This article was originally published in 2019 and has been updated with new content.
Not long ago, phishing was primarily aimed at the consumer market, and malware was considered the biggest threat to businesses. Today, phishing is the top social attack on businesses, responsible for more than 75 percent of security breaches. Because no cybersecurity solution can block 100 percent of attacks, your employees need phishing awareness training to understand what to look for to protect themselves from phishing attacks.
Although there are dozens of phishing techniques hackers can use to trick your employees, there are a handful of methods they rely on most. Below are just eight things your employees should understand:
1. Phishing is a crime
Phishing is a type of fraud in which a hacker attempts to gather personal information or credentials by impersonating a legitimate brand and sending users to a malicious website. A common example of this is the Microsoft 365 phishing attack:
A hacker sends an email that appears to come from Microsoft asking the user to log in to their Microsoft 365 account. When the user clicks on the link in the email, it takes them to a fake Microsoft 365 login page, where their credentials are harvested. With Microsoft branding and logos both in the email and on the phishing page, an untrained user will not recognize the email as a phishing attempt.
2. Email addresses can be spoofed
Never trust an email based simply on the purported sender. Cybercriminals have many methods to disguise emails. They understand how to trick their victims into thinking a sender is legitimate, when the email is really coming from a malicious source.
The most common types of email spoofing are display name spoofing and cousin domains. With display name spoofing, the phisher uses a legitimate company name as the email sender, such as firstname.lastname@example.org, but the email underneath is a random address like email@example.com.
Display name spoofing is most effective when a user views the email on a mobile device, because the sender’s email address is hidden. Phishers are counting on the fact that most mobile users will not expand the sender’s name to view the email address.
A cousin domain looks identical to a legitimate email address, but it has been slightly altered. For example, to spoof an Apple.com email, the hacker might use Apple.co. In other cases, hackers will use extensions to trick users. Some examples include apple-support.org, apple-logins.net, and apple-securities.com. We’re also seeing an increase in lengthy, confusing subdomains, such as firstname.lastname@example.org.
3. Subject lines and text are often threatening or enticing
Cybercriminals may promise “free iPhones to the first 100 respondents” or threaten that “your credit card will be suspended without immediate action.” Evoking a sense of panic, urgency, or curiosity is a commonly used tactic. Users are typically quick to respond emails that indicate potential financial loss or that could result in personal or financial gain.
Emails that have an aggressive tone or claim that immediate action must be taken to avoid repercussions should be considered a potential scam. This technique is often used to scare people into giving up confidential information.
Two examples of this are phishing emails telling users their critical accounts are locked or that an invoice must be paid to avoid services being suspended. Showing samples of these types of emails during phishing awareness training will help users understand the psychological tricks used in attacks.
4. Attacks are becoming more targeted and personal
Many phishing attacks of the past were sent in bulk to a large group of users at once, resulting in impersonal greetings. The emails would often address a user with a generic term like “customer,” “employee,” or “patient.” Your employees should be cautious of these terms, because professional organizations commonly address users by their first name in email, but a personalized email is not a sure sign of a legitimate email.
Today’s phishers are launching targeted attacks that include the victim’s name in the subject line. With the help of automation, hackers can pre-fill the victim’s email address on the phishing webpage and even load the company's logo onto Microsoft 365 pages.
5. Phishing emails are getting more sophisticated
Employees need to read their emails carefully, not just skim them. Many phishing and spear phishing attacks are launched from other countries. As a result, many phishing awareness training sessions instruct users to look out for glaring grammar and stylistic issues.
Hackers today are more sophisticated. They have the resources to compose clean emails in their target language, they have networks of hackers to help with attacks, and they make fewer mistakes. Employees should read emails carefully for both glaring and subtle grammatical issues that might indicate that the sender is not reputable.
[Related Content] Infographic: Learn How to Detect a Phishing Email
6. Links aren’t always what they seem
Every phishing email includes a link, but phishing links are deceptive. While the link text might say “Go to PayPal account,” the URL takes the user to a phishing page designed to look like PayPal. Make sure your employees hover over all links before clicking them to see the pop-up that displays the link’s real destination. If it is not the website expected, it's probably a phishing attack.
It is most important to make sure that the core of the URL is correct. Be especially cautious of URLs that end in alternative domain names instead of .com or .org. Additionally, phishers use URL shorteners, such as Bitly, to bypass email filters and trick users, so be cautious of clicking on shortened URLs. IsItPhishing.AI can determine if a URL is legitimate or a phishing link. If you or your employees are in doubt of the legitimacy of a website, IsItPhishing can tell you.
7. Phishing links can be hidden in attachments
All phishing emails contain a link, but links are not always in the email. To avoid detection by email security filters, hackers will include a phishing link in an attachment, such as a PDF or Word doc, rather than the body of the email. And because sandboxing technology scans attachments for malware, not links, the email will look clean.
The email itself will appear to be from a legitimate business, vendor, or colleague, asking you to open the attachment and click on the link to review or update information. During phishing awareness training, users should be trained to hover over links in attachments in the way they do when inspecting links in emails.
8. Hackers use real brand images and logos
Brand logos and trademarks are no guarantee that an email is real. These images are public and can be downloaded from the internet or easily replicated. Even antivirus badges can be inserted into emails to persuade victims into thinking an email is from a legitimate source.
While any email filter can detect a phishing email that has been previously reported, they might not recognize that same email if it is resent with an altered image or logo. As a result, hackers distort images and logos to bypass detection. Additionally, phishing URLs can be hidden in QR codes, malicious text can be placed on images, and images are often hosted remotely to avoid detection.
Phishing awareness training is an ongoing commitment
Dealing with the repercussions of a phishing attack is not only time-consuming but also costly. One careless click has the potential to compromise your entire network, so it is important that everyone works as a team to protect the company. Make sure there is a system in place to report attacks, and make sure all of your employees understand how important it is to follow through in reporting it.
While structured annual or semiannual cybersecurity awareness training is recommended, employees should also receive on-the-fly phishing awareness training to fill the awareness gap. If an employee clicks on a phishing link, they should receive immediate feedback and additional training. Review the email with them, show them the red flags and indicators they missed, and provide additional training materials to help them avoid being phished in the future.
Vade for M365 users receive an invitation to complete a phishing awareness training exercise if they interact with a phishing email. Vade Threat Coach is an automated feature that triggers training at the moment of need, rather than months later in annual training.
To learn how Vade Threat Coach can boost your users' phishing awareness, download the infographic.