
Phishing Email Examples and How to Identify Them


The biggest challenge of phishing is that technology doesn’t provide a perfect fix. Attackers play on trust and fear to manipulate people to take actions that leave their organization at risk. Stopping phishing attacks starts with identifying the phishing email. 

This presentation provides 6 examples of phishing emails and how to identify them to mitigate risk.

Published in: Technology

  1. 6 Examples of Phishing Emails And How to Identify Them
     Teach Your Employees What to Look for to Identify Phishing Emails
  2. The threat of phishing is increasing both in terms of frequency and sophistication. This trend shows no sign of slowing.
  3. One of the biggest challenges of phishing emails, and social engineering in general, is that technology doesn’t provide a perfect fix.
  4. However, there is one common denominator in all of these phishing attacks. People.
  5. Attackers play on trust and fear to manipulate people to take actions that put them at risk. The risk goes beyond the individual. Employee actions leave organizations vulnerable too.
  6. There’s a common saying that employees are the biggest threat to information security. However, employees can be taught how to recognize phishing emails to keep personal, company, and customer information safe. Untrained employees may be one of the biggest threats to information security, while well trained employees are the best and last line of defense.
  7. This presentation shows 6 examples of phishing emails with pictures. After the presentation, users should:
     1. Identify common phishing emails
     2. Simulate phishing attacks
     3. Raise awareness of phishing threats
  8. The Lookalike Phish
     One common factor in most successful phishing emails is trust. If an attacker can establish trust with the recipient, the likelihood that the recipient performs a desired action increases significantly. Establishing trust is easy if the attacker can look like something the recipient already trusts. For example - Amazon. Almost everyone knows Amazon and has an account, so it’s easy to establish trust quickly with an Amazon lookalike email and trick the recipient into providing their password or confirming their credit card information.
     Two Best Practices to Identify
     1. Check the actual sender to confirm the sender is who you expect it to be. In the Amazon example above, the actual sender domain is ‘emailservice.com,’ not Amazon.
     2. Hover over links in the email to confirm they are going where you expect. Hovering over the links in this example should show Amazon.com.
     Be aware that attackers are becoming more sophisticated and improving their craft. While a link may be easy to spot as fishy, it may also be cleverly disguised. For example, by replacing the ‘o’ in Amazon with a zero (Amaz0n), or a similar character, a recipient may miss the slight change.
  9. The Internal Request
     Similar to the lookalike, the Internal Phish relies on trust. Internal does not describe the sender, as phishing emails typically come from malicious attackers outside an organization. Rather, internal describes the ‘character’ that the attacker is playing. By playing an internal IT Manager or HR Director, an attacker can quickly gain your trust and encourage dangerous behavior. A common Internal email is a request to reset a password from the IT manager.
     Two Best Practices to Identify
     1. Raise employee awareness of the information security policy. Employees should be aware that no one in the company will ever ask for their password. The IT department will never require a password to resolve a support ticket.
     2. Call the sender to confirm the email and its intent. It’s likely that the company has an extension for each employee, so you can quickly contact the sender to confirm that they sent a request for information.
  10. The Government Threat
     Government threats rely on fear rather than trust. Even if the victim is innocent, a call or email from the government raises the heart rate. Passing a police officer while driving down the highway at the speed limit still causes a brake tap, two checks of the speedometer, and three checks in the rearview mirror - an email from the FBI or IRS will do the same. This can be extremely effective by phone, as described in an article about a franchise employee sending thousands of dollars in gift cards to pay for illegal activity by the owner. It’s also effective by email. A common attack has the attacker impersonating the IRS and requesting swift action by the recipient. Fear and trust are heightened when this attack is used during tax season.
     Two Best Practices to Identify
     1. Raise employee awareness of the information security policy. Employees should be aware that no one in the company will ever ask for their password. The IT department will never require a password to resolve a support ticket.
     2. Call the sender to confirm the email and its intent. It’s likely that the company has an extension for each employee, so you can quickly contact the sender to confirm that they sent a request for information.
  11. Wire Transfer Fraud
     Wire Transfer Fraud is increasing in the home buying process. It’s the perfect storm: home buyers are excited, there are multiple parties involved, deadlines, and large amounts of money being transferred. Attackers rely on trust, fear, and time constraints to successfully carry out these attacks. The attacker can easily create a free email account similar to the title company’s or mortgage lender’s name, and request that the buyer make a wire transfer to a new account immediately, or risk a delay in closing.
     Sender: MortageLender@yahoo.com
     Receiver: Home Buyer
     Message: Hello please the escrow just emailed me that you need to send the funds via wire, They dont want to accept check due to a check check issues they just had, You will need to go to your bank to send the wire tomorrow so they can receive the funds before the closing, Please get back to me now so i can send you the wire information.
     Two Best Practices to Identify
     1. Raise employee awareness of the information security policy. Employees and buyers should be aware that no one in the company will ever use a free email account.
     2. Call the sender to confirm the email and wire transfer details. Creating a manual two-factor authentication process will ensure the email was sent by a trusted person and the account information is correct. Note: Do not use the phone number provided in the email. Rather, use a trusted phone number that has already been used to connect with the sender.
  12. Simulate Phishing Attacks on Employees. 14 Day Free Trial
  13. The Spear Phishing Attack
     Spear Phishing is another email attack that relies on trust. As opposed to a normal phishing email that is sent to many, the spear phishing email is targeted at a specific individual. Typically these attackers are looking to steal confidential information. One common spear phishing attack targets the CFO. Most CFOs know that the CEO has a busy schedule and may require funds to support their business travel. A hacker can take advantage of the CEO/CFO relationship by impersonating the CEO and requesting a wire transfer for a reasonable sum while he’s traveling out of the country. The CFO is likely to trust the request and make the transfer.
     Sender: CEO
     Receiver: CFO
     Message: Hi CFO. Are you busy? I’m out of the office and I need you to process a wire transfer for me today. Please send to XYZ. Thanks. Sent from my iphone
     Two Best Practices to Identify
     1. Raise cybersecurity awareness with the leadership team. Training the leadership team to be aware of the increased risk and sophistication of attacks targeting their position will help them identify these phishing emails.
     2. Call the sender to confirm the email and wire transfer details. Creating a manual two-factor authentication process will ensure the email was sent by a trusted person.
  14. The Spoofing Attack
     Spoofing is an attack in which the attacker impersonates a user or device to gain information or access to an account, network, etc. Spoofing can be targeted - for example, wire transfer fraud attacks might use spoofing so that the buyer thinks a malicious wire fraud request email is actually coming from a trusted source. Spoofing attacks can also be used for much wider destruction. For example, attackers targeted Gmail users with the goal of accessing the user’s entire email history. Their code would then spread itself to all of the user’s contacts. The Gmail user would see a link to share a document. When they clicked the link, it would take them to an actual Google page asking them to give permission to the attacker’s fake app.
     Two Best Practices to Identify
     1. If you are not expecting something, do not open attachments, click links or share information.
     2. Call the sender to confirm the email and wire transfer details. Creating a manual two-factor authentication process will ensure the email was sent by a trusted person.
  15. What is Phishing?
     Social Engineering is an attack in which an attacker tricks a person into an action desired by the attacker. A well known type of social engineering attack is phishing. Phishing is most commonly associated with email, but can also be done through text messages and instant messages. During a phishing attack, the attacker uses one of these mediums to trick their victim into clicking on a malicious link, opening a malicious attachment, or providing sensitive information.
     Why Are Hackers Phishing?
     The goal of phishing varies from broad, shotgun attacks that widely distribute malware to targeted attacks that obtain specific information. Malicious links, attachments, and sites attempt to install malware that is meant to do some harm to you or your company. Malware often aims to collect personal information, interrupt computer operation, or gain access to a computer/network. Attackers may also be looking for very specific information/actions - for example, they may perform an attack that dupes a new home buyer into wire transferring funds on the day of closing, in which they know the parties involved and the date/time of closing.
  16. One of the biggest challenges of phishing emails, and social engineering in general, is that technology doesn’t provide a perfect fix. The common denominator in all of these attacks is people. Attackers play on trust and fear to manipulate people to take actions that put them at risk. The risk goes beyond the individual. Employee actions leave organizations vulnerable too.
  17. There’s a common saying that employees are the biggest threat to information security. However, employees can be taught how to recognize phishing emails to keep personal, company, and customer information safe.
  18. Employee Awareness
     Untrained employees may be one of the biggest threats to information security, while well trained employees are the best and last line of defense. Wuvavi Employee Cybersecurity provides an enterprise-grade awareness platform for small and medium sized businesses. Wuvavi makes simulating a phishing attack, training employees on best practices, and tracking completion for compliance requirements easy.
     Employee Cybersecurity Awareness Best Practices
     1. Find a base level to assess results by running a simulated phishing attack.
     2. Assign employees training to teach best practices and raise their awareness.
     3. Schedule ongoing phishing simulations at least quarterly to keep cybersecurity top of mind.
     Wuvavi (www.wuvavi.com) is the leader in employee cybersecurity awareness for small and medium sized businesses. 14 Day Free Trial
  19. Make every employee an active participant in cybersecurity.
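The two checks recommended on slide 8 for the Lookalike Phish (confirm the real sender domain, confirm where each link actually goes, and watch for substitutions such as Amaz0n) can also be applied automatically before a message reaches the employee. The Python script below is an added example, not code from the slides or from Wuvavi. The brand-to-domain table, the character-substitution table, both sample messages and the `registrable()` helper are constructed here for illustration and are deliberate simplifications.

```python
"""Check an email's real sender domain and link targets against the brand it claims.

Added example (not part of the original slides). The expected-brand domain table,
the two sample messages and the character-substitution table are constructed
here for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed: brands this organisation expects mail from, mapped to the domains they really use.
EXPECTED_DOMAINS = {"amazon": {"amazon.com", "amazon.co.uk"}}

# Constructed table of digit/symbol-for-letter swaps used to disguise a brand name (Amaz0n).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "!": "i"})

# Matches <a href="...">visible text</a> in a simple HTML body.
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def canonical(text: str) -> str:
    """Lower-case and undo character swaps so 'Amaz0n' compares equal to 'amazon'."""
    return text.lower().translate(CONFUSABLES)


def registrable(host: str) -> str:
    """Crude registrable-domain guess (last two labels); enough for the sample domains."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def brand_mentioned(text: str) -> Optional[str]:
    """Return the expected brand whose name appears in text (after de-confusing), if any."""
    t = canonical(text)
    for brand in EXPECTED_DOMAINS:
        if brand in t:
            return brand
    return None


def analyze(raw_message: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for the two checks the slide recommends."""
    msg = message_from_string(raw_message)
    findings: List[Tuple[str, str]] = []

    # Check 1: the sender's real domain must match the brand its display name or host claims.
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    claimed = brand_mentioned(display) or brand_mentioned(sender_host)
    if claimed and registrable(sender_host) not in EXPECTED_DOMAINS[claimed]:
        findings.append(("sender-domain", f"claims {claimed} but sends from {registrable(sender_host)}"))
    if brand_mentioned(sender_host) and canonical(sender_host) != sender_host.lower():
        findings.append(("lookalike-spelling", sender_host))

    # Check 2: each link's real host must match the brand its visible text shows ("hover over links").
    body = msg.get_payload()
    for href, text in HREF_RE.findall(body):
        host = urlparse(href).hostname or ""
        visible = re.sub(r"<[^>]+>", "", text).strip()
        shown = brand_mentioned(visible)
        if shown and registrable(host) not in EXPECTED_DOMAINS[shown]:
            findings.append(("link-mismatch", f"text '{visible}' goes to {host}"))
        if brand_mentioned(host) and canonical(host) != host.lower():
            findings.append(("lookalike-spelling", host))
    return findings


# Constructed sample: display name and link text say Amazon, the real domains do not.
SUSPICIOUS_EMAIL = """\
From: "Amazon Customer Service" <no-reply@amaz0n-security.emailservice.com>
To: employee@example.com
Subject: Action required: confirm your payment details
Content-Type: text/html

<p>Your account has been suspended.</p>
<a href="http://amaz0n-verify.emailservice.com/login">www.amazon.com/your-account</a>
<a href="https://www.amazon.com/gp/help">Help</a>
"""

# Constructed sample whose sender and links all resolve to the real brand domain.
LEGITIMATE_EMAIL = """\
From: "Amazon" <order-update@amazon.com>
To: employee@example.com
Subject: Your order has shipped
Content-Type: text/html

<p>Track it here: <a href="https://www.amazon.com/orders">www.amazon.com/orders</a></p>
"""

if __name__ == "__main__":
    for kind, detail in analyze(SUSPICIOUS_EMAIL):
        print(f"{kind}: {detail}")
    print("legitimate sample findings:", analyze(LEGITIMATE_EMAIL))
```

Run as-is to see the findings for the two constructed samples: the suspicious one produces a sender-domain mismatch, a link whose visible text says amazon.com but points at emailservice.com, and two lookalike-spelling hits, while the legitimate one produces nothing. The substitution table is intentionally small; a production filter would use a confusables list that also covers Unicode homoglyphs, and the last-two-labels domain guess should be replaced by a public suffix list lookup so that brands under suffixes such as co.uk are compared correctly.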
