We know: that dethroned Nigerian prince needs your help, and in return he’ll deposit $5,000 in your bank account. All he needs is a small advance.
While the above scenario is widely recognized as a poor phishing attempt, phishing attempts can actually be much more sophisticated than that and more difficult to identify. If you’re not familiar with the Nigerian prince scam or phishing in general, phishing is basically an attempt to get personal or sensitive information from you through deception, usually in an email or on a malicious website.
So, for what types of scams should you be on the lookout? While they can come in many forms, like a website pop-up or an email, they are typically trying to get your bank information or personal information to steal from you or your organization. At first blush, it could look like your bank is emailing you asking for your online login info or the IRS is threatening you with an audit. It could be an email that looks like it’s from a coworker or a superior asking you to wire money, or from UPS saying to click the tracking link. Like we said, they can be very sophisticated.
While there are certain precautions we recommend all organizations take, like using a firewall, spam filtering, website filtering and antivirus, there is still no substitute for a keen eye. These types of threats may still slip through, so it’s important for you to understand that they’re out there and be savvy enough to recognize something suspicious. Here are some guidelines to follow when ascertaining if an email or website request for information is legitimate …
Be Discerning of Requests for Highly Sensitive Information
If you receive an email asking you to provide login information, your social security number, credit card numbers, or your bank account information, call whoever is requesting it to verify it’s legitimate. In fact, if your organization’s firewall has the appropriate settings, it may prevent you from even emailing out that data. The firewalls we implement can be programmed to recognize credit card and social security numbers and block those emails from going out.
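The outbound blocking described above is a data loss prevention (DLP) check: the gateway scans each outgoing message for patterns that look like social security or credit card numbers and blocks the message if it finds one. The following is an added example of that check in Python; it is not Mirazon's firewall code or the product's actual rule set. The sample messages are constructed, the SSN exclusions (area 000/666/9xx, group 00, serial 0000) are the structural rules the SSA publishes, and the Luhn checksum is what separates a real card number from a random run of digits such as a ticket number.

```python
import re

# Constructed sample messages (not real data); the card number is a well-known test value.
SAMPLE_MESSAGES = {
    "ssn": "Per your request, my SSN is 123-45-6789. Thanks!",
    "card": "Card on file: 4111 1111 1111 1111, exp 12/29",
    "digits": "Ticket 1234 5678 9012 3456 has been closed",   # 16 digits, fails the Luhn check
    "clean": "Lunch is at noon; the new phone number is 502-555-0100.",
}

# SSN pattern with the structural exclusions the SSA publishes:
# area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive_data(body: str) -> dict:
    """Return the SSN and card-number matches found in a message body."""
    findings = {"ssn": SSN_RE.findall(body), "card": []}
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings["card"].append(m.group().strip())
    return findings


def outbound_policy(body: str) -> str:
    """Decision a DLP-aware gateway would make for an outgoing message."""
    found = find_sensitive_data(body)
    return "BLOCK" if found["ssn"] or found["card"] else "ALLOW"


if __name__ == "__main__":
    for label, body in SAMPLE_MESSAGES.items():
        print(f"{label:7s} -> {outbound_policy(body)}  {find_sensitive_data(body)}")
```

The phone number and the ticket number both pass through untouched, which is the point of pairing a loose regex with the Luhn check: a pattern alone would either miss real numbers or block ordinary business mail. A production gateway would apply the same idea to attachments and would log the block so the sender can be told why the message did not go out.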
Recognize Inappropriate Fear Appeals and Urgency
If the request contains a certain level of urgency or plays on your fears, it may not be legitimate. Your bank will not immediately shut down your account if you don’t send over your online banking credentials. The IRS will not notify you of an audit via an email. If your boss is asking you to wire money ASAP and this is out-of-character behavior, double-check on it. A good rule of thumb is to never put anything in email that you would not put on an outdoor billboard.
That email from UPS/FedEx regarding your package will have a link in it. If it’s not legitimate, that URL will take you to a malicious site. Hover your mouse over it and see what it says. If it looks odd, doesn’t contain the name of the company that emailed you, or doesn’t have “https” in it, it may well be harmful.
These URLs may use what are called “child domains.” For example, blog.www.mirazon.com would be a child domain. Whatever comes before your actual domain name (Mirazon.com) is completely up to you. So, a scammer could easily create fedex.maliciousdomain.com, and the untrained eye may be deceived.
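What the hover check really comes down to is reading a hostname from right to left: the registered domain is the last part, and everything in front of it is a child domain (subdomain) that the domain's owner can set to anything, including another company's name. The following added example (not code from the original post) does that reading in Python for the links the text describes. It assumes a deliberately tiny list of multi-label public suffixes such as co.uk; real tooling uses the full Public Suffix List. The sample links are constructed, using the page's own maliciousdomain.com and blog.www.mirazon.com as illustrations.

```python
from urllib.parse import urlparse

# Assumption: a tiny, incomplete set of multi-label public suffixes. Real tools use
# the full Public Suffix List (publicsuffix.org); this is enough to show the idea.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Constructed sample links, as they would appear when hovering over a message link.
SAMPLE_LINKS = [
    "https://www.fedex.com/tracking?id=123",           # what a legitimate link looks like
    "http://fedex.maliciousdomain.com/track",          # brand name only in a child domain
    "https://fedex.com.maliciousdomain.com/track",     # whole brand domain used as a child domain
    "https://fedex.com@maliciousdomain.com/track",     # brand name in the user@ part, not the host
]


def registrable_domain(host: str) -> str:
    """The part of a hostname its owner actually registered. Everything before it is a
    child domain the owner can choose freely, e.g. blog.www.mirazon.com -> mirazon.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_link(url: str, expected_domain: str) -> dict:
    """Compare the domain a link really points at with the company that claims to have sent it."""
    parsed = urlparse(url)
    host = parsed.hostname or ""           # hostname drops any user@ prefix and any port
    owner = registrable_domain(host)
    expected = expected_domain.lower()
    brand = expected.split(".")[0]
    return {
        "host": host,
        "registrable_domain": owner,
        "https": parsed.scheme == "https",
        "matches_expected": owner == expected,
        # The brand name shows up in the hostname, but a different domain owns the link.
        "brand_in_child_domain": brand in host and owner != expected,
    }


def link_verdict(url: str, expected_domain: str) -> str:
    info = inspect_link(url, expected_domain)
    if not info["matches_expected"]:
        return "SUSPICIOUS: link is owned by " + info["registrable_domain"]
    if not info["https"]:
        return "SUSPICIOUS: not https"
    return "OK"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:48s} {link_verdict(link, 'fedex.com')}")
```

Note that the last three sample links all contain the word "fedex" and two of them use https, yet every one of them is owned by maliciousdomain.com; the company name and the padlock on their own prove nothing, which is why the check keys on the registered domain rather than on what the hostname happens to contain.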
Beware Impersonal/Generic Greetings in Emails
If an email doesn’t contain your actual name and says something like, “Dear Bank Customer”, you should look closer. Many scammers fire off a mass amount of these emails at once, but your real bank should have a database with your information in it and a system that will easily populate your actual name into their emails to you.
Check the Sender’s Email Address
It’s very easy to spoof the name of the sender in an email, and sometimes email programs will hide the actual email address and just display the name associated with the address.
See here? You can’t see my actual email address:
Hover your mouse over or double-click on the sender’s name to see what the actual email address is. You may find that the email address does match the sender’s name, or that it’s slightly off. We’ve gotten phishing attempts from emails that were just slightly off, like from mirazom.com, for example. Look carefully if an email looks suspicious.
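The two things to look at once the real address is visible are whether the display name agrees with the address behind it and whether the address's domain is the genuine one or a near miss like the mirazom.com example above. The following added example (not code from the original post) performs both checks in Python on the From header: it parses the display name and address apart, flags a display name that itself looks like an address from some other domain, and uses edit distance to catch a one- or two-character lookalike of a known domain. The trusted-domain list and the From headers are constructed for the example.

```python
import re
from email.utils import parseaddr

# Assumption: domains the reader treats as known senders (constructed for the example).
TRUSTED_DOMAINS = {"mirazon.com"}

# Constructed From headers covering the cases discussed in the text.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane@mirazon.com>",                          # genuine
    "Jane Doe <jane@mirazom.com>",                          # one letter off
    '"jane@mirazon.com" <someone@free-mail.example>',       # address hidden in the display name
    "UPS Shipping <noreply@ups.example>",                   # unknown sender, verify out of band
]

EMAIL_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> dict:
    """Classify a From header as trusted, lookalike, mismatch or external."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    result = {"display_name": display_name, "address": address, "domain": domain}

    # 1. A display name that is itself an address from a different domain than the real one.
    m = EMAIL_IN_NAME.search(display_name)
    if m and m.group(1).lower() != domain:
        result["verdict"] = "mismatch"
        result["reason"] = f"display name claims {m.group(1)} but the address is @{domain}"
        return result

    # 2. Exactly a known domain.
    if domain in TRUSTED_DOMAINS:
        result["verdict"] = "trusted"
        result["reason"] = "domain is on the known-sender list"
        return result

    # 3. A near miss of a known domain (mirazom.com vs mirazon.com).
    for trusted in TRUSTED_DOMAINS:
        distance = levenshtein(domain, trusted)
        if distance <= 2:
            result["verdict"] = "lookalike"
            result["reason"] = f"{domain} is {distance} edit(s) away from {trusted}"
            return result

    result["verdict"] = "external"
    result["reason"] = "domain is not known; verify the request another way"
    return result


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        r = check_sender(header)
        print(f"{header:52s} {r['verdict']:9s} {r['reason']}")
```

A "trusted" result here only means the address reads correctly; the From header is still attacker-controlled text, so the actual proof that a message came from that domain is the SPF, DKIM and DMARC evaluation your mail gateway records in the Authentication-Results header. This check is the human-readable layer on top of that, not a replacement for it.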
Of course, there are very sophisticated attacks out there, and something can easily slip by your notice. That’s why it’s important to have certain safeguards in place to protect you should something malicious get through. We always recommend a combined solution of antivirus, unified threat management/firewall, and regularly scheduled maintenance and patching as a means to help protect against constant cybersecurity threats.