Let’s begin with the technical definition:
“The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.”
Ok, but what does that look like in real life?
A perfect example is an email that looks like it came from someone you know, but isn’t, and it is asking you to do something that seems safe, but isn’t. Sort of a new, better version of the Nigerian Uncle who wants to send you a check, but needs your bank account info. Except, the modern version of phishing actually looks like it is coming from your real Uncle and the ask isn’t as obviously nefarious.
Let’s walk through a real world scenario –
Imagine you are a sales person working for a mid-size company. On any given day you send/receive a hundred emails, texts, LinkedIn messages, etc. You talk with customers, bosses, marketing, other sales folks, legal, and accounting. Your company’s email is @acmememoxyz.com.
It is the end of the year, everyone is pushing to close business and you are out in the field, in between flights to see a big customer. Great time to catch up on email, so you open your laptop and see that Jane Doewisnewenheiger from accounting sent an email titled “Year End Commission – Info Needed”.
You know Jane Doewisnewenheiger in accounting. She has been with the company for years, nice lady, you even chatted with her in the break room a few times. You open the email, because it is about your commission, and see that Jane needs you to fill out the attached form. You open the attached Word file and…BAM! Your laptop is now infected with GandCrab or Ursnif.
What you didn’t see was that the sender’s address used a look-alike domain, not the company’s real “.com”. Because, let’s be honest, no one really reads an email address that long. Not to mention, most email clients condense the sender down to just the display name and hide the actual address. This issue is even more prevalent when checking email on phones (little screen equals less detailed info).
Think that scenario is far fetched? Here is a real email we received that is absolutely phishing, not from a hacker, but a thief:
What junior sales person wouldn’t love to get an email like this? Play this out – junior sales rep sends quote, “customer” replies with credit card info (or possibly worse, what if Schnitzer was an existing customer with credit terms), we ship the 370 drives, and never get paid because this is a phishing email. And a really, really good one.
The “customer” name and signature actually matched the real world LinkedIn profile for the Senior Director, Procurement at Schnitzer Steel Industries, Inc.
The domain of the email address is very close to the domain of the company. At the time, copying and pasting the domain as written, with the “-” in the middle, went to a fully functioning site that appeared to be Schnitzer.
But it wasn’t. A Google search for Schnitzer Steel Industries, Inc. resulted in a domain that did not include the “-” in the URL.
Think about that – a thief went out of their way to research a company to come up with the info for a real life buyer, bought a domain one character off, spoofed their site, found our organization, and sent a request for products that we specialize in.
That isn’t just phishing, that is “spear-phishing”. This is a highly targeted attack that is very difficult to detect if you are not extremely vigilant. As a small organization, we are that vigilant. But as we add more people with varying levels of experience, vigilance is not going to be good enough.
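Both tricks above, the display name that hides the real address and the domain that is one character (or one hyphen) off from the real one, can be caught mechanically before a human ever has to be vigilant. The script below is an added example written for this article; it is not code from the article’s authors or from Vade Secure. It takes acmememoxyz.com from the scenario above as the company domain; bigsteelco.example, the allow-list, and every From: header in it are constructed for illustration (the real look-alike domain from the Schnitzer email is not reproduced here).

```python
"""Triage From: headers for look-alike sender domains.

Added example for this article; not code from the article's authors or
from Vade Secure. acmememoxyz.com is the company domain used in the
article's scenario; bigsteelco.example and every header below are
constructed for illustration.
"""
from email.utils import parseaddr

# Hypothetical allow-list: domains this organisation really exchanges mail with.
TRUSTED_DOMAINS = {"acmememoxyz.com", "bigsteelco.example"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the real sender address, ignoring the display name.

    Mail clients usually render only the display name, which is exactly
    the part the attacker controls and the part this function ignores.
    """
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def classify(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted', 'suspicious', 'unknown' or 'invalid' for one domain."""
    if not domain:
        return "invalid"
    # Exact match, or a genuine subdomain such as mail.acmememoxyz.com.
    if domain in trusted or any(domain.endswith("." + g) for g in trusted):
        return "trusted"
    name = domain.rpartition(".")[0]
    for good in trusted:
        gname = good.rpartition(".")[0]
        # Hyphen or dot stuffing (big-steelco vs bigsteelco) and TLD swaps
        # (acmememoxyz.co vs acmememoxyz.com) both leave the same bare name.
        if name.replace("-", "").replace(".", "") == gname.replace("-", ""):
            return "suspicious"
        # One keystroke away: acmemem0xyz.com, acmememoxyz.cm, ...
        if levenshtein(domain, good) <= 1:
            return "suspicious"
        # Trusted domain buried inside an attacker-owned one:
        # acmememoxyz.com.evil.example
        if good in domain:
            return "suspicious"
    return "unknown"


def triage(from_header: str):
    """Return (display_name, real_domain, verdict) for one From: header."""
    display, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    verdict = classify(domain)
    # A (quoted) display name that itself looks like an address is a classic
    # way to make the client show a trusted-looking sender; never let it pass.
    if "@" in display and verdict != "trusted":
        verdict = "suspicious"
    return display, domain, verdict


# Constructed headers: one legitimate sender and several impersonation styles.
SAMPLE_FROM_HEADERS = [
    "Jane Doewisnewenheiger <jane.doe@acmememoxyz.com>",
    "Jane Doewisnewenheiger <jane.doe@acmememoxyz.co>",
    "Sr Director Procurement <buyer@Big-SteelCo.example>",
    "Jane Doewisnewenheiger <jane.doe@acmememoxyz.com.evil.example>",
    '"jane.doe@acmememoxyz.com" <someone@evil.example>',
    "Mailer <bounce@gmail.com>",
]


def scan(headers=SAMPLE_FROM_HEADERS):
    """Triage every header; returns a list of (display, domain, verdict)."""
    return [triage(h) for h in headers]


if __name__ == "__main__":
    for display, domain, verdict in scan():
        print(f"{verdict:10} {domain:32} shown as: {display}")
```

Run it as-is and only the first header comes back trusted; the hyphenated domain, the swapped TLD, the buried domain and the address-as-display-name all come back suspicious, which is the point: the address the client hides is the one to check. Two caveats for anyone wiring this into a mail gateway: it compares ASCII only, so homoglyph and internationalised-domain look-alikes (a Cyrillic “а” for a Latin “a”) need the punycode form and a confusables table, and the substring check is generous, so very short trusted domains will produce false positives.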
So what can you do to protect your organization from phishing attacks? First, and the least expensive, educate your staff. Here is a great article from our partner Vade Secure to share with all of your employees –
With attacks like the two examples detailed above, awareness is not enough. Anti-phishing solutions like Vade Secure provide a next level of protection that is an excellent way to combat the hackers and thieves.
If you want to learn more about how anti-phishing software works or to implement it in your organization, contact us at firstname.lastname@example.org today!