When Barracuda first opened shop as an email security company about 15 years ago, spam was the major problem in corporate inboxes. While spam bogged down users, the messages themselves weren’t typically malicious—a lot has changed since then. Today, criminals are using all types of tactics to launch attacks through email, including some clever phishing campaigns where the most effective line of defense is the human firewall.
The human what? You know, in a world where organizations have vendors jumping in front of each other to deploy their “best-of-breed” security solutions at HQ and everywhere else—the only thing between your company and a ransomware attack, could be whether or not your users click, or don’t click on a malicious link.
Let’s take a closer look at the types of phishing emails your users are up against each day, and what they can do to stay safe from creative cybercriminals.
Every day cybercriminals come up with a wide-variety of phishing tactics with the intent of scamming innocent users. In the month of May alone, Barracuda blocked over 1.5 million phishing emails and saw over 10,000 unique phishing attempts (the same email content, potentially sent to hundreds or even thousands of people). So far in June, we’ve already blocked 1.7 million phishing emails with over 2,000 unique attempts. Below, we’ve highlighted some of the real attempts sent by criminals—let’s take a look.
In this first example, the criminals are attempting to entice the recipient with a money scam, which is pretty much what it sounds like. The intent here is to scam users out of money, but in similar attempts we’ve also seen criminals attempt to acquire information or infect a computer with malware.
Money scams like this are fairly common, and they often promise a large sum of money to the user like this one. When the user replies, the criminals usually request a smaller sum and in return promise a larger sum back—which of course never happens.
The next example highlights an attempted information phishing scam where criminals are hoping to gather information from the user. Criminals are always trying to gather information from users, and in this case a spoofed bank message is used to convince the user to act on their request.
[The criminals did a decent job of making this message appear like it could actually be coming from a bank. However, if the user clicks on the link, they could be prompted to enter their credentials in a different window—ultimately surrendering their user name and password.
Another common problem users face from phishing, is the distribution of malware. The goal of these messages is to trick a user into either opening an attachment (like the example below) or clicking on a URL.
As you can see with this example, the criminals are trying to convince the user to open an attachment by acting as if it’s pertaining to an urgent matter. In order for the malware to work, criminals have to get the user to install the software on their computer. Malware can be distributed in many forms including: viruses, worms, bots, ransomware, password stealers, and more. I should note that a user would be much less likely to fall for this type of scam if they had in fact received some sort of security awareness training.
Multiple file extensions
As mentioned above, phishing attempts often require a user to open an attachment in order to install malware, and there are a lot of different ways criminals try to get users to do this. One way is that they will include attachments with multiple file extensions in an attempt to trick users into thinking the file type is different than it actually is.
Here the criminals are using a “PDF.zip” file extension, which should raise a red flag to the user because they are two different file types; however, this could easily be looked past since they are file types that most people would find familiar.
Not all threats come in the form of email attachments, which is why links should also be handled with just as much scrutiny. This example shows exactly why.
The link itself doesn’t look suspicious; however, the link actually points to an entirely different URL. Not only can links like this be used to spread malware, but they can also direct users to sites setup by criminals in order to capture credentials or other personal information. When unsure, it’s best to not click on a link or at least hover the curser over the link without clicking to identify the actual location of a link.
While phishing refers to mass targeting, spear phishing messages are specifically crafted to target a single, specific individual by attempting to create a sense of trust with them. Spear phishing attempts regularly use impersonation techniques to convince recipients that the message is coming from a real source. Effective spear phishing takes a great deal of reconnaissance about the target in order to increase the probability of a user actually falling for an attack. Here’s an example where the criminals actually took the time to register a deceptive domain that contains the name of an actual entity in order to appear legitimate.
They obviously want the message to appear like it’s coming from Netflix; however, if you look closely at the URL—you’ll notice that “Netfliix” is actually misspelled. This technique is called typosquatting, which is often used to sell the ruse when the attacker wants the user to click a link.
All of these examples are just a small sample size of the many variations of phishing scams criminals are sending out each day, but these examples certainly make the case for why today’s users need to be properly trained in order to stay safe online.
As we discussed, the best defense against phishing and spear phishing is to help make users aware of the threats and techniques used by criminals. I’ve included a few tips below based on the examples above; however, the best approach would be for organizations to implement a simulation and training program to improve security awareness for their users. BarracudaPhishLine helps humans recognize the subtle clues to identify phishing attempts, and uses a two-pronged approach to meet this end. First, computer-based training gives users a baseline understanding of the latest techniques attackers are using. Second, PhishLine embeds learning into business processes, by launching customized simulations that test and reinforce good user behavior. A large library of curated content means faster time to value, while rich reporting and analytics provide visibility.
Here are a few quick tips to help avoid phishing scams like the ones highlighted above:
– Don’t click on attachments or URLs from unknown sources. Sometimes even sources that you think are safe—could have been impersonated by criminals. If there’s ever a question of legitimacy, you can always go to the site directly in your browser.
– Attachments and emails with attachments should always be treated with care because with much of the malware being distributed today—simply opening a single file can result in infecting your computer almost instantly. Attachments may give off some indicators
– Many information scams claim that an email login is required to access some resource or document. A good practice is to never enter login credentials on a page that was reached via an email link, regardless of whether or not the email was legitimate. Instead, go to the site directly in your browser to log in.
– Money scams are notorious for displaying poor grammar, and in many cases the language used could appear to be coming from someone who may be writing English as a secondary language. Just remember, if it sounds too good to be true—it probably is.