Phishing Has Evolved… Have You?

Technology has changed, and phishing attempts look more legitimate than ever before.

01 October 2019

Top up your cybersecurity survival kit with the Chief Information Security Officer (CISO)! October is Cyber Security Awareness Month, and we're challenging you to look closely at the evolution of cybercrime and check that you've kept up.

Dear Sir,

The Nigerian National Petroleum Company has recently concluded a large number of contracts for oil exploration in the sub-Sahara region. The contracts have immediately produced moneys equaling US$40,000,000. You assistance is requested as a non-Nigerian citizen to assist the Nigerian National Petroleum Company, and also the Central Bank of Nigeria, in moving these funds out of Nigeria. If the funds can be transferred to your name, in your United States account, then you can forward the funds as directed by the Nigerian National Petroleum Company. In exchange for your accommodating services, the Nigerian National Petroleum Company would agree to allow you to retain 10%, or US$4 million of this amount.

Look familiar? Most people recognize the infamous Nigerian Prince email scam, and even if it's never crawled its way into your inbox, you've almost certainly come across a slew of pop culture references.

But what about this one?

Good morning Jamie,

Please find attached the 2019 financial activity report for your perusal.

Thanks & regards,

Ms. Sharon Mosley
Westmount Day School

They addressed you by your name. You work with Westmount Day School. You've met Ms. Sharon Mosley, and it wouldn't be unusual for her to send you a financial activity report. Everything seems safe - but this is actually a phishing email.

Phishing has evolved. Have you kept up?

What is Phishing?

Phishing is when a fraudulent email is sent from a seemingly legitimate organization or person in an attempt to convince individuals to divulge personal information, such as passwords or credit card numbers. Links in phishing emails will often take you to phoney sites that encourage you to send personal or financial information to these criminals, and attachments can contain malware or ransomware.

There are three main phishing attacks to be aware of:

  1. Clone phishing: a previously delivered, legitimate email is used to create a phishing clone, sent from an email address spoofed to look like the original sender. These phishing emails contain a malicious link or attachment.
  2. Spear phishing: a targeted phishing attack directed at specific individuals or companies. Attackers may gather personal information about their targets to increase their likelihood of success.
  3. Whaling: a targeted phishing attack directed at senior executives and other high-profile business targets.

How Do I Recognize a Phishing Attack?

Phishing emails can look legitimate; that's why so many people fall victim to them. The most important thing to remember is to stay constantly vigilant online, especially when using email.

Here are some tips to catch a phish:

  • Don't trust the display name: always check the sender's actual email address. The domain after the @ sign (e.g., royalbank@secure.123.com, where the mail comes from secure.123.com rather than the bank's own domain) will reveal a phishing attack.
  • Don't click any links or attachments: hover your mouse over the link to see where the URL leads you, but don't click. Don't open any email attachments you weren't expecting.
  • Check for spelling mistakes. Legitimate organizations have professional communicators, so their emails typically do not contain spelling and grammar mistakes. An excess of spelling and grammar errors indicates a phishing attack. But beware: phishing emails have evolved and won't always contain misspelled words.
  • Be aware of urgent or threatening language. Phishing attacks prey on our emotions. Invoking a sense of urgency is a common phishing tactic, so be on the lookout for subject lines like "your account has been suspended," "unauthorized login attempt," or "claim your $618.52 tax refund now."
  • Review the signature. Legitimate companies always provide contact details. If a signature is missing or incomplete, it may be a phishing attack.
  • Never give up personal information. Banks, lending institutions, insurance companies, health care services, credit card companies, and government organizations will never ask for your personal information over email. If in doubt, call the organization to verify if they sent the email.
  • Always be skeptical. Phishing emails may have convincing logos, language, and a seemingly valid email address. They may even come from a name you recognize. But just because an email looks legitimate doesn't mean it is. If an email looks even remotely suspicious, don't click any links or download any attachments.
  • Be wary of monetary requests. Some phishing emails will request or demand monetary payment, sometimes in the form of iTunes or Amazon gift cards. These emails may even seem to come from a trusted contact. But be cautious with anyone asking for money or gift cards. Even if you recognize the name, first pick up the phone and call the person or organization to verify.
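The first four tips above can be turned into an automatic pre-check. The following is an added example, not code from the original article: it compares the sender's real domain (not the display name) against a list of domains you trust, flags urgent wording in the subject line, and does the "hover over the link" check by comparing each link's visible text with the address it actually points to. The sample message and the trusted-domain list are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not from the original article). It shows the
# tricks described in the tips: a bank-like display name on an unrelated
# domain, a link whose visible text differs from its real target, and an
# urgent subject line.
SAMPLE_EMAIL = """\
From: "Royal Bank Security" <royalbank@secure.123.com>
To: jamie@example.org
Subject: URGENT: your account has been suspended
Content-Type: text/html

<p>Please visit <a href="http://secure.123.com/login">https://www.royalbank.com/</a> to restore access.</p>
"""

# Phrases from the "urgent or threatening language" tip, matched case-insensitively.
URGENT_PHRASES = ("account has been suspended", "unauthorized login", "urgent", "tax refund")


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def check_email(raw_message, trusted_domains):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = message_from_string(raw_message)
    findings = []

    # Tip 1: look at the real address, not the display name.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(address)
    if sender_domain not in trusted_domains:
        findings.append(f"sender domain {sender_domain!r} is not trusted (display name was {display_name!r})")

    # Tip 4: urgent or threatening subject lines.
    subject = msg.get("Subject", "").lower()
    for phrase in URGENT_PHRASES:
        if phrase in subject:
            findings.append(f"urgent language in subject: {phrase!r}")

    # Tip 2: compare where a link says it goes with where it really goes.
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        real_host = urlparse(href).hostname or ""
        shown_host = urlparse(text.strip()).hostname or ""
        if shown_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host!r} but points to {real_host!r}")
    return findings
```

Running `check_email(SAMPLE_EMAIL, {"royalbank.com"})` reports the untrusted sender domain, the two urgent phrases in the subject, and the mismatched link; a plain message from a trusted domain produces no findings.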

Test Your Phishing Knowledge

In January 2019, Google's Jigsaw unit created a quiz that will test your ability to recognize a phishing email. Take the test and see how you measure up.

Keep Evolving

Technology is always evolving, and so are cybercriminals. You need to evolve right along with them. The farther you get left behind, the more you're opening yourself up to a serious data breach.

Ready to evolve? Keep it locked to the CISO News and Alerts page, and find more tips on Facebook and Twitter.