Posts

Phishing is a type of attack vector that involves a website or email that looks as if it is from a reputable organization but is actually created with the intent of gathering sensitive information such as usernames, passwords, and credit card details (also known as Card Data). Phishing attacks are common in the online world. When your company falls victim to a phishing attack, it can cause brand name harm and interfere with your search engine ranking or conversion rate. It should be a priority for marketers to protect against phishing attacks because they are a direct reflection of your company’s consistencies. Hence, as marketers, we need to proceed with extreme caution when it comes to phishing scams.

Phishing scams have been around for many years. Don’t worry if you didn’t hear about it before, it isn’t your fault. Some say that the cyber scam was born 10 years ago but phishing officially became a crime in 2004. As Phishing techniques continue to evolve, encountering a new phishing email can quickly become confusing, and sometimes it’s hard to tell if the message is legitimate or not. You can better protect yourself and your organization by being alert to these five common phishing techniques.

5 Common Phishing Terms You Need to Know

1) Email Phishing 

Phishing emails are usually sent out in bulk from a domain that mimics a legitimate one. A company might have the email address [email protected], but a phishing company might use [email protected] The goal is to fool you into clicking on a malicious link or sharing sensitive information by pretending to be a real company you do business with.  A fake domain often involves character substitution, like using ‘r’ and ‘n’ next to each other to create ‘rn’ instead of ‘m’.

Phishing attacks are constantly evolving and getting more and more undetectable with time. Threat actors are using social engineering tactics to spoof domains and send fraudulent emails from a legitimate domain, for malicious ends.

2) Spear Phishing 

The spear phishing attack is a new form of cyber attack that uses false information to gain access to accounts that have a higher level of security. Professional attackers have a goal of compromising a single victim, and in order to carry out this idea, they research the company’s social profile and the names and role of employees within that company. Unlike phishing, Spear phishing is a targeted campaign against one organization or individual. These campaigns are carefully constructed by threat actors with the sole purpose of targeting a specific person(s) to gain access into an organization.

3) Whaling

Whaling is a highly targeted technique that can compromise the emails of higher-level associates. The objective, which is similar to other phishing methods, is to trick employees into clicking on a malicious link. One of the most devastating email attacks to pass through corporate networks is the whaling scam. These attempts at personal gain using powers of persuasion to lower victims’ resistance, tricking them into handing over company funds.Whaling is also known as CEO fraud, as attackers often impersonate people in authoritarian positions such as the CEO of a company.

4) Business Email Compromise 

Business Email Compromise (BEC) is a form of cyber crime which can be extremely costly to businesses. This type of cyber attack uses email fraud to influence organizational domains into partaking on fraudulent activity resulting in the compromise and theft of sensitive data. Examples of BEC can include invoice scams, domain spoofing and other forms of impersonation attacks. Each year an average organization can lose up to $70 million dollars to BEC scams. In a typical attack, fraudsters target specific employee roles within an organization by sending a series of fraudulent emails that claim to be from a senior colleague, customer or business partner. They may instruct recipients to make payments or release confidential data.

5) Angler Phishing 

Many corporations have thousands of customers and receive hundreds of complaints daily. Through social media, companies are able to escape the confines of their limitations and reach out to their customers. This enables a corporation to be flexible and adjust to the demands of their customers. Angler phishing is the art of reaching out to disgruntled customers over social media and pretending to be part of a company.The angler phishing scam is a simple ploy used to trick casual social media users into thinking that a company is trying to remedy their problems, when in reality, the person on the other end is taking advantage of them.

How to Protect Your Organization from Phishing and Email Fraud

Your email service provider may come with integrated security packages as a part of their service. These however act as spam filters that offer protection against inbound phishing attempts. However, when an email is being sent by scammers using your domain name to recipient inboxes, like in case of BEC, whaling and other forms of impersonation attacks listed above, they won’t serve the purpose. This is why you need to avail of email authentication solutions like DMARC, immediately and shift to a policy of enforcement.

  • DMARC authenticates your emails by aligning them against SPF and DKIM authentication standards.
  • It specifies to receiving servers how they should respond to emails failing authentication checks.
  • DMARC aggregate (RUA) reports provide you with enhanced visibility into your email ecosystem and authentication results, and helps you monitor your domains easily.
  • DMARC forensic (RUF) reports give you in-depth analysis of your DMARC failure results, helping you respond to impersonation attacks faster.

How Can PowerDMARC Help Your Brand?

PowerDMARC is more than just your DMARC service provider, it is a multi-tenant SaaS platform that provides a wide range of authentication solutions and DMARC MSSP programs. We make email authentication easy and accessible for every organization, from small businesses to multinational enterprises.

  • We help you move from p=none to p=reject in no time, so as to protect your brand from impersonation attacks, domain spoofing and phishing.
  • We help you easily configure DMARC reporting for your with comprehensive charts and tables and RUA report views in 6 different formats for ease of use and amplified visibility
  • We cared about your privacy, so you can encrypt your DMARC RUF reports with your private key
  • We help you generate scheduled PDF reports on your authentication results
  • We provide dynamic SPF flattening solution like PowerSPF so that you never exceed the 10 DNS lookup limit
  • We help you make TLS encryption mandatory in SMTP, with MTA-STS to protect your domain from pervasive monitoring attacks
  • We help you make your brand visually identifiable in your recipient inboxes with BIMI

Sign up with PowerDMARC today to get your free DMARC analyzer tool trial, and shift from a policy of monitoring to enforcement to provide your domain maximum protection against BEC, phishing and spoofing attacks.

Email serves as a critical channel for B2B lead generation and customer communications, but it is also one of the most widely targeted channels for cyberattacks. Cybercriminals are always innovating their attacks in order to steal more information and financial assets. As organizations continue to fight back with stronger security measures, cybercriminals must constantly evolve their tactics and improve their phishing and spoofing techniques. In 2021, a drastic increase in the use of machine learning (ML) and artificial intelligence (AI) based phishing attacks that are going undetected by traditional email security solutions have been detected by security researchers from around the world. The main aim of these attacks are to manipulate human behaviour and trick people into performing unauthorized actions – like transferring money to fraudsters’ accounts.

While the threat of email-based attacks and email fraud are always evolving, don’t stay behind. Know the email fraud trends that will take place in the following years in terms of fraudster tactics, tools, and malware. Through this blog post I’ll show you how cybercriminals are developing their tactics, and explain how your business can prevent this kind of email attack from taking place.

Types Of Email Fraud Scams to Beware of in 2021

1. Business Email Compromise (BEC)

COVID-19 has compelled organizations to implement remote-working environments and shift to virtual communication between employees, partners and customers. While this has a few benefits to list down, the most apparent down-side is the alarming rise in BEC over the past year. BEC is a broader term used for referring to email-based cyber attacks like email spoofing and phishing. The common idea is that a cyber attacker uses your domain name to send emails to your partners, customers or employees trying to steal corporate credentials to gain access to confidential assets or initiate wire transfers. BEC has affected more than 70% organizations over the past year and has led to the loss of billions of dollars worth of company assets.

2. Evolved Email Phishing Attacks

Email phishing attacks have drastically evolved in the past few years although the motive has remained the same, it is the medium to manipulate your trusted partners, employees and clients into clicking on malicious links encapsulated within an email that appears to be sent from you, in order to initiate installation of malware or credential theft. Evolved email scammers are sending phishing emails that are hard to detect. From writing impeccable subject lines and error-free content to creating fake landing pages with a high level of accuracy, manually tracing their activities have become increasingly difficult in 2021.

3. Man-In-The-Middle

Gone are the days when attackers sent out poorly-written emails that even a layman could identify as fraudulent. Threat actors these days are taking advantage of SMTP security problems like the use of opportunistic encryption in email transactions between two communicating email servers, by eavesdropping on the conversation after successfully rolling back the secured connection to an unencrypted one. MITM attacks like SMTP downgrade and DNS spoofing have been increasingly gaining popularity in 2021.

4. CEO Fraud

CEO fraud refers to the schemes that are being conducted that target high-level executives in order to gain access to confidential information. Attackers do this by taking the identities of actual people such as CEOs or CFOs and sending a message to people at lower levels within the organization, partners and clients, tricking them into giving away sensitive information. This type of attack is also called Business Email Compromise or whaling. In a business setting, some criminals are venturing to create a more believable email, by impersonating the decision-makers of an organization. This allows them to ask for easy money transfers or sensitive information about the company.

5. COVID-19 Vaccine Lures

Security researchers have unveiled that hackers are still trying to capitalize on the fears tied to the COVID-19 pandemic. Recent studies shed light on the cybercriminal mindset, revealing a continued interest in the state of panic surrounding the COVID-19 pandemic and a measurable uptick in phishing and business email compromise (BEC) attacks targeting company leaders. The medium for perpetrating these attacks is a fake COVID-19 vaccine lure that instantly raises interest among email receivers.

How Can You Enhance Email Security?

  • Configure your domain with email authentication standards like SPF, DKIM and DMARC
  • Shift from DMARC monitoring to DMARC enforcement to gain maximum protection against BEC, CEO fraud and evolved phishing attacks
  • Consistently monitor email flow and authentication results from time to time
  • Make encryption mandatory in SMTP with MTA-STS to mitigate MITM attacks
  • Get regular notifications on email delivery issues with details on their root causes with SMTP TLS reporting (TLS-RPT)
  • Mitigate SPF permerror by staying under the 10 DNS lookup limit at all times
  • Help your recipients visually identify your brand in their inboxes with BIMI

PowerDMARC is your single email authentication SaaS platform that assembles all email authentication protocols  like SPF, DKIM, MTA-STS, TLS-RPT and BIMI on a single pane of glass. Sign up today to get your free DMARC analyzer! 

You know what’s the worst kind of phishing scam? The kind that you can’t simply ignore. Emails supposedly from the government, telling you to make that pending tax-related payment or risk legal action. Emails that look like your school or university sent them, asking you to pay that one tuition fee you missed. Or even a message from your boss or CEO, telling you to transfer them some money “as a favor”.

The problem with emails like this is that they’re impersonating an authority figure, whether it’s the government, your university board, or your boss at work. Those are important people, and ignoring their messages will almost certainly have serious consequences. So you’re forced to look at them, and if it seems convincing enough, you might actually fall for it.

But let’s take a look at CEO fraud. What exactly is it? Can it happen to you? And if it can, what should you do to stop it?

You’re not immune to CEO fraud

A $2.3 billion scam every year is what it is. You might be wondering, “What could possibly make companies lose that much money to a simple email scam?” But you’d be surprised how convincing CEO fraud emails can be.

In 2016, Mattel almost lost $3 million to a phishing attack when a finance executive received an email from the CEO, instructing her to send a payment to one of their vendors in China. But it was only after checking later with the CEO that she realized he’d never sent the email at all. Thankfully, the company worked with law enforcement in China and the US to get their money back a few days later, but that almost never happens with these attacks.

People tend to believe these scams won’t happen to them…until it happens to them. And that’s their biggest mistake: not preparing for CEO fraud.

Phishing scams can not only cost your organization millions of dollars, they can have a lasting impact on the reputation and credibility of your brand. You run the risk of being seen as the company that lost money to an email scam and losing the trust of your customers whose sensitive personal information you store.

Instead of scrambling to do damage control after the fact, it makes a lot more sense to secure your email channels against spear phishing scams like this one. Here are some of the best ways you can ensure that your organization doesn’t become a statistic in the FBI’s report on BEC.

How to prevent CEO fraud: 6 simple steps

  1. Educate your staff on security
    This one is absolutely critical. Members of your workforce—and especially those in finance—need to understand how Business Email Compromise works. And we don’t just mean a boring 2-hour presentation about not writing down your password on a post-it note. You need to train them on how to look out for suspicious signs that an email is fake, look out for spoofed email addresses, and abnormal requests other staff members seem to be making through email.
  2. Look out for telltale signs of spoofing
    Email scammers use all kinds of tactics to get you to comply with their requests. These can range from urgent requests/instructions to transfer money as a way to get you to act quickly and without thinking, or even asking for access to confidential information for a ’secret project’ that the higher-ups aren’t ready to share with you yet. These are serious red flags, and you need to double and triple-check before taking any action at all.
  3. Get protected with DMARC
    The easiest way to prevent a phishing scam is to never even receive the email in the first place. DMARC is an email authentication protocol that verifies emails coming from your domain before delivering them. When you enforce DMARC on your domain, any attacker impersonating someone from your own organization will be detected as an unauthorized sender, and their email will be blocked from your inbox. You don’t have to deal with spoofed emails at all.
  4. Get explicit approval for wire transfers
    This is one of the easiest and most straightforward ways to prevent money transfers to the wrong people. Before committing to any transaction, make it compulsory to seek explicit approval from the person requesting money using another channel besides email. For larger wire transfers, make it mandatory to receive verbal confirmation.
  5. Flag emails with similar extensions
    The FBI recommends that your organization creates system rules that automatically flag emails that use extensions too similar to your own. For example, if your company uses ‘123-business.com’, the system could detect and flag emails using extensions like ‘123_business.com’.
  6. Purchase similar domain names
    Attackers often use similar-looking domain names to send phishing emails. For example, if your organization has a lowercase ‘i’ in its name, they might use an uppercase ‘I’, or replace the letter ‘E’ with the number ‘3’. Doing this will help you lower your chances of someone using an extremely similar domain name to send you emails.