Email spoofing and phishing is a two-part process.

  1. The spammer must spoof an email. It can appear to come from a legitimate source, or they can simply copy the name of a legitimate person or company and use a fake email address.
  2. After the spoofing comes the actual phishing email, where the attacker uses links and buttons that “appear” legitimate but point to bad links.

Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source.

Email phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, clicking the links within it, or even replying to the fake email address!

How to identify typical spoofing and phishing attacks…

Given the prevalence of phishing attacks, it is important to be aware of what an actual phishing attempt looks like. While cyber criminals will often try to make their attacks look as legitimate as possible, there are indicators that can be used to identify the authenticity of a message. Here are some examples of actual phishing attempts, and what to look for!

The most recent example we’ve seen in email is a “spoofed” message: the “INVOICE DUE” emails…

In this email, the message came from someone you know and the email address WAS legitimate; however, the link or button inside the email was NOT real! Users should take note that they do not need to click on a link to check where it leads, since hovering their mouse cursor above the URL will also show the link destination. Just because you receive an email like the one above, it doesn’t mean you have been hacked; it means the sender’s email has been “spoofed”.

Example of email phishing using a well-known company, like Apple, LinkedIn or OneDrive… HOWEVER, it could be a simple request for a user to wire money, approve a payment, or view an invoice, and it may look like it’s coming from someone in your normal contact list…

LinkedIn is used by people to network and keep in touch with other professionals, making it a prime focus for cyber criminals who are looking to steal personal information from the millions of employees who use the social media website.

Before even getting into the actual content of the message, users should first consider why they received a confirmation email in the first place. Most companies will only send confirmation emails for new registrants or customers who change something in their settings. Unsolicited ones should be deemed as highly suspect.

Users should take note that they do not need to click on a link to check where it leads since hovering their mouse cursor above the URL will also show the link destination.

Tips for mitigating phishing attacks

Here are some recommendations to help protect users from falling victim to phishing scams.

  • Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from their customers. If in doubt, users should verify with the company itself to avoid any potential issues.
  • Users should always take a close look at the sender’s display name and the address behind it when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.
  • As a rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.
  • Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering above it might show a different web address. In fact, users should avoid clicking links in emails unless they are certain that it is a legitimate link.
  • Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.
  • Users should not be frightened or intimidated by messages that have an alarmist tone. They should double check with the company if they are uncertain about the status of their accounts.
  • Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.
  • Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.
  • Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.
  • Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.
  • It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.
  • If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.
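The “hover over the link” check from the INVOICE DUE example and several of the tips above (sender domain versus link domain, mismatched URLs, generic greetings, alarmist wording) can be run mechanically over a raw message. The script below is an added example written for this page, not code from the original article; both sample emails are constructed, the `.example` domains are placeholders, and the “registrable domain” helper is a deliberate simplification (last two labels of the host) rather than a real Public Suffix List lookup.

```python
"""Heuristic phishing-indicator checks over a raw email message.

Added example for this page (not the article's own code). The two sample
messages below are constructed; all *.example domains are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "valued customer")
ALARMIST_PHRASES = ("account will be suspended", "within 24 hours",
                    "urgent action required", "verify your account immediately")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body, i.e. what the
    reader sees versus where the link actually goes (the 'hover' check)."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(host_or_url):
    """Approximate registrable domain: last two labels of the host.
    Assumption/simplification; production code should use the Public Suffix List."""
    host = urlparse(host_or_url).hostname if "://" in host_or_url else host_or_url
    if not host:
        return ""
    return ".".join(host.lower().split(".")[-2:])


def analyze(raw_email):
    """Return a list of (indicator_code, detail) tuples for one raw message."""
    msg = message_from_string(raw_email)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""

    # Replies routed to a different domain than the apparent sender
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr and _domain(reply_addr.rsplit("@", 1)[-1]) != from_domain:
        findings.append(("reply-to-mismatch", reply_addr))

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    text = re.sub(r"<[^>]+>", " ", body).lower()  # crude tag strip for wording checks

    collector = _LinkCollector()
    collector.feed(body)
    for href, visible in collector.links:
        href_domain = _domain(href)
        # Visible text looks like a URL/domain but the href points elsewhere
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", visible.lower())
        if shown and _domain(shown.group(1)) != href_domain:
            findings.append(("mismatched-url", f"{visible} -> {href}"))
        # Link domain differs from the sender's domain
        if from_domain and href_domain and href_domain != from_domain:
            findings.append(("link-domain-differs-from-sender", href))

    if any(g in text for g in GENERIC_GREETINGS):
        findings.append(("generic-greeting", ""))
    if any(p in text for p in ALARMIST_PHRASES):
        findings.append(("alarmist-tone", ""))
    return findings


# Constructed sample: spoofed sender, look-alike link, generic greeting, urgency
SAMPLE_PHISH = """\
From: "LinkedIn" <messages-noreply@linkedin.com>
Reply-To: support@mail-relay.example
To: victim@company.example
Subject: Action required: confirm your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear member,</p>
<p>Your account will be suspended within 24 hours unless you visit
<a href="http://login.linkedin-security-alerts.example/verify">https://www.linkedin.com/settings</a>.</p>
</body></html>
"""

# Constructed sample: consistent sender, link and greeting
SAMPLE_LEGIT = """\
From: "Accounts Payable" <ap@partner-firm.example>
To: victim@company.example
Subject: Invoice 1042
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Dana,</p>
<p>The portal copy of invoice 1042 is at
<a href="https://billing.partner-firm.example/inv/1042">https://billing.partner-firm.example/inv/1042</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_PHISH):
        print(code, detail)
    print("legit findings:", analyze(SAMPLE_LEGIT))
```

Running it prints five indicators for the constructed phishing sample and none for the constructed invoice, which is exactly the kind of difference a reader doing the hover and sender-domain checks by hand would see. The indicators are heuristics, not proof: a legitimate newsletter can have a generic greeting and a third-party link domain, so in practice they are scored together rather than treated individually as verdicts.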