You’ve got mail: phishing emails get more sophisticated
Director - TELUS Wise
Despite the debate about exactly how old the Internet is and how long we’ve been using email, the fact is that we’ve had some time to get acquainted with this technology and, generally speaking, we’re becoming savvier internet users. The downside, however, is that as we become more aware of how to identify and avoid phishing email traps, cyber criminals are stepping up their social engineering game, making it increasingly challenging for us to detect these sneaky and malicious emails disguised to look like legitimate correspondence. We’re seeing a trend where fraudsters favour more targeted approaches over ‘spray and pray’ phishing campaigns that are sent to many people at the same time.
Here we shed light on two recent, targeted and increasingly sophisticated phishing email scams that may be coming to an inbox near you.
1. Odd or unexpected replies to old emails
This scheme works by infecting a user’s computer with malicious software that steals old emails and related contact information. Fraudsters then use the stolen emails and contact information to continue old email exchanges with the user’s contacts, taking the time to make the email appear to come from someone known and trusted, using a subject line that the recipient would be familiar with, and including malicious email attachments. Unsuspecting recipients are tricked into opening the email and attachment (after all, the sender and subject line looked familiar), and the malicious software continues to spread.
2. Emails that come from your boss or other company executives
In this case, emails are disguised to come from a superior, and dutiful employees are tricked into clicking and complying with requests in the email, which may range from simply reviewing an attached malicious document or clicking on a bad link, to providing direct deposit or banking information, to wire transferring money to complete a vendor payment. Some fraudsters go the extra mile by scouring social media for ‘inside’ information about the target, which they then use to make the email seem even more legitimate (for instance, they could start off the email with “Hope you had a lovely trip to Mexico,” using insight gleaned from a Facebook account with loose privacy settings, or “Heard the launch event went well last week - congratulations,” gathered from a recent LinkedIn post).
What you can do to protect yourself
Often referred to as spear phishing attacks, these highly targeted and personalized emails can be tricky to detect and easy to fall victim to. In addition to the tips shared in this TELUS Wise video, here are some additional tips to help you stay safe from these more sophisticated phishing attempts:
- Only click on links and attachments that you’re expecting. Don’t click on executable or compressed files, as these often contain malicious code. You can identify these files by their extensions; executable files have .exe or .msi or .js at the end of their name whereas compressed files may end with .zip or .jar or .rar or .7z.
- Limit the information you share about yourself on social media, thereby limiting the information fraudsters can use in targeted phishing attacks.
- Use extra caution and discretion if you receive an email that appears to be: an unexpected reply to an old email thread; out of context, discussing something you’ve already worked on or a matter/project that is closed; containing an unexpected Word document or other attachment.
- If you ever mistakenly open an unexpected or suspicious Microsoft Office attachment, don’t enable macros, editing or content.
- If you get a request to complete any kind of payment or transfer of funds, or a request to provide or validate personal information, even if it appears to be from someone you know and trust, call the person to confirm the validity of the request. Avoid using the contact information provided in the email itself.
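The tips above can be turned into a simple triage check that a help desk or mail administrator runs over a reported message. The following is an added example, not TELUS Wise code: it uses Python’s standard `email` module to flag the three warning signs the article describes (an attachment whose final extension is one of the executable or compressed types listed, a sender whose display name matches a known contact but whose address does not, and body text asking for a payment or banking details). The sample message, the `ADDRESS_BOOK` mapping and the `REQUEST_PHRASES` list are constructed for this illustration; the double-extension handling (`Invoice_Q3.pdf.exe`) goes slightly beyond the article, since that is how such names usually appear.

```python
"""Mail triage helper for the phishing warning signs described above.

Added example, not TELUS Wise code. The sample message, address book and
request-phrase list below are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

# Extensions named in the article, compared case-insensitively.
EXECUTABLE_EXTS = {".exe", ".msi", ".js"}
COMPRESSED_EXTS = {".zip", ".jar", ".rar", ".7z"}
RISKY_EXTS = EXECUTABLE_EXTS | COMPRESSED_EXTS

# Phrases that suggest a payment or personal-data request (assumed list).
REQUEST_PHRASES = ("wire transfer", "direct deposit", "banking information", "vendor payment")

# Constructed address book: display name -> the address we actually know.
ADDRESS_BOOK = {"Dana Chen": "dana.chen@example.test"}

# Constructed message: a "reply" to an old thread, a look-alike sender domain,
# a payment request, and a double-extension attachment. Payload is "hello".
SAMPLE_EML = """\
From: Dana Chen <dana.chen@example-mail.test>
To: staff@example.test
Subject: Re: Q3 vendor payment
In-Reply-To: <old-thread@example.test>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hope you had a lovely trip. Please complete the vendor payment by wire transfer today;
details are in the attachment.

--b1
Content-Type: application/octet-stream; name="Invoice_Q3.pdf.exe"
Content-Disposition: attachment; filename="Invoice_Q3.pdf.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""


def risky_attachment_names(msg):
    """Return attachment filenames whose *final* extension is executable or compressed.

    Checking the final extension catches double-extension names such as
    report.pdf.exe, which display as a document on some systems.
    """
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in RISKY_EXTS):
            flagged.append(name)
    return flagged


def spoofed_known_sender(msg, address_book):
    """Return (name, actual, expected) when a known display name carries an unknown address."""
    name, addr = parseaddr(str(msg.get("From", "")))
    expected = address_book.get(name)
    if expected and expected.lower() != addr.lower():
        return (name, addr, expected)
    return None


def payment_request_phrases(msg):
    """Return the request phrases found in the plain-text body."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    return [phrase for phrase in REQUEST_PHRASES if phrase in text]


def triage(raw, address_book):
    """Parse a raw RFC 5322 message and collect the warning signs it shows."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {
        "risky_attachments": risky_attachment_names(msg),
        "spoofed_sender": spoofed_known_sender(msg, address_book),
        "reply_to_thread": str(msg.get("Subject", "")).lower().startswith("re:"),
        "payment_phrases": payment_request_phrases(msg),
    }
    # A payment request or a look-alike sender is exactly the case where the
    # article says to phone the person using a number you already have.
    findings["needs_out_of_band_verification"] = (
        bool(findings["payment_phrases"]) or findings["spoofed_sender"] is not None
    )
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML, ADDRESS_BOOK).items():
        print(f"{key}: {value}")
```

The helper only flags; it never opens the attachment. A flagged `needs_out_of_band_verification` is the cue to confirm the request by phone using a number from your own records rather than anything in the message.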