As the coronavirus pandemic continues to spread, cyber criminals are exploiting the crisis to target victims through phishing email scams. Here’s the best practice advice you need to follow to protect yourself and your organisation from the threat of phishing emails.
Cyber criminals have always capitalised on their victims’ uncertainty, fear and misplaced trust. But if you ever needed evidence of how unscrupulous cyber criminals really are, it’s this: coronavirus, a global pandemic that has a current death toll of over 3,000 people, is being exploited by cyber criminals in phishing email scams that target victims seeking guidance on how to protect themselves and others from the disease. But what are phishing emails, and how can you protect yourself and your organisation from the threat they pose? In this blog we’ll provide the best practice advice you need.
What Is a Phishing Email?
Phishing emails are sent by cyber criminals. They are designed to closely resemble legitimate emails, and their ultimate aim is to steal confidential information or deliver malware packages under the guise of being from a trustworthy entity.
Phishing emails mask themselves as messages from organisations such as banks, online stores or other authoritative bodies, and try to convince you – through various means of persuasion – to reveal confidential information or download malware.
So how are cyber criminals exploiting the coronavirus pandemic? As we said at the beginning of this blog, it all ultimately goes back to uncertainty, fear and misplaced trust. We’re all searching for information about coronavirus, and so it stands to reason that if you receive an email that claims to be from the NHS offering guidance you’ll be more likely to click on a link or open an attachment that promises to alleviate some of your uncertainty and fear. If the email really is from the NHS, then great! But if it’s a phishing email sent by a cyber criminal posing as an NHS representative? That’s where the misplaced trust comes in.
How to Spot a Phishing Email
Spotting phishing emails is not easy, and deciding what is and what is not potentially dangerous usually comes down to judgement: how important the message appears to be, weighed against what it is asking you to do. Here are some questions you should ask yourself each time an email arrives in your inbox.
Are you expecting it?
This is more than likely the hardest thing to judge. Information comes from many sources, and in some instances emergency information may come from a stranger at an unexpected time. However, if there is any doubt don’t open any attachments or click any links but instead continue to analyse.
Where has the email been sent from?
Providers such as Yahoo, Google and Microsoft offer free, more-or-less anonymous email accounts. Remember that information from Government offices or banking institutions is not going to come from a free service: HMRC, for example, will not send information from a free webmail address. Check the actual address, not just the display name, because the name shown beside a message can be set to anything. You should also look out for domains that resemble those of legitimate organisations – a malicious actor might, for example, register hbsc.com and hope recipients confuse it with hsbc.com.
Personal emails will usually give a clue to who they are from within the email address itself, and hopefully the message content will confirm that the address is genuine. An address that gives no indication of a real person is an unlikely source for a CV sent to a respected financial institution, and if there is any doubt the email should provide a contact number that can be used to verify what is being sent.
Sometimes there is a requirement to solicit emails from unknown sources. In such cases a simple security measure would be to state that the subject line should contain a reference number or other identifying detail, making it less likely for random phishing attacks to make it past your analysis.
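The three sender checks above (free webmail provider, lookalike domain, display name that does not match the address) can be automated for triage. The following is an added example, not code from the original article; the provider list, the list of expected domains and the sample From: headers are constructed for illustration.

```python
"""Triage the From: address of an email: free webmail, lookalike domain and
display-name spoofing.

Added example, not code from the original article. The provider list, the
expected-domain list and the sample headers are constructed for illustration.
"""
from email.utils import parseaddr

# Free, more-or-less anonymous providers: a bank or government office does
# not send official correspondence from here (assumption: illustrative list).
FREE_WEBMAIL = {"gmail.com", "googlemail.com", "yahoo.com", "yahoo.co.uk",
                "outlook.com", "hotmail.com", "hotmail.co.uk", "live.com"}

# Organisations this recipient expects to hear from, and their real domains
# (constructed; a list so that findings come out in a stable order).
KNOWN_DOMAINS = ["hsbc.com", "hmrc.gov.uk", "nhs.uk"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; hbsc.com is 2 edits from hsbc.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_parts(from_header: str):
    """Split 'HMRC <x@y>' into ('HMRC', 'y'); the domain is what matters."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, domain


def triage_sender(from_header: str) -> list:
    name, domain = sender_parts(from_header)
    if not domain:
        return ["no parseable address"]
    if domain in KNOWN_DOMAINS:
        return []       # exact match on a domain we expect
    findings = []
    if domain in FREE_WEBMAIL:
        findings.append(f"free webmail provider: {domain}")
    for known in KNOWN_DOMAINS:
        # One or two edits away from a real domain is a lookalike.
        if levenshtein(domain, known) <= 2:
            findings.append(f"lookalike of {known}: {domain}")
    for known in KNOWN_DOMAINS:
        # The display name is what most mail clients show prominently; if it
        # names an organisation whose address is elsewhere, that is spoofing.
        org = known.split(".")[0]
        if org in name.lower():
            findings.append(f"display name says {org!r} but address is at {domain}")
    return findings


if __name__ == "__main__":
    for header in ("HMRC <hmrc.refunds@gmail.com>",
                   "HSBC Online <security@hbsc.com>",
                   "<alerts@hsbc.com>"):
        print(header, "->", triage_sender(header) or ["nothing flagged"])
```

The edit-distance threshold of two catches transpositions (hbsc/hsbc) and single-character swaps, which is where most lookalike registrations sit; anything with a longer distance should be judged on context, as the article advises.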
Should I really open this attachment?
Here we are dealing with the problem itself: you have looked at all the textual information contained within the email body and have decided that the information within the attachment warrants investigation. If the icon next to the attachment is one you recognise as a document or a picture, should you click it?
Document types such as .pdf, .xls and .doc should be easy to identify, but it is easy to play tricks with these files: an icon can be changed to look like a document, and a file whose real extension is .exe can be named so that only ‘.pdf’ is visible on a system that hides known file extensions. Vigilance is the watchword: keep in mind the context of the email text and the expectation you have for these messages before opening them.
There is one more thing that you can do, and that is to look at the file size. A Microsoft Word document should be at least 10 KB, and a Microsoft Excel document at least 8 KB. This is for a blank document; a document containing information should be bigger, with a PDF bigger still. Anything smaller than this should not be opened, and further technical advice sought. Size is a useful extra check, not a guarantee: a malicious document can be any size.
Upon opening an email attachment like a Word or Excel document you may be prompted to enable macros (Word and Excel show a security bar with an ‘Enable Content’ button). If this happens your first action should be to decline, unless you are expecting the document to contain a macro. A macro is code that runs on your PC, and it is a common way for a document attachment to lead to a malware infection.
If the file is a .zip (or .rar, .7z) archive for something that could have been sent as a document or a picture, don’t click on it: obtain technical assistance instead. There are valid reasons for sending archives, but they are also used to get executables and scripts past email filters, so if an archive is out of context for your expectations it is better left unopened, as running the file inside it can result in malware being installed on your PC.
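The attachment checks above (claimed type versus real content, double extensions, implausibly small Office files, macros, executables inside archives) can be scripted so that a help desk or mail gateway applies them consistently. The following is an added example, not code from the original article; the sample attachments are constructed in memory, and the size thresholds are the ones given above.

```python
"""Triage an email attachment by what it is, not by what its name claims.

Added example, not code from the original article. The sample attachments
are constructed in memory; the minimum sizes are the ones given above
(10 KB for a blank Word file, 8 KB for a blank Excel file).
"""
import io
import zipfile

# Leading bytes that identify the real container format.
MAGIC = {
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy .doc / .xls
    b"PK\x03\x04": "zip",                           # .docx/.xlsx/.zip are all zip
    b"MZ": "exe",                                   # Windows executable
}
# What the extension says the container should be.
EXT_TO_TYPE = {"pdf": "pdf", "doc": "ole2", "xls": "ole2",
               "docx": "zip", "docm": "zip", "xlsx": "zip", "xlsm": "zip", "zip": "zip"}
DECOY_EXT = set(EXT_TO_TYPE) | {"jpg", "jpeg", "png", "txt"}
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "wsf",
                  "ps1", "hta", "lnk", "jar"}
MIN_SIZE = {"doc": 10 * 1024, "docx": 10 * 1024, "xls": 8 * 1024, "xlsx": 8 * 1024}


def sniff(data: bytes) -> str:
    """Identify the container from its first bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> list:
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # "invoice.pdf.exe" displays as "invoice.pdf" when Windows hides known
    # extensions, and the icon can be set to look like a PDF.
    if ext in EXECUTABLE_EXT and len(parts) > 2 and parts[-2] in DECOY_EXT:
        findings.append(f"double extension hides an executable: {filename}")
    elif ext in EXECUTABLE_EXT:
        findings.append(f"executable attachment: {filename}")

    kind = sniff(data)
    expected = EXT_TO_TYPE.get(ext)
    if expected and kind != expected:
        findings.append(f"content is {kind} but extension says .{ext}")

    if ext in MIN_SIZE and len(data) < MIN_SIZE[ext]:
        findings.append(f"{len(data)} bytes is smaller than a blank .{ext}")

    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return findings + ["zip signature but the archive does not parse"]
        # Office files keep VBA in vbaProject.bin; its presence is what
        # produces the "enable macros" prompt.
        if any(n.endswith("vbaProject.bin") for n in names):
            findings.append("document contains VBA macros")
        inner = [n for n in names if n.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXT]
        if inner:
            findings.append(f"archive contains executables: {inner}")
    return findings


def make_zip(members: dict) -> bytes:
    """Build a zip in memory (used only to construct the samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real attachments.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n" + b"x" * 4000,
    "invoice.pdf.exe": b"MZ" + b"\x00" * 600,
    "Guidance.docm": make_zip({"[Content_Types].xml": "<Types/>",
                               "word/document.xml": "<w:document/>",
                               "word/vbaProject.bin": b"\x00" * 64}),
    "statement.xls": b"%PDF-1.4\n" + b"\x00" * 100,
    "photos.zip": make_zip({"photo1.jpg.scr": b"MZ" + b"\x00" * 32}),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, triage_attachment(name, data) or ["nothing flagged"])
```

The magic-byte check is what defeats renamed files: a PDF named statement.xls is flagged because its content does not match its extension, regardless of what icon the mail client draws for it. Note that modern Office formats (.docx, .xlsm) are zip containers, so the same branch that lists executables inside a .zip also finds the macro project inside a document.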
Is it safe to follow this web link?
Often a link is sent via email with the intention of taking the user onto the internet to view content that is too large for an email, or to view information which is interactive and not suitable for email. The problem is that a link can also take a user to a malicious site that serves up malware or harvests credentials. Again, it is difficult to say ‘don’t click the link’, but that should be the first thought: context and expectation should be your primary guides for any link.
Another technique is to hover over the link in question and examine the address it actually points to, which may differ from the text shown. Read that address from the right-hand end: the part immediately before the first slash is the site you will land on, so a long address that begins with a familiar name can still belong to somebody else. If it is logical by context that the link is safe to click and you are expecting to be taken to view some reference material, then it is probably prudent to click the link. If an email simply says ‘check this out’ and provides a link to a nonsensical web address ending in .ru, deleting the email and notifying the admin team so they can block the sender on the Exchange server is likely the best course of action.
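What the hover check does by eye can be done over every link in a message body: compare the visible text with the real destination, read the owning domain from the right, and flag anything outside the domains you expect. The following is an added example, not code from the original article; the sample HTML, the expected-domain list and the short public-suffix list are constructed for illustration.

```python
"""Check the links in an HTML email body.

Added example, not code from the original article. The sample HTML, the
expected-domain list and the public-suffix shortlist are constructed for
illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Suffixes under which the registrable domain is three labels long, so that
# "online.hsbc.co.uk" is read as hsbc.co.uk (assumption: a shortlist, not
# the full public suffix list).
TWO_LABEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk", "com.au", "co.jp"}

# Domains this recipient genuinely expects links to (constructed).
EXPECTED_DOMAINS = {"nhs.uk", "hsbc.com", "hmrc.gov.uk"}


def registrable_domain(host: str) -> str:
    """Read the owner of a host name from the right:
    'hsbc.com.secure-login.example' belongs to secure-login.example,
    not to hsbc.com."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():      # bare IPv4 literal
        return host
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_in_text(text: str):
    """If the visible link text looks like a URL or host name, return its host."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str, expected_domains=EXPECTED_DOMAINS) -> list:
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https") or not url.hostname:
            findings.append(f"non-web or malformed link: {href!r}")
            continue
        if url.username:
            # "http://hsbc.com@203.0.113.9/": the part before '@' is a login
            # name, not the host; urlparse already reports the real host.
            findings.append(f"'{url.username}@' prefix disguises real host {url.hostname}")
        real = registrable_domain(url.hostname)
        shown = host_in_text(text)
        if shown and registrable_domain(shown) != real:
            findings.append(f"text shows {shown} but link goes to {url.hostname}")
        elif real not in expected_domains:
            findings.append(f"link to unexpected domain {real} ({url.hostname})")
    return findings


# Constructed message body; the hosts use reserved example/TEST-NET names.
SAMPLE_HTML = """<p>Your account will be suspended unless you verify it:
<a href="https://hsbc.com.secure-login.example/verify">www.hsbc.com</a></p>
<p>Read the guidance at
<a href="https://www.nhs.uk/conditions/coronavirus-covid-19/">www.nhs.uk/conditions</a></p>
<p><a href="http://hsbc.com@203.0.113.9/login">Log in</a></p>
<p><a href="https://cdn.update-now.example/check">check this out</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML):
        print(finding)
```

The first sample link is the case the hover check is meant to catch: the text says www.hsbc.com, the destination starts with hsbc.com, and it still belongs to secure-login.example. The NHS link passes because the text and the destination resolve to the same owning domain and that domain is on the expected list.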
Staying Safe from Phishing Emails
Phishing emails rely on your comfort and lack of suspicion, and there really is no better way to protect yourself than by remaining diligent. Following these five steps will help you stay safe:
- Keep your email security up-to-date
An effective email security service should protect you from most – but not all – phishing emails. Make sure that your email security is up-to-date and licensed; some security software will continue to run after its licence expires, but will no longer download the latest security definitions. Given the constantly developing threats that are out in the wild, it’s important that you remain protected at all times.
- Never provide confidential information
As a rule, legitimate organisations will never contact you and ask you to provide passwords, account information or other personal details. If you receive any email that asks you to provide confidential information, treat it with extreme suspicion.
- Don’t be pressured
A common tactic of phishing emails is to announce that your account is going to be suspended unless you click on a link and provide confidential information. Again, you should be suspicious of any email that you feel is trying to pressure you into providing any type of information. Links within such emails often direct you to a cloned site that is designed to look like the real one, but is actually a phishing website built to steal your data.
- Look at tone of voice
Copious research can go into a phishing email, but how well does the cyber criminal know the tone of voice of the person or organisation they’re trying to mimic? Probably not as well as you do. If the tone of voice of the sender just doesn’t sound right, this should arouse suspicion.
- Follow email security best practices
Following standard email security best practices will go a long way to protecting you from phishing attacks. Unless you’re confident of who an email is from (and with phishing emails you’ll have to pay special attention to the sender’s address, which may only be a character or two out from a genuine address), never open attachments, click on links or fill in embedded forms. Use common sense. If something makes you think twice, don’t risk it.
Protect Yourself and Your Organisation
By remaining diligent, you should be able to stay safe from phishing emails. As with all email security, proper protection relies on the system and the user – even the most advanced email security products let some things through the net. Being smart and adopting a safety-first approach to email use will go a long way in protecting you and your organisation.