Most people have heard the term phishing in relation to companies and cybersecurity, especially if you have watched any news channels in the last few years. Phishing, not to be confused with fishing, is where threat actors craft emails pretending to be someone from a reputable company, or a specific individual, in order to extract sensitive information or to get malicious files such as malware installed. Fishing, on the other hand, is a wonderful, relaxing sport where people try to catch fish and other ocean life using a rod and hook, though other methods do exist.
Let's turn our attention to phishing, as this is something every company and individual will experience at some point. It is worth learning to understand and identify these activities, because phishing is something a lot of companies fall prey to: it takes only one misstep from anyone in the company. This, along with compliance requirements, is why many companies enforce some form of yearly phishing training.
The ever-popular, and most widely recognized, phishing email is the Nigerian prince scam. This is where a prince promises to transfer their fortune to you but cannot because of ‘frozen’ bank accounts, so they want you to transfer a small amount (thousands of dollars) to unfreeze their accounts, and in turn they claim they will send you their money. Let’s break this down.
Why would a prince randomly contact you for money to unfreeze a bank account? This isn’t how unfreezing a bank account even works.
Who knows a prince that emails them for this kind of favor? No one I know, that is for sure.
Look at the sentence “I want to transfer all of my fortune outside if Nigeria due to a frozen account…” They misspelled “of” as “if”. This could have been an ordinary typo, but phishing emails are often riddled with misspellings and bad grammar.
Some phishing attempts arrive via text message, which is even harder to detect.
Above is a phishing attempt targeting Universal Music Group employees: an unknown number sends a quick message and a URL. At first glance the URL looks legitimate, until you realize it uses a different extension (top-level domain) than the ones you usually see. Common URL extensions are .com, .net, .io, .org, etc. Regardless, if you do not know the number, do not trust it. Why would a helpdesk contact your personal device if they never have in the past? When in doubt, ask your IT department or cyber team whether they are aware of notifications like this being sent out.
A very interesting new phishing email impersonating Microsoft claims customers could “win a free iPhone”. The email is pretty convincing, but it is always important to look at the email headers, who the sender actually is, and whether links redirect or go somewhere other than where they claim.
This email is beyond convincing, except that the “reply in teams” link uses a URL shortener to hide where it is actually going. As you can see below, this doesn’t look right.
You can read more about this Microsoft phishing email at the following link: https://answers.microsoft.com/en-us/msteams/forum/all/is-this-teams-email-legitimate/ae27bbd0-0b80-4f66-acde-e119d9b785d8
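The three checks described above (the sender's real identity in the headers, a link whose extension is not one you usually see, and a shortener hiding the destination) can be done by hand, but they are also easy to script. The following is an added example written for this post, not code from the original article or from Microsoft. It triages a constructed sample message offline: all addresses and domains in it (`example-brand.test`, `example-corp.test`, `bit.ly` is the only real service named, listed as a known shortener) are placeholders, and the list of common extensions is the one this post gives.

```python
"""Offline triage of a suspicious email: header identities plus link inspection.

Added example for this post (not the author's code). The sample message and
every domain in it are constructed placeholders.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Well-known public URL shorteners: a shortener hides the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# Extensions the post names as the ones people usually see.
COMMON_TLDS = {"com", "net", "io", "org"}


def host_of(url):
    """Lower-case hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Last two labels of a hostname (good enough for .com/.net style TLDs)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def domain_of_address(value):
    """Domain part of an RFC 5322 address header value, or ''."""
    _, addr = parseaddr(str(value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def link_findings(text, href):
    """Reasons a single link deserves a second look (empty list if none)."""
    host = host_of(href)
    reasons = []
    if host in SHORTENERS:
        reasons.append("url shortener hides destination")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld and tld not in COMMON_TLDS:
        reasons.append(f"uncommon top-level domain .{tld}")
    # If the visible link text itself looks like a URL or domain, it must
    # point at the same registered domain as the real href.
    shown = text.strip()
    if "." in shown and " " not in shown:
        shown_host = host_of(shown if "://" in shown else "http://" + shown)
        if shown_host and registered_domain(shown_host) != registered_domain(host):
            reasons.append(f"link text shows {shown_host} but goes to {host}")
    return reasons


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text), self._href))
            self._href = None


def triage(raw_message):
    """Return a list of human-readable findings for one raw email."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = domain_of_address(msg.get("From"))
    return_path_dom = domain_of_address(msg.get("Return-Path"))
    if return_path_dom and return_path_dom != from_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {return_path_dom}")
    auth = str(msg.get("Authentication-Results", "")).lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            findings.append(f"{check} failed per Authentication-Results")
    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body is not None else "")
    for text, href in extractor.links:
        for reason in link_findings(text, href):
            findings.append(f"{href}: {reason}")
    return findings


# Constructed sample: a lure styled like the Teams "prize" email above.
SAMPLE_EMAIL = """\
From: "Microsoft Teams" <noreply@example-brand.test>
Return-Path: <bounce@mailer.example-lure.test>
To: employee@example-corp.test
Subject: You have a new message in Teams
Authentication-Results: mx.example-corp.test; spf=fail; dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Congratulations! Reply to claim your prize.</p>
<a href="https://bit.ly/3xAmpl3">Reply in Teams</a>
<a href="http://helpdesk-login.example.xyz">https://helpdesk.example-corp.test/login</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample it reports the From/Return-Path mismatch, the SPF and DMARC failures, the shortener on the “Reply in Teams” button, and the second link whose visible text names one domain while the href goes to another with an unusual extension. None of this proves an email is phishing on its own, which is why the post's advice to report it and let the IT or cyber team confirm still applies.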
Phishing is something every person needs to be aware of and educated on, as falling for a phishing scam can be devastating for a company of any size. Just remember: be aware, be diligent, and report phishing emails so that we can combat them better.