Trickery has always been part of human behavior, and new methods have been invented over time.
Today, various types of cyber fraud are very common. Cyber fraud spans a wide range of offences, such as identity theft, data breaches and phishing, and causes a lot of damage to both companies and individuals.
A majority of successful cyberattacks begin with a user acting on a malicious email.
The email can, for example, prompt the user to verify a password. This type of fraudulent email is called phishing and is very common. You have probably received this kind of email at some point.
Phishing comes in various forms, all with the intention of deceiving you: to steal your identity, to get you to download a malicious attachment, or to trick you in some other way.
The most common form is probably an email containing a link that leads to a malicious or fake website requesting your user information.
Before the introduction of multi-factor authentication (MFA), many accounts were hijacked each month due to phishing.
Other types of email fraud
Another type of phishing is CFO fraud: emails that appear to come from the CEO or CFO, asking you for a personal favor and often asking you to keep it secret.
It could be an email to the finance department asking for a secret payment, or a request for confidential information. If you receive an email from the CFO or a similar person asking for a personal favor, call that person back using the phone number in your address book. Do not use any contact details in the email itself.
In the case of an attachment attack, you are asked to open an attachment that executes malicious code on your computer as soon as it is opened. Therefore, be extra careful when performing the checks.
Why does it work?
When we make decisions, we are unconsciously affected by many small factors and emotional drivers.
A phishing e-mail often:
Imitates or exploits a trusted brand, a co-worker or a manager
Conveys a sense of urgency
Triggers our curiosity
Arrives at the same time as software updates
Given that we are often in a hurry and want to help our colleagues, these techniques work again and again, unless we learn to check the authenticity of an email before acting on it.
How do we protect ourselves?
Most of the time, some vigilance is enough to spot a malicious email, by performing at least the following checks:
Check for poor spelling and grammatical errors.
Check the sender email address carefully.
Before you send a reply to an email, validate that the reply-to address is correct. The reply-to address can differ from the sender address.
Check any links by hovering your mouse pointer over them and reading the link in the popup that appears before clicking on it.
Do not open attachments you haven’t asked for, especially from unknown senders.
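Added illustration, not part of the original page: the script below applies three of the checks listed above to a constructed sample message so that they can be automated in a mail gateway or a reporting workflow. It flags a Reply-To address that differs from the sender, a sender domain that is not the organisation's own domain (assumed here to be example.com), and links whose visible text names one host while the href leads to another, which is exactly what hovering over the link would reveal. All addresses and hosts in the sample are made-up placeholders.

```python
"""Automated versions of the manual phishing checks described on this page.

Illustrative code written for this page. The expected domain, the sample
message and every address and host in it are assumptions, not real data.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a typical "verify your password" lure.
SAMPLE_EMAIL = """\
From: "Example Corp IT Helpdesk" <support@example-mail.test>
Reply-To: collect@other-domain.test
To: alice@example.com
Subject: Action required: verify your password
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Please visit
<a href="http://login.example-mail.test/reset">https://portal.example.com/reset</a> now.</p>
<p>Questions? See <a href="https://example.com/help">our help page</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercase host of a URL, or None if the text is not a URL."""
    parsed = urlparse(value if "://" in value else "")
    return parsed.hostname.lower() if parsed.hostname else None


def check_email(raw, expected_domain="example.com"):
    """Return a list of findings for a raw RFC 5322 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # Check 1: a Reply-To that sends your answer somewhere other than the sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"reply-to {reply_addr} differs from sender {from_addr}")

    # Check 2: the sender's domain is not the organisation's own (assumed) domain.
    sender_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    if sender_domain != expected_domain.lower():
        findings.append(f"sender domain {sender_domain} is not {expected_domain}")

    # Check 3: link text shows one host while the href points at another.
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")

    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

Run as a script it prints one line per finding for the sample message; on a clean internal message it prints nothing. The link check only compares hosts when the visible text is itself a URL, since a link such as "our help page" gives the reader no host to compare against.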
The importance of reporting
If you spot a suspected phishing attempt, chances are high that other employees have received it as well.
If your immediate reaction is to delete the e-mail, you treat the symptom but not the root disease.
However, if you report the phishing attempt to our IT department or colleagues, we may be able to implement appropriate defensive measures across our networks.
By following these simple rules, you will protect your company from fraudulent emails:
1. Stop. Don’t open any attachments, follow links or take any action without validating the sender, language, etc.
2. Think. Read and assess the e-mail carefully.
3. Ask for a second opinion or call the sender if unsure.
4. Report suspicious phishing attempts.