Phishing, in all its forms, from malicious emails to SMShing (text phishing) to social post phishing to Vishing (phone call phishing), is now part of the daily life of an organisation.
However, phishing emails are by far the most common form of phishing.
What Are Phishing Emails?
Phishing emails are fraudulent messages sent by cybercriminals impersonating legitimate entities, aiming to deceive recipients into divulging sensitive information or performing harmful actions, such as clicking malicious links or downloading malware.
According to research from Cisco’s “2021 Cybersecurity Threat Trends Report,” around 90% of data breaches begin with phishing emails. Worryingly, the report suggests that in 86% of organisations, at least one person will click on a phishing link. But, of course, it only takes one click to become infected with ransomware or the exposure of sensitive data, etc.
Understanding the tactics used in some of the most common forms of phishing email attacks and how employees can avoid them helps to reduce cyber risk. Here are five examples of phishing emails and how to stop employees from taking risks.
The Fake Invoice Scam
A favourite amongst phishers is the fake invoice scam. Fraudsters send out emails containing fake invoices, hoping to catch out an unaware employee. Unfortunately, if the fake invoice is paid or a query about the invoice is made to the scammer, money or personal data will likely be stolen.
The type of invoice included in the phishing emails varies, but examples include the following:
Billing for security products such as anti-virus software
- Overdue invoices from fake suppliers
- Domain payment expiry emails warning that if you do not act, your website and emails will not be available
- Fundraisers and charity invoices, often offering an ad placement or article in a charity publication
- Business Email Compromise (BEC) is a highly sophisticated and targeted form of fake invoice scams
How to Avoid Fake Invoice Scams
Invoice scams can be very sophisticated, with fraudsters targeting specific persons, such as those working in accounts payable or CFOs. The emails will look genuine, often including an urgent ‘pay now or suffer the consequences’ type of message.
Use simulated phishing that provides role-based training to target the types of users most at risk of fake invoice scams. Role-based phishing simulators will allow you to tailor your simulated phishing campaigns to reflect real-life challenges that specific departments and personnel face.
Fake Technical Support Emails
Creating a sense of urgency and compliance are two of the manipulative techniques used by scammers to trick employees into clicking malicious links or downloading infected attachments. An example of these behavioural manipulations is seen in phishing emails that pretend to be from technical support.
In the example below, you can see staff being urged to move to a new web portal to access important personal and company information – including their payslips. The email reminds staff that they have only 24 hours to comply.
The email contains a link to a malicious website. If the employee clicks this link and navigates to the website, they will be requested to enter their existing login credentials and personal data. If they do so, these details will be stolen, and the fraudsters will use the login credentials to log in to the actual portal.
How to Avoid Fake Technical Support Emails
All staff are at risk from this type of general speculative phishing email. General Security Awareness Training should be used to educate all employees, across all departments, about how to be secure online.
Education on how cybercriminals manipulate human behaviour is crucial in training employees on the tactics used by fraudsters when creating phishing emails. Effective Security Awareness Training programs will use point-of-need learning that uses opportunities to retrain poor security behaviour.
General Security Awareness Training should be used alongside simulated phishing exercises that specifically tackle this type of phishing threat. That is emails that look like they are from internal departments and that use tactics such as urgency and threats of discipline if not acted upon.
Tax Scams
Tax scams often increase in volume during tax season, but they can happen anytime. Often, these emails will offer a tax refund. However, HMRC states explicitly on its website: “HMRC will never send notifications by email about tax rebates or refunds.”
Tax scam emails are typically realistic looking and often well-composed. The scammers use the HMRC logo and related branding to help make phishing emails look legitimate. There is usually a link to the HMRC Gateway login page. The webpage that the link navigates to is a spoof website that is used to gather data and send it to the fraudsters behind the scam. Sometimes, these websites also contain malware, and anyone navigating that website could end up with an infected device.
How to Avoid Tax Scams
Tax scams can be untargeted, being sent to anyone in an organisation. However, the most effective tax scams will be sent to specific employees in financial departments. Therefore, while it is important to include tax scams in your simulated phishing exercises for everyone, you should also focus on educating anyone in the finance department about them. In the run-up to tax season, double down on your training to ensure that employees, particularly those in the finance department, are ready for the likely onslaught of these phishing emails.
Email Account Problem Phishing Email
Suppose an employee receives an urgent-sounding email informing them that their email account is about to be suspended or that it must be urgently upgraded. In that case, they may feel compelled to click the link to fix the ”issue.” However, this email could be a phishing scam that leads to stolen credentials.
The phishing email example below shows how the Microsoft brand has been used to add weight to the claim that the user’s email account is at risk. The link in the email is malicious and takes them to a website that looks like a Microsoft Office 365 login page.
Microsoft is often in the top five most spoofed brands used in phishing messages. According to Cisco, the top five spoofed brands in Q1 2022 are:
- LinkedIn (relating to 52% of all phishing attacks globally)
- DHL (14%)
- Google (7%)
- Microsoft (6%)
- FedEx (6%)
How to Avoid Microsoft Email Problem Phishing Email
Fraudsters often use Microsoft and other well-known brands to give employees a false sense of security. Brand loyalty and trust are used to ensure that victims engage with the email message and click the malicious link. This is where simulated phishing exercises can train employees to be wary of branded emails that include behaviour manipulation tactics such as urgency.
Google Docs Scam
Businesses regularly use Google docs to capture documents and ideas and collaborate with colleagues. In 2020, Google GSuite had over 6 million businesses subscribed to the service. These many users make Google a desirable proposition for scammers.
A recent novel use of a phishing-based attack that uses GSuite to hook a target shows how innovative hackers can be. In this scam, a fraudster creates a Google Document and then comments within it using the @ notation to target a specific user. This initiates Google to send a notification email to the target’s inbox about the comment. The email from Google is genuine, but it has an embedded comment. This comment typically contains malicious links that, if clicked, will take the employee to a malicious website.
Google has recently updated comments so people can see who has left the comment. However, scammers are constantly updating their tactics, and a new GSuite scam may appear soon.
How To Avoid GSuite Comment (And Similar) Scams
Cleverly disguised phishing emails may piggyback on legitimate emails and similar services, as is the case of the GSuite comment scam. These sophisticated scams make it hard for employees to recognise a scam.
Security Awareness Training should reflect company policies, including using cloud-based document repositories and who can and cannot collaborate on company documentation. When carrying out security training, ensure that you have the most up-to-date scam intelligence and that the content reflects the latest scams.
Use Security Awareness Training and a simulated phishing platform that provides excellent support in building training programs that are role-based and that offer multiple languages and accessibility support.
Also, it is essential to recognise that fraudsters regularly change their tactics to avoid detection. Therefore, it is vital to carry out regular Security Awareness Training throughout the year.
