In today’s digital age, cybercriminals learn and implement new phishing techniques daily and refine their scams to make them more believable than ever. Recent research has shown that an attacker can craft the HTML and CSS of a message so that the “external sender” warning Microsoft Outlook shows on email from outside your organization is hidden from the recipient: because the warning is inserted into the message body as HTML, the sender’s own stylesheet can suppress it. That warning is commonly the first step in identifying a phishing email, and many people rely on it to delete the message and move on with their day.
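The banner-hiding technique above is worth defending against in code as well as in training. The following Python is an added example, not BerganKDV’s product or anything from the cited research; it assumes the gateway prepends the warning as an element with no class or id (so a sender’s stylesheet can only reach it through element, positional, attribute or universal selectors), and both sample messages are constructed. It deliberately lets through the class-scoped `display:none` that marketing mail uses for hidden “preheader” text, since a class selector can only affect markup the sender wrote.

```python
"""Heuristic gateway check: could the sender's CSS hide an injected external-sender banner?

Added example, not BerganKDV's product or Microsoft's code. Assumes the gateway
prepends the warning as an element with no class or id, so a sender stylesheet
can only reach it through element, positional, attribute or universal selectors.
The two sample messages are constructed."""
import re

STYLE_BLOCK = re.compile(r"<style\b[^>]*>(.*?)</style>", re.I | re.S)
CSS_RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")
# Declarations that leave an element in the DOM but make it invisible.
HIDING_DECL = re.compile(
    r"\b(?:display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?:\.0+)?(?![.\d])"
    r"|font-size\s*:\s*0(?:px|pt|em|%)?(?![.\d])"
    r"|(?:max-)?height\s*:\s*0(?:px)?(?![.\d]))",
    re.I,
)


def css_rules(html):
    """(selector, declarations) pairs from every <style> block, selector lists expanded."""
    rules = []
    for block in STYLE_BLOCK.findall(html):
        block = re.sub(r"/\*.*?\*/", "", block, flags=re.S)  # strip CSS comments
        for selectors, decls in CSS_RULE.findall(block):
            for sel in selectors.split(","):
                rules.append((sel.strip(), decls.strip()))
    return rules


def targets_unauthored_markup(selector):
    """True if the selector can match markup the sender did not write.

    A plain class or id selector only hits elements carrying that attribute,
    which the injected banner never does. Bare element names, '*', attribute
    selectors and positional pseudo-classes such as div:first-of-type can all
    reach it, and :not(.x) turns a class selector back into a broad one."""
    return ":not(" in selector or not re.search(r"[.#]", selector)


def hiding_rules(html):
    """Rules that both hide content and could reach the banner."""
    return [(sel, decl) for sel, decl in css_rules(html)
            if targets_unauthored_markup(sel) and HIDING_DECL.search(decl)]


def assess(html):
    """'quarantine' when the banner could be blanked, else 'deliver'."""
    return "quarantine" if hiding_rules(html) else "deliver"


# Constructed sample 1: ordinary marketing mail hiding its own preheader span.
BENIGN = """<html><head><style>
.preheader { display:none; font-size:0; max-height:0; }
</style></head><body>
<span class="preheader">Summer offers inside</span><p>Hello from marketing.</p>
</body></html>"""

# Constructed sample 2: hides whatever element comes first in <body>, which
# after gateway injection is the external-sender banner.
HOSTILE = """<html><head><style>
div:first-of-type, body > div:nth-child(1) { display: none !important; }
/* belt and braces */ table:first-child { height: 0px; overflow: hidden; }
</style></head><body>
<p>Your mailbox is over quota. Sign in within 24 hours to avoid suspension.</p>
</body></html>"""

if __name__ == "__main__":
    for label, html in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, assess(html), hiding_rules(html))
```

This is a heuristic, not a CSS engine: it flags any hiding rule whose selector is not scoped to a class or id, which catches `div:first-of-type` and attribute selectors but would also flag a legitimate `table { display:none }`. A gateway that adds the banner as a separate plain-text line as well as HTML, or that strips `<style>` from external mail, removes the need for the guess entirely.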
With that major red flag potentially missing, does your organization have the training in place to recognize the others? Here are additional signs of a phishing attempt that employees should know. We encourage you to share them as part of your security training:
- The sender’s address looks off. If the sender’s email address is formatted strangely, is unfamiliar to you, or doesn’t match the organization the sender claims to represent, treat the message with skepticism. Check the actual address, not just the display name, since the display name can say anything the sender wants.
- Numerous grammatical errors. A message that claims to be professional correspondence but is riddled with spelling and grammar errors is another sign that something is off.
- Ties into a current event. Not always, but scammers often use current events as a hook to make their message more believable. We saw this over the past year with the COVID-19 pandemic, when attackers used relief packages as bait. Even if the message is relevant to you, if you don’t recognize the sender or weren’t expecting the email, don’t engage.
- An ASAP request. If the sender stresses urgency and imposes a tight deadline, whether responding within 24 or 48 hours or “as quickly as possible,” don’t buy it.
- Consequences of inaction. Building on the previous red flag, a threat of consequences if you fail to act, whether that is sending money, clicking a link, or sharing private information, often pairs with urgency. An empty threat in an email is a clear giveaway that someone is trying to phish you.
- Use of detection evasion. A recent phishing campaign identified by Microsoft used fake login screens placed behind CAPTCHA verifications to capture user credentials; the CAPTCHA step stops automated security scanners from reaching the fake login page while a human victim passes straight through. Phishers are trying harder than ever to make their tactics seamless and undetectable, which is why it’s so crucial to take your time when opening emails. At BerganKDV, we use multi-layer protection technology for our inboxes that doesn’t allow these types of emails to be delivered. Here’s a diagram that illustrates how this phishing campaign was pulled off:
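The first red flag in the list above, a sender address that does not match whom the message claims to be from, can also be checked mechanically before a person ever sees the message. The following Python is an added example and not BerganKDV’s tooling; the trusted-domain list, the lookalike character map and every sample header are constructed for illustration, and the two-label “registrable domain” shortcut is only adequate for .com-style domains.

```python
"""Mechanical checks for the 'sender address looks off' red flag.

Added example, not BerganKDV's tooling. The trusted-domain list and all sample
headers are constructed for illustration."""
import re
from email.utils import parseaddr

# Assumption: brands whose name in a display name must be backed by their real
# domain. A tuple keeps the order of findings deterministic.
TRUSTED_DOMAINS = ("bergankdv.com", "microsoft.com")

# Digit swaps and hyphens commonly used to fake a brand ("micros0ft-support").
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "-": ""})

# Something that looks like a domain written inside a display name.
DOMAIN_LIKE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")


def domain_of(address):
    """'alerts@mail.example.com' -> 'mail.example.com' (lower-cased)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def registrable(domain):
    """Keep the last two labels. Fine for .com-style TLDs; a public-suffix
    list is needed to handle co.uk and similar correctly."""
    return ".".join(domain.split(".")[-2:])


def sender_findings(headers):
    """Return human-readable red flags for the From/Reply-To pair in `headers`."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    name = name.lower()
    from_dom = domain_of(addr)
    reply_dom = domain_of(parseaddr(headers.get("Reply-To", ""))[1])

    # A domain written into the display name that is not the sending domain.
    for claimed in DOMAIN_LIKE.findall(name):
        if registrable(claimed) != registrable(from_dom):
            findings.append(f"display name claims {claimed} but mail is from {from_dom}")

    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand in the display name without the brand's own domain behind it.
        if brand in name and registrable(from_dom) != trusted:
            findings.append(f"display name mentions {brand} but domain is {from_dom}")
        # Brand spelled into a lookalike domain (digit swaps, hyphenated suffixes).
        if registrable(from_dom) != trusted and brand in from_dom.translate(LOOKALIKE_MAP):
            findings.append(f"lookalike of {trusted}: {from_dom}")

    # Replies silently routed to a different domain than the apparent sender.
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        findings.append(f"replies go to {reply_dom}, not {from_dom}")

    # Internationalised domain: may render as a visually identical brand name.
    if "xn--" in from_dom:
        findings.append(f"punycode sender domain {from_dom}")
    return findings


# Constructed sample headers (the punycode label is made up, not a real encoding).
SAMPLES = {
    "legit": {"From": "Microsoft Account Team <noreply@accountprotection.microsoft.com>"},
    "lookalike": {"From": '"billing@microsoft.com" <alerts@micros0ft-support.com>',
                  "Reply-To": "collect@mail.ru"},
    "helpdesk": {"From": "BerganKDV IT Helpdesk <helpdesk@bergankdv-portal.net>"},
    "punycode": {"From": "Microsoft <noreply@xn--micrsoft-nwe.com>"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, sender_findings(hdrs) or "no findings")
```

None of these checks proves a message is phishing on its own (a vendor may legitimately set Reply-To to a ticketing domain), which is why they produce findings for a reviewer or a scoring rule rather than a verdict.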
Cybercriminals will only continue to refine their tactics and schemes. To ensure your organization is prepared to handle even the most refined attacks, it’s crucial to have a robust and evolving cybersecurity training program in place so that employees stay sharp and alert. Training should be frequent and current. It’s also imperative that employees feel comfortable speaking up if they have fallen victim to, or simply received, a phishing attempt, so your IT team can take action as needed, such as removing the same message from other mailboxes and resetting any credentials that were entered.
If you need help with your cybersecurity training plan or are curious to test the effectiveness of your organization’s defense against phishing attacks, BerganKDV can help. We offer a free mini security assessment so you can learn more about the makeup of your company’s security. Take it here. This will provide you a baseline look at potential threats and opportunities in your technology and organizational infrastructure. If you have additional questions about the benefits of the full risk and security assessment and how it can protect your organization, we encourage you to reach out to one of BerganKDV’s cybersecurity experts.