information by posing as a popular legitimate financial institution (e.g., a bank) and asking you to update or verify your information.
- A sense of urgency. A common tactic in a phishing or spear phishing scam is to create a sense of urgency. The cybercriminals first let you know about a problem that requires your attention. Then, they let you know that there will be unfortunate consequences if you do not take action quickly.
- A deceptive URL. A deceptive URL is one in which the actual URL does not match the displayed linked text or web address. For example, the displayed text might specify a legitimate bank name (“Chase”) or bank web address (“www.chase.com”), but when you hover your cursor over it (without clicking it), you might discover that the actual URL leads to a website in a foreign country known for cyber attacks.
- An attachment. Cybercriminals sometimes use email attachments to install malware on computers. Many different types of files can contain malicious code, including PDF files and Microsoft Word documents.
When discussing how to spot phishing and spear phishing attacks with employees, be sure to stress the risks associated with clicking an email link or opening an email attachment, especially if the email is from an unknown source. You also need to let employees know what they should do if they receive a suspicious email (e.g., simply delete it, notify someone about it).
Cybercriminals sometimes try to con employees into giving them the information they need to access businesses’ computer systems or accounts. This is referred to as social engineering. Hackers like to use social engineering attacks because exploiting human behavior is usually easier than hacking security and computer systems.
While social engineering attacks typically occur via email (a.k.a. spear phishing emails), they can also occur over the phone and in person. The cybercriminals often masquerade as employees, but they also might pretend to be suppliers, customers, or even trusted outside authority figures (e.g., firefighters, auditors).
To get into character, cybercriminals usually learn your business’s lingo. When cybercriminals use the terms that employees are accustomed to hearing, the employees are more apt to believe the cybercriminals and do what they ask.
Besides learning the business lingo, cybercriminals sometimes search the Internet for information that can help them in their impersonations. Without realizing it, many people provide a lot of information about their professional and personal lives on LinkedIn, Facebook, and other social media sites.
When discussing social engineering with your employees, stress the importance of being careful about what they post on social media sites. It might become fodder for a sophisticated spear phishing attack. Or, it might provide cybercriminals with the information needed to hack online accounts. For example, if an employee posts pictures and stories about her favorite cat, cybercriminals might try using the cat’s name as a password or the answer to the security question “What is the name of your favorite pet?” With some online accounts, all it takes to reset a password is an email address and the correct answer to a security question. If cybercriminals are able to reset an account’s password, they gain full access to that account.
Our team can share their vast knowledge about cyberattacks with your employees. Armed with this information, your employees can present a formidable line of defense against cyberattacks.