1. Always note the language in the email
Social engineering techniques are designed to take advantage of human nature. This includes the fact that people are more likely to make mistakes when they’re in a hurry and are inclined to follow the orders of people in positions of authority.
Phishing attacks commonly use these techniques to convince their targets to ignore their potential suspicions about an email and click on a link or open an attachment. Some common phishing techniques include:
- Business Email Compromise (BEC): BEC scams take advantage of hierarchy and authority within a company. An attacker will impersonate the CEO or other high-level executive and order the recipient of the email to take some action, such as sending money to a certain bank account (that belongs to the scammer).
FOR EXAMPLE: A person claims to be an ABC company employee, building credibility by using a fake ABC email address, in order to trick you into remitting payment for goods to a fake bank account.
- Fake Order/Delivery: A phishing email will impersonate a trusted brand (Amazon, FedEx, etc.) stating that you have made an order or have an incoming delivery. When you click to cancel the unauthorized order or delivery, the website (which belongs to a cybercriminal) will require authentication, enabling the attacker to steal login credentials.
- Fake Invoice: The phisher will pretend to be a legitimate vendor requesting payment of an outstanding invoice. The end goal of this scam is to have money transferred to the attacker’s account or to deliver malware via a malicious document.
In other words, if an email is urging you to take rapid or unusual actions, slow down and verify that it is legitimate before trusting it. Additionally, it is important to consider whether a phishing email’s tone is “on brand” for the supposed sender. Phishing emails will often – but not always – contain misspellings, grammatical errors, or unusual phrasing. If an email doesn’t “sound right”, then don’t trust it.
2. Always be suspicious of password reset emails
Password reset emails are designed to help when you can’t recall the password for your account. By clicking on a link, you can reset the password to that account to something new. Not knowing your password is, of course, also the problem that cybercriminals face when trying to gain access to your online accounts. By sending a fake password reset email that directs you to a lookalike phishing site, they can convince you to type in your account credentials and send those to them. If you receive an unsolicited password reset email, always visit the website directly (don’t click on embedded links) and change your password to something different on that site (and any other sites with the same password).
3. Never share your credentials
Credential theft is a common goal of cyberattacks. Many people reuse the same usernames and passwords across many different accounts, so stealing the credentials for a single account is likely to give an attacker access to a number of the user’s online accounts.
As a result, phishing attacks are designed to steal login credentials in various ways, such as:
- Phishing Sites: Attackers will create lookalike sites that require user authentication and point to these sites in their phishing emails. Beware of links that don’t go where you expect them to.
- Credential-Stealing Malware: Not all attacks against your credentials are direct. Some phishing emails carry malware, such as keyloggers or trojans, that are designed to eavesdrop when you type passwords into your computer.
- Support Scams: Cybercriminals may pose as customer support specialists from Microsoft, Apple, and similar companies and ask for your login credentials while they “help” you with your computer.
Cybercriminals use a lot of different pretexts and scams to attempt to steal your account credentials. Never tell anyone your password, and, if an email points to a login page, visit the site directly and authenticate from there to protect against lookalike phishing sites.
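To make the “links that don’t go where you expect them to” advice in point 3 and the fake password reset link in point 2 concrete, here is an added example in Python. It is not part of the original article: it pulls the anchors out of an HTML email body and flags links whose visible text shows one site while the link itself goes to another, links whose domain is neither the sender’s nor a known brand domain, and sender domains that closely resemble a trusted one (the “fake ABC email address” case in point 1). The sample email, the `example-bank.test` brand and all domain names are constructed for the example, and the domain handling is deliberately simplified.

```python
"""Flag suspicious links and lookalike sender domains in an email body.

Added example, not code from the original article. Checks, from a
defender's stance:
  1. anchors whose visible text shows one host but whose href goes elsewhere;
  2. anchors whose domain is not the sender's or a trusted brand domain;
  3. a sender domain that closely resembles a trusted domain without matching it.
Simplification (assumption): the "registrable" domain is taken as the last two
labels of the host, which is wrong for suffixes such as co.uk; a production
tool would consult the public suffix list instead.
"""
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host-like token inside visible link text, e.g. "https://login.example-bank.test/reset".
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host):
    """Last two labels of a host name (simplified registrable domain)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def find_suspicious_links(html, sender_domain, trusted_domains=()):
    """Return [(href, visible_text, [reasons])] for links worth a second look."""
    allowed = {registrable(d) for d in (sender_domain, *trusted_domains)}
    findings = []
    for href, text in extract_links(html):
        host = urlparse(href).hostname or ""
        if not host:
            continue  # mailto:, relative links, etc.: nothing to compare
        reasons = []
        shown = HOST_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if registrable(host) not in allowed:
            reasons.append(f"{host} is not the sender's or a trusted domain")
        if reasons:
            findings.append((href, text, reasons))
    return findings


def sender_lookalike(sender_domain, trusted_domains, threshold=0.75):
    """Return the trusted domain the sender resembles but does not match, else None."""
    sender = registrable(sender_domain)
    for trusted in trusted_domains:
        candidate = registrable(trusted)
        if sender == candidate:
            return None  # genuine match, not a lookalike
        if difflib.SequenceMatcher(None, sender, candidate).ratio() >= threshold:
            return candidate
    return None


# Constructed sample: a fake password reset notice whose visible URL matches the
# brand but whose real destination is a lookalike domain.
SAMPLE_HTML = """<p>Your password will expire in 24 hours. Reset it now:</p>
<a href="https://login.example-bank-secure.test/reset">https://login.example-bank.test/reset</a>
<a href="https://example-bank.test/help">Help centre</a>
<a href="mailto:support@example-bank.test">Contact us</a>"""

if __name__ == "__main__":
    for href, text, reasons in find_suspicious_links(SAMPLE_HTML, "example-bank.test"):
        print(href, "|", text, "|", "; ".join(reasons))
    print("lookalike sender:", sender_lookalike("example-bank-secure.test", ["example-bank.test"]))
```

Run on the sample, the checker reports only the reset link, for both reasons, and leaves the genuine help-centre and mailto links alone; the same two-label simplification that keeps the code short is the first thing to replace if you adapt it for real mail.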
Should you have any query, please feel free to contact your account manager.