In 2017, the National Health Service, the UK's largest public health service, came to a screeching halt. The country's official report suggested that at least 80 healthcare facilities and 603 primary care organizations had to shut down or limit their services. The culprit? Email scams and phishing.
Although no study reported related mortalities, the event resulted in massive economic losses of nearly £6 million in only a few weeks. Over 65% of it was due to lost inpatient admissions.
If that wasn’t enough, the problem spread to around 150 countries.
The reason: a ransomware attack called WannaCry.
This article tells the story of the NHS and of the growing number of organizations and individuals that have been hit by, or are susceptible to, one of the worsening problems in cybercrime and data breaches. In particular, it highlights email scams and phishing:
- What is it?
- Why are phishing emails getting harder to detect?
- What is their impact on businesses and online users?
- What can you do to prevent phishing?
What Is Phishing?
Phishing is a form of cyberattack that uses social engineering to trick users into handing over their personal information. The attacker usually masquerades as a legitimate entity, such as a bank or other business, and attempts to lure the user into providing sensitive information like passwords, credit card numbers, or other financial information.
Email scams and phishing come in different forms and styles:
1. Bank Email Phishing
The most common type of phishing or email scam involves banks. The story is simple.
- The criminals send you an email supposedly coming from your bank.
- The email can be about many things, such as a compromised account, promos, or special offers.
- The email will include a link where you are asked to log in to your account or enter your username and password.
The catch? The landing page (the website that opens after clicking the link) is fake. The moment you enter your login details, you have handed them to the scammers. They now have free rein over your banking accounts.
Here’s an example:
Your bank account is at risk. Please click the link below to ensure your account security and prevent any unauthorized access.
2. Malware Phishing Scams
Some email scams and phishing are more complicated, including malware that can infect a device or computer.
Malware emails are usually disguised as important notifications from companies. The message might include a link to download an attachment. This would allow hackers to infiltrate computers, steal data, and access confidential information.
The WannaCry ransomware attack that hit NHS in 2017 was a perfect example. It targeted not the health trust but the software it used.
To gain access, the malware exploited a vulnerability in Windows XP, the operating system (OS) the health service was using at the time. Microsoft had stopped supporting XP in 2014, so the OS had not received security patches or updates for three years before the attack.
3. Spear Phishing Emails
Spear phishing emails are more targeted than regular ones, as scammers tailor their messages to specific individuals or organizations. The attackers aim to increase the chance of success by researching victims and gathering personal information.
Having done their research, the criminals create convincing emails that seem to be from legitimate sources. They also include malicious links or attachments as bait to lure unsuspecting users into clicking, enabling them to gain access to their computers.
These attacks are particularly dangerous because they appear to come from someone the target knows or trusts. That also makes the scam much harder to detect, as such messages often slip past basic security controls.
Here’s one example:
We understand that you have been having trouble with your account. We suggest you review the attachment for further information about our security protocols and enhancements to help better protect your account from intruders.
4. Clone Phishing
This is one of the newer phishing techniques you may encounter, and it usually involves two nearly identical emails sent one after the other.
- For example, the first email may discuss a security breach in your account. It may ask you to click a link to change your password.
- A few minutes later, you may receive another email from the same attacker. This time, it may say that the first email contained the wrong link.
Why is this dangerous? The follow-up makes both messages look and sound legitimate.
Why Are Email Scams and Phishing Getting Harder to Detect?
The saying “If it is too good to be true, it probably is” used to work well with phishing. Not anymore.
It is getting harder to detect phishing emails as scammers are becoming more sophisticated:
- To make email scams look legitimate, they now use official-looking logos, personalize their messages, and design fake websites that resemble real ones. The differences are so subtle that you would need to know your bank's real site by heart to spot them.
- New techniques can already bypass email filters. One example is image phishing, which uses legitimate-looking screenshots. Not all email systems can "read" the text inside these images.
- Scammers also take advantage of current events and trends to increase their chance of success. They will often send emails related to COVID-19, for instance, in an attempt to get victims to click on malicious links or attachments.
- Many cybercriminals operate in large groups or syndicates. They have more resources and access to new tools than ever. This means they can launch bigger, more targeted attacks in a much shorter period.
Common Indicators of a Phishing Attack
With more complex and realistic email scams and phishing, does it mean we are hopeless?
The answer is no.
Fortunately, many still exhibit the following common signs of email phishing:
- Unsolicited messages, especially those related to current events
- Suspicious or unfamiliar sender address
- Poor grammar and spelling mistakes
- Incorrect company name in the email address
- Unusual requests for sensitive information or payment
- URLs that look odd or do not point to the legitimate site
- Attachments you weren’t expecting
What to Do if You Suspect a Phishing Attack
You can also take several proactive steps to limit your exposure to the latest phishing emails. Here are seven of them:
1. Educate Yourself
Education is one of your most potent weapons against phishing. It helps you stay ahead of the attackers by making you more aware of their tactics.
You can learn more about email phishing with these tips:
- Keep up with the latest news. Stay up-to-date on the latest scams and phishing attempts by reading articles from reputable sources, including news sites. Subscribe to your bank’s official newsletters.
- Encourage training in your organization. 82% of security breaches involve the human element. Ensure your employees and colleagues are updated on the latest phishing threats.
2. Invest in Cybersecurity Solutions
There is no better time to increase spending on an online risk management plan than today. This is especially true for small businesses, which are more likely to shut down in less than a year after a cyber attack.
How much do you need to spend on cybersecurity? Most allocate 10% of their budget, but you can always begin at 5% and increase it over time.
Besides the budget, consider where to put your money. Options include:
- Firewall/network security. It helps protect your network from unauthorized access and malicious traffic.
- Security software. This includes antivirus solutions, anti-spam tools, and web monitoring services.
- Data encryption and backup. Invest in encryption software and backup solutions that can protect your data, even if a hacker succeeds.
3. Vet Your Vendors
Your suppliers and partners can also be a potential source of attack. Vet each before establishing business ties to ensure they have the same security standards as you.
Ask the following questions:
- What security measures do they have in place?
- Do they have verifiable customer reviews?
- Are they compliant with industry and government cybersecurity regulations?
- Do they have a data breach response plan?
- How much are they spending on cybersecurity?
- How often do they update their software?
4. Set and Enforce Access and Authentication Policies
All it takes is one person to click on a malicious link to spread malware across the network. Establishing and enforcing access policies can help prevent such an attack.
- Spell out the policies. This includes the number of passwords an employee needs, password complexity and length, policy on external devices, etc. Put all of these in writing, include them in the onboarding process, and update them regularly to ensure that they remain compliant with the industry standards and changes in cybersecurity schemes.
- Implement zero trust. Zero trust is a security model that does away with the idea of trusted insiders and instead assumes that all users are potential threats. It helps to combat insider threats and effectively deals with endpoint security being no longer reliable.
- Create a BYOD policy. Develop a policy on bring-your-own-device (BYOD) and enforce it. This helps to set ground rules for using personal devices in the workplace and provides guidelines on how they can be securely used.
- Use two-factor authentication. Two-factor authentication requires users to enter a one-time code (sent either to their mobile device or email account) besides their password when logging into an account.
- Always update the software and passwords. Ensure your team updates all their platforms, especially browsers and email clients, as soon as new updates become available. Change passwords at least once every three months and immediately if you suspect a security breach.
5. Bridge the Gap between IT and OT Security
Industrial control systems (ICS) and operational technology (OT) are vulnerable to cyberattacks. Bridging the gap between them is essential for ensuring that these systems can respond quickly to threats and remain secure.
- Put in place a risk-based approach. This helps you identify, assess, prioritize, mitigate, and monitor the risks associated with ICS and OT.
- Train personnel on IT/OT security. Your staff should understand the difference between IT and OT security, and why it is important to secure both of them. They should know how to handle cyber incidents, respond appropriately, and implement preventive measures.
- Implement patching and updates. Patching and updating your systems are essential to fix security bugs. It protects against known threats, as well as newly discovered vulnerabilities.
- Transition from legacy systems. Legacy platforms are those that are no longer supported and are therefore more vulnerable to attack. When possible, use the latest software or technology.
6. Be Doubtful
The simplest solution to email phishing and scams is to assume that everything you receive could be fake. With this mindset, you can then investigate each in the following ways:
- Do they have the common indicators we mentioned above?
- What does the email address look like? Pay close attention since the spelling difference could only be a letter. Take note that some characters, like the letter l and the number 1, can look eerily similar. For example, PayPal.com is different from PayPa1.com.
- Are you expecting the email? If not, send a separate email to the sender. Call their hotline number if it is supposed to come from the bank or another institution asking for your personal details or money.
- Is the language in the email professional, or does it contain typos and mistakes?
- Does the link direct you to a legitimate website? Check if there are any discrepancies with its URL.
- Are there similar situations online? Fraudsters often use the same tricks and strategies to deceive people. Look up other users’ reviews to ensure it is not a scam.
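The checks above (lookalike sender domains such as PayPa1.com, links that do not match the claimed sender, and pressure wording like the bank-scam template quoted earlier) can be turned into a small triage script. The following is an added example written for this article, not code from the original page or from any vendor it mentions. It assumes a short, constructed list of brand domains the reader legitimately receives mail from (`KNOWN_BRAND_DOMAINS`), a constructed homoglyph table, and two constructed sample messages; it generalizes the article's single l/1 example to a few other common character swaps (0/o, rn/m, vv/w).

```python
import re
from urllib.parse import urlparse

# Domains this organisation legitimately receives mail from (constructed for the example).
KNOWN_BRAND_DOMAINS = {"paypal.com", "examplebank.com"}

# Character substitutions that produce look-alike domains; the l/1 swap is the one
# the article cites (PayPal.com vs PayPa1.com). Multi-character pairs are applied first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

# Pressure language typical of the bank-scam template quoted in the article.
URGENCY_PHRASES = ("at risk", "unauthorized access", "verify your account",
                   "click the link below", "will be suspended")

URL_RE = re.compile(r'https?://[^\s<>"]+')


def normalize_domain(domain: str) -> str:
    """Map common look-alike characters back to the letters they imitate."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def registered_domain(host: str) -> str:
    """Reduce a host name to its last two labels (adequate for .com-style TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(domain: str):
    """Return the brand domain this one imitates, or None if it is genuine or unrelated."""
    if domain in KNOWN_BRAND_DOMAINS:
        return None
    norm = normalize_domain(domain)
    return norm if norm in KNOWN_BRAND_DOMAINS else None


def check_email(msg: dict) -> list:
    """Return the phishing indicators found in a message.

    msg has keys: display_name, sender (address), body (plain text).
    An empty list means none of the checks fired.
    """
    findings = []
    sender_domain = registered_domain(msg["sender"].rsplit("@", 1)[-1])

    # 1. Sender domain that differs from a known brand only by look-alike characters.
    brand = lookalike_of(sender_domain)
    if brand:
        findings.append(f"lookalike sender domain {sender_domain} imitates {brand}")

    # 2. Display name claims a brand that the sender domain does not belong to.
    name = msg["display_name"].lower()
    for known in KNOWN_BRAND_DOMAINS:
        brand_word = known.split(".")[0]
        if brand_word in name and sender_domain != known:
            findings.append(f"display name mentions {brand_word} but sender domain is {sender_domain}")

    # 3. Links whose domain is a look-alike, or which do not match the sender's domain.
    for url in URL_RE.findall(msg["body"]):
        link_domain = registered_domain(urlparse(url).hostname or "")
        brand = lookalike_of(link_domain)
        if brand:
            findings.append(f"lookalike link domain {link_domain} imitates {brand}")
        if link_domain != sender_domain:
            findings.append(f"link points to {link_domain}, sender is {sender_domain}")

    # 4. Urgency and pressure wording.
    body = msg["body"].lower()
    for phrase in URGENCY_PHRASES:
        if phrase in body:
            findings.append(f"urgency phrase: '{phrase}'")
    return findings


# Constructed sample messages (not real mail). The first reuses the article's bank-scam text.
SUSPICIOUS = {
    "display_name": "PayPal Security",
    "sender": "alerts@paypa1.com",
    "body": ("Your bank account is at risk. Please click the link below to ensure your "
             "account security and prevent any unauthorized access.\n"
             "https://paypa1.com/secure/login"),
}
LEGITIMATE = {
    "display_name": "PayPal",
    "sender": "service@paypal.com",
    "body": "Your monthly statement is ready. https://www.paypal.com/myaccount/statements",
}

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, check_email(msg) or ["no indicators"])
```

The script is a first pass, not a verdict: it flags the message from `paypa1.com` on three separate grounds (lookalike sender, brand name in the display name, lookalike link) plus the urgency wording, while the genuine `paypal.com` message produces no findings. In practice you would feed it the parsed `From:` header and body from your mail client or gateway and add the reviewer's own brand list.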
How to Report Phishing
It benefits everyone if you report a phishing email, whether you merely suspect it or have already fallen victim to the attack.
Here are your options:
- Forward the email to firstname.lastname@example.org. This is the email address of the Anti-Phishing Working Group, an organization composed of financial institutions, law enforcement agencies, Internet service providers (ISPs), and security vendors.
- Tell your cybersecurity team. Most organizations have a dedicated team responsible for responding to and managing cyber threats.
- Inform the legitimate sender. It is also essential to let the person or website being impersonated know that there was a phishing attack. They can then warn other customers and do what is needed to strengthen their security measures.
Email scams and phishing are a sophisticated type of cybercrime that can have serious consequences. It pays to be vigilant and take the necessary steps to protect your organization from these attacks.
This guide covers the basics of email phishing, including what it is, common tactics used by cybercriminals, and how to protect yourself and your organization from these attacks. We hope it provides a helpful foundation for you to start building upon.