You work hard to make your business successful. Unfortunately, there are a number of people out there working hard to separate you from your profits. Malicious actors continually evolve their tactics to try to trick you and your employees into divulging sensitive data or sending money from the business to their pockets. Phishing emails and fake landing pages work in tandem to deceive you and cause expensive harm to your business. This article talks about the different types of phishing emails, how to identify fake landing pages and what to do if you think you’ve received a phishing email.
What is phishing?
Operators on the wrong side of the internet create emails that encourage the recipient to click through links or download files. They typically mimic well-known companies by using their branding and common email templates. These emails usually impart a sense of urgency, for example by claiming that a payment has been declined or a subpoena has been issued. Sometimes the email simply carries a Word document attachment, described as an invoice for a previous purchase or a resume from a potential employee. Unfortunately, the links usually lead to fraudulent landing pages, and the downloads contain malware (in the case of compressed files) or malicious macros (in the case of Word documents) that open the door to data theft and ransomware.
Finesse: spear phishing and whaling
As users become more familiar with typical phishing emails, malicious actors are tailoring their attempts to look ever more specific to the recipient. Incidental information such as birthdays or parties mentioned on social media is woven into emails designed to look as though they come from a colleague. These personal, real-time touches are meant to create a sense of trust and lower our scepticism when reading an unexpected email. Unfortunately, the outcome is the same.
Whaling takes this one step further by clouding our judgement with a veil of authority. Fake email addresses are created that closely mimic those of the CEO or other highly placed people within the business. Through these accounts, staff are instructed to process payments to external accounts. Depending on the internal structure of the company, directives like these may be routine and are often acted upon without verification.
Fake landing pages
When staff click through a link in a phishing email, they are greeted with a landing page mocked up to replicate an official company page. The branding is often similar, and the URL looks official at a glance, differing only in details such as two transposed letters that are easy to miss. These fake pages prompt for login details, credit card details or other information that will give the attacker access to company finances or to secure internal networks.
How to spot a fake landing page
There are some key characteristics that many fake landing pages share. Not every page will show all of these markers, but even one should be enough to trigger further investigation.
- Incorrect URLs: As mentioned above, a fake landing page may have a URL that looks similar to the official one but with key differences. There may be transposed letters, similar spellings, or a different top-level domain such as .org, .net or .io in place of the correct one.
- Immediate invitation to fill in data: Fake landing pages rely on staff being too busy to check details, so they place data-entry fields directly on the landing page to collect sensitive information. A genuine website would typically require some form of verification before requesting confidential information.
- Bare-bones page layout: Genuine websites commonly have headers and footers that let you click through to contact information, site maps or other pages. Fake landing pages usually skip these, as there is no reason to encourage navigation away from the data-collection page.
How to protect against phishing emails and fake landing pages
Before phishing attempts became personalised, they were often generated en masse and distributed at random. Some of these will still land in your inbox. If you receive an unexpected email, look for the following red flags:
- A generic greeting (hi, or hello) without your name. Genuine corporate senders will have your first name on file and will use it in communications,
- Poor spelling or grammar,
- Link text that points somewhere other than the real destination (hover your pointer over a link to display where it actually goes),
- Generically named Word documents or compressed files attached to the email.
As general awareness of these schemes has grown, phishing emails have become far more sophisticated, and many slip past automatic filters. In truth, the only way to be sure an email is genuine is to contact the supposed sender independently of the email itself:
- In the case of whaling, call the CEO (or their office) directly and ask for verification of payment instructions,
- Contact institutions by phone or through the official website to verify any supposed charges, disqualifications, infringements, fines or invoices,
- In the case of spear phishing, contact the co-worker directly or the department to confirm any action to be taken.
If you do find yourself holding a suspected phishing email or looking at a possibly fake landing page, do not click any links, submit information or download any files. Contact your IT support team and ask for specific instructions. Sometimes they will ask you to forward the email so they can inspect it; other times they will ask you to delete it. Some banks and corporations also have dedicated fraud email addresses to which you can forward suspected phishing emails.
About Prosyn, your cyber security partner
Prosyn are one of the most trusted IT support providers in London. If you would like more help, advice and support with phishing emails or fraudulent landing pages, or any other IT support issues, contact us today to see how we can help.