Phishing is a serious risk in 2019
Phishing attacks are one of the most common security challenges that both individuals and companies face in keeping their information secure. Whether it’s getting access to passwords, credit cards, or other sensitive information, hackers are using email, social media, phone calls, and any form of communication they can to steal valuable data. Businesses, of course, are a particularly worthwhile target.
What is a Phishing Attack
A phishing attack, also known as a phishing scam, is a means by which an individual is “fooled” into providing information, granting access or offering up other personal data. Typically, phishing attacks are not directed at any one person specifically. Usually, the attack takes the form of a widely distributed scam, specifically designed to [falsely] obtain financial data from a large number of individuals. An individual-based attack may look for financial information (such as credit card numbers) from a single user. A phishing attack carried out on a corporation is often intended to find ways of gaining internal access to the office network in order to obtain anything from financial records (such as supplier payment methods) to the personal records of customers.
Phishing Scams and the Targets
In the world of phishing scams, humans are the weakest link. Employees, ranging from entry-level interns to members of the Board of Directors, are typically the gateway through which a phishing scam gains access. It works as a modernized, Internet-based “Trojan Horse” tactic. Typically, a phishing attack falsifies its appearance in the form of an email. The message may look nearly identical to messages sent out by PayPal, Google, Apple, Amazon or other major [trusted] companies, which increases the likelihood of an individual clicking on the provided (falsified) link or sending the requested (privileged and often personal) information to the [fake] sender of the email.
The Best Ways to Protect Against Phishing Scams
To easily eliminate the threat of a phishing attack, a simple solution would be to either completely eliminate human users on computer devices or disable all access to the Internet. As neither of these methods is practical, other guidelines need to be understood to provide a safe and reasonable level of security against such threats.
Some basic security measures to implement to prevent and protect against phishing attacks could include:
- Staying current with system updates
- Setting up email spam filter settings
- Educating employees and users about the types of risks (links and ID requests from sources with false authority)
- Not accepting storage or flash drives from unknown sources
- Learning to recognize risky websites
Try to Stay Current With System Updates
Staying current with operating system updates eliminates a large variety of external threats (particularly for Windows, which is itself often a target). This includes everything from a DDoS to phishing attacks. A responsible person (or your IT support person) needs to ensure all software, hardware and system updates are installed promptly. Failing to do so leaves an entire system exposed (and possibly your whole network, home or office based).
Change the level of protection in the Junk Email Filter
In Outlook for Office 365, Outlook 2019, Outlook 2016, Outlook 2013, and Outlook 2010 you can easily change the level of junk email protection or automatically delete junk email.
By default, the Junk Email Filter protection level in the versions above is set to No Automatic Filtering. You can make the filter more aggressive so that it catches more junk messages. The higher you set the protection level, the greater the risk of some legitimate messages being identified as junk and moved to the Junk E-mail folder.
- Click Home > Delete group > Junk > Junk E-mail Options
- Choose the level of protection you want
- No Automatic Filtering: Although this turns off the automatic Junk Email Filter, messages are still evaluated by using the domain names and email addresses in your Blocked Senders List. Note: If you want to turn off the Junk Email Filter, you must also remove names from the Junk Email Filter lists.
- Low: If you don’t receive many junk messages, or want to filter only the messages that are the most obvious junk, select this option.
- High: If you receive large amounts of junk messages, but do not wish to restrict messages from senders on your safe lists, select this option. In this case it is recommended to check the Junk E-mail folder occasionally to make sure that no valid messages were moved there in error.
- Safe Lists Only: This is the most restrictive option. Any message that isn’t from someone on your Safe Senders List or isn’t to a mailing list on your Safe Recipients List, is classified as junk.
You can tell Outlook to delete all suspected junk messages instead of moving them to the Junk E-mail folder. This takes away your ability to review messages for possible false positives, so consider the risks of using this option.
- In Mail, click Home > Junk > Junk E-mail Options
- On the Options tab, check Permanently delete suspected junk email instead of moving it to the Junk E-mail folder
Educating Employees and Users
An employee (and any home user) needs to know how to distinguish a phishing scam message from an authentic message. As most phishing attacks now come in the form of a replica of a [known and trusted] professional company’s email, it is not always possible to filter spam based on the email title or content alone. Looking at the sending email address is often the best way to identify whether a message came from an authentic company or a scammer.
Learning to recognize risky websites
Be wary of any website that asks you for unnecessary personal information, such as a credit card number or a bank account number, when there is no need for it. This could be evidence of phishing for your sensitive and personal ID. Always be wary of sites with offers that seem too good to be true, have very intrusive ads, have multiple popups, or request you to install a plugin to view content, etc…
If the source of a link seems strange or unusual, such as if it came in an unrecognized email or has a suspicious link inserted, I would recommend that you forward the original email to me or to someone else with IT skills who can offer you further analysis. If you want to forward the suspect email to me here, follow up with a brief phone call or an explanation of why you sent it.
The most common and classic scam involves a criminal impersonating a seemingly reputable company such as Telstra, Apple, PayPal or Microsoft. The sender asks you to verify your login credentials or banking details on a fake website that will look (almost) identical to the real thing. Then, when you do enter your personal information, it is sent directly to the criminals. Not a good idea!
While email is the most popular delivery method, take note that phishing scams can arrive through many other channels, including social media, text (sms) messages, phone calls and more.
Common Indicators of Phishing
- Salutations: Greetings in emails should refer to you by your name. Be very suspicious of any email that fails to address you directly with “Hello Peter,” or the equivalent for you.
- Language: If an email’s wording is vague and non-descriptive, it is likely not legitimate. Most phishing attacks are not targeted at you by your given name. Such [vague and general] emails are sent to thousands of people at one time. And it is because of this global “target” that the language of the email appears loose, so that it can accommodate a broad audience (basically a “shotgun” email to many potential victims).
- Spelling: Many phishing attacks contain typing errors and spelling mistakes. If you notice several misspelled words, that should alert you to the fake nature of the email. Such phishing attacks often originate from bots or from non-native English-speaking criminals who are more concerned with getting as many emails out as possible than with checking their own use of words. Legitimate professionals and businesses take pains to make certain their spelling and grammar are acceptable, and usually impeccable.
- Attachments: Malware is often disguised within attachments to harvest sensitive information from you. For example, if you receive a file ending with “.exe” do not click on it or open it. Commonsense: Do not download anything from an email unless you can determine its source is legitimate. If in doubt, seek help from others!
- Links: URL links in emails are another indicator of a potential phishing attack. Make sure to read through the URL by hovering over it. If you can’t determine if it’s safe, don’t click on it. If you notice weird uses of characters in links like “Amaz0n” instead of “Amazon,” don’t click on the link. Phishing attacks try to manipulate URLs to make them appear legitimate.
- Credentials: If you do get directed to a website through an email and it’s a login page, back out or shut down. This is very important! Phishing attacks are aimed at coercing you into entering your credentials for online banking or social media accounts on fake login pages. Many such attacks will seek personal information such as your credit card numbers, phone numbers, addresses, birth dates, etc. If you get a link to your bank or any other such service, do NOT click on the link. Instead, contact your bank (or service) directly and report the case to them. They will appreciate the call and your need to act wisely.
- Virus Warning (fake): A fraudulent website may also present you with a (false) warning that you have a virus or other threat and that you need to call the phone number shown on the (false) warning web page. In most cases, power off the computer promptly and do NOT call the phone number shown on the screen.
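Two of the indicators above can be checked mechanically: the sending address not matching the brand named in the display name (the advice under Educating Employees and Users), and links whose domain is a look-alike of a well-known brand (the “Amaz0n” case under Links), plus the generic salutation noted under Salutations. The following Python script is an added example for this article, not code from the original page; the brand-to-domain table, the digit-for-letter substitution map, the generic-salutation pattern and the two sample messages are all constructed assumptions for illustration, and the domain extraction is a crude last-two-labels fallback rather than a Public Suffix List lookup.

```python
# Heuristic phishing indicator check for one email message (added example).
# All brand/domain data, the homoglyph map and the samples are constructed.
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed mapping of brand names to the domains they legitimately send from.
KNOWN_BRANDS = {
    "amazon": {"amazon.com", "amazon.com.au"},
    "paypal": {"paypal.com"},
    "apple": {"apple.com"},
    "microsoft": {"microsoft.com"},
}

# Digit-for-letter swaps seen in look-alike domains, e.g. "amaz0n" -> "amazon".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
GENERIC_GREETING_RE = re.compile(r"^(dear|hello|hi)\s+(customer|user|member|valued)", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude fallback: keep the last two labels ('www.amaz0n-verify.com' -> 'amaz0n-verify.com')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_brand(host: str):
    """Return the brand a hostname imitates, or None if it is genuine or names no known brand."""
    domain = registrable_domain(host)
    normalized = domain.translate(HOMOGLYPHS)  # undo the digit substitutions
    for brand, real_domains in KNOWN_BRANDS.items():
        if domain in real_domains:
            return None  # the real thing
        if brand in normalized:
            return brand  # brand name present, but on a domain the brand does not own
    return None


def check_sender(from_header: str):
    """Flag a display name that claims a brand while the address domain belongs to someone else."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, real_domains in KNOWN_BRANDS.items():
        if brand in name.lower() and registrable_domain(domain) not in real_domains:
            return f"display name claims '{brand}' but address domain is '{domain}'"
    return None


def check_links(text: str):
    """Flag every URL in the body whose host imitates a known brand."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            findings.append(f"link host '{host}' imitates '{brand}': {url}")
    return findings


def analyze(raw_message: str) -> dict:
    """Run the sender, link and salutation checks over an RFC 5322 message string."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    sender_finding = check_sender(msg.get("From", ""))
    if sender_finding:
        findings.append(sender_finding)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings.extend(check_links(text))
    first_line = text.strip().splitlines()[0] if text.strip() else ""
    if GENERIC_GREETING_RE.match(first_line):
        findings.append(f"generic salutation: {first_line!r}")
    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: Amazon Customer Service <alerts@secure-mail-update.net>
To: peter@example.com
Subject: Action required: verify your account
Content-Type: text/plain; charset="utf-8"

Dear Customer,
Your account has been locked. Verify your details within 24 hours:
http://www.amaz0n-verify.com/login
"""

SAMPLE_LEGIT = """\
From: Amazon <no-reply@amazon.com>
To: peter@example.com
Subject: Your order has shipped
Content-Type: text/plain; charset="utf-8"

Hello Peter,
Your order has shipped. Track it at https://www.amazon.com/orders
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

Run stand-alone, the script reports three findings for the constructed phishing sample (brand mismatch in the From header, a look-alike link host, and a generic greeting) and none for the legitimate one. The checks are deliberately simple heuristics of the kind a mail gateway or a help-desk triage script would apply as a first pass; a zero finding count is not proof that a message is safe.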
Voice phishing is becoming more advanced
Voice phishing, the practice of (falsely) impersonating a legitimate entity over the phone to extract a person’s sensitive information, is certainly not a new concept, but the practice has become noticeably more sophisticated in recent years. With advances in automation and voice recognition, remote attackers can now use a mix of robots and human callers to more effectively imitate well-known brands and contact targets more efficiently.
Warning: Like email scams, phone phishing scams usually invoke an element of urgency as a pressure technique to get people to let their guard down. If such a call raises a concern that there might be something wrong and you wish to call them back, do NOT call the number they offer you. If you want to reach your bank, call the number on the back of your card. If the call is from another service or company you do business with, find the company’s site and look up their main customer support number.
Unfortunately, this may present a challenge as well. It is not only banks and phone companies that are being impersonated by fraudsters. Reports on social media suggest many consumers are also receiving voice phishing scams that spoof customer support numbers at Apple, Amazon and other well-known technology companies. In many cases today, the scammers are polluting top search engine results with phony 800-numbers for customer support lines that lead directly to fraudsters.
It is interesting to note that every modern browser has solid phishing protection built right into the software. A 2017 NSS Labs report on web browser security shows the following results:
- Microsoft Edge protects against 99 percent of phishing attacks.
- Google Chrome protects against 87 percent of phishing attacks
- Mozilla Firefox protects against 70 percent of phishing attacks
These figures suggest it’s very likely that any dodgy URL you might stumble upon will be automatically blocked by your browser.
Fighting back against phishing
Spam filter for Gmail
Gmail also provides users with the option to report spam as well as phishing emails. The only catch is that you need to report suspicious emails yourself.
Reporting email as junk in Outlook 2016/2013 for Windows and Outlook 2016 for Mac
To report a junk/phishing message in Outlook 2016/2013 for Windows:
- Right-click on the message you want to mark as junk and select Junk:
- Select Block sender:
The message will be moved to your Junk Email folder and future messages from that sender will be delivered to your Junk Email folder.
Reporting email as junk in Outlook 2016 for Mac
- Select Junk from the ribbon, then select either Junk or Block sender:
Microsoft Junk E-mail Reporting Add-in for Microsoft Outlook
Enable Advanced Threat Protection safe links for Office 365
Managing Office 365 spam control is a bit different from managing a typical Office installation—and that includes enabling reliable spam and phishing filtering options.
For a fee, Microsoft offers what it calls Advanced Threat Protection (ATP) as an upgrade to an Office 365 subscription. One of the components of ATP is safe links, a series of filters that are applied to a message before it is sent to the recipient’s inbox and after it is opened.
ATP safe links is essentially a security aware cloud-based version of Outlook’s junk mail filter, and rules can be applied at the individual, group, or organizational level.
When applied, ATP safe links runs incoming emails (when they contain hyperlinks) through IP and envelope filters, signature-based anti-malware scans, and anti-spam filters. If found to be safe, the message is sent on to the recipient.
Office 365 ATP is included in subscriptions, such as Microsoft 365 Enterprise, Microsoft 365 Business, Office 365 Enterprise E5, and Office 365 Education A5. If you have an Office 365 subscription that does not include Office 365 ATP, you can potentially purchase ATP as an add-on. For more information, see Office 365 Advanced Threat Protection plans and pricing and the Office 365 Advanced Threat Protection Service Description.
Office 365 ATP proactively screens for unknown and evolving threats in real time by “detonating” potential carriers (email attachments, embedded URLs, files linked to malicious websites, etc.) in a secure, sandbox environment, before they can penetrate organisational boundaries. This allows new and hidden threats to be neutralised and blacklisted before they affect a single user – a great example of effective zero-day protection.
The Microsoft Office 365 & ATP Advantage
From a functionality perspective, the combination of EOP and ATP easily rivals the best third-party email hygiene solutions, but the real advantage of Microsoft’s threat protection lies in the nature of Microsoft itself.
Microsoft is actively monitoring cyber threats across its entire global ecosystem 24 hours a day, 7 days a week. The result is an unrivalled, and dynamically adaptive, database of known threats against which Microsoft 365 users are defended. This is difficult for other third-party solution providers, with a dramatically smaller footprint and less real-time alerting, to match.