A woman logging in with two factor authentication

 

When you think of phishing attacks, you probably think of email phishing. While email phishing isn't the only kind of phishing, it is so ubiquitous that it accounts for more than half of business infections, and it's becoming more sophisticated.

Below, you can find an phishing email supposedly sent from within our organization, I-M Technology, to our president and CEO, Stuart Bryan. The body of the email requests the recipient add specific documents to a Sharepoint folder. One of the key selling points of this phishing attempt is the spoofed email address domain, giving it an air of legitimacy. Outlook even pulled in Stuart's profile photo.

In the past, we've shared a video showing, in real time, how hackers can breach your business systems, including sending an email from what looks like whatever domain the hackers wants. It's frightening because a fraudulent or suspicious looking email address is one of the easiest ways to weed out a phishing attempt.

What really helps the recipient of the email from clicking is that it looks inconsistent and messy. Misspellings, grammatical errors, janky layouts and other oddities are often another very good clue the email is not legitimate because, thankfully for us, hackers and scammers still manage to mess this part up.  If it doesn't pass the smell test, don't click anything.

 

An example of a phishing email attempt

 

Another key factor to watch out for is the banner at the bottom of the email, which explicitly says the email came from outside the organization. Despite spoofing what appears to be an email from the domain i-mtechnology.com, Outlook knows it didn't actually come from i-mtechnology.com. Keep a look out for warnings like these; they also sometimes appear at the beginning of an email as well.

When in doubt, hover your cursor over any links in the email without clicking. A tooltip will appear showing you the actual destination address of the link. In this case, it's not Sharepoint at all; it's a Google cloud directory. This email is clearly not what it says it is.

If you find yourself scrutinizing a suspect email and truly unsure, contact the sender through some other means. Hackers sometimes get into your systems and monitor email traffic. At best, you'll tip them off that you know something is amiss. At worst, they can intercept the email. Try calling the sender, or using a separate messaging application, like Slack, instead.

All in all, this phishing attempt shows just how sophisticated hackers have become, but still comes up short under scrutiny. Heaven help us if the average criminal can format a convincing layout, but until then, slow down before you click, check for read flags, and if necessary, verify with the sender. It goes a long way to protecting your workplace.

 

For more strategies: Beware the Phishermen

Additional email protection: Two Factor Authentication Protects Your Business Logins