When Barracuda first opened shop as an email security company nearly 15 years ago, spam was causing major problems in corporate inboxes. While spam bogged down users, the messages themselves weren’t typically malicious—a lot has changed since then. Today, criminals are using all types of tactics to launch attacks through email, including some clever phishing campaigns where the most effective line of defense is the human firewall.
The human what? In a world where vendors jump in front of each other to deploy their “best-of-breed” security solutions at headquarters and everywhere else, the only thing between your company and a ransomware attack may be whether or not a user clicks a malicious link.
Let’s take a closer look at the types of phishing emails your users are up against each day, and what they can do to stay safe from creative cybercriminals.
Every day, cybercriminals come up with a wide variety of phishing tactics intended to scam unsuspecting users. In May alone, Barracuda blocked over 1.5 million phishing emails and saw over 10,000 unique phishing attempts (a unique attempt being one piece of email content, potentially sent to hundreds or even thousands of people). So far in June, we have already blocked 1.7 million phishing emails with over 2,000 unique attempts. Below we highlight some of the real attempts sent by criminals.
In this first example, the criminals attempt to entice the recipient with a money scam. The intent here is to scam users out of money, but in similar attempts we have also seen criminals use the same lure to acquire information or infect a computer with malware.
The next example is an information phishing scam, in which criminals hope to gather information from the user. In this case a spoofed bank message is used to convince the user to act on the request.
Another common problem users face from phishing is the distribution of malware. The goal of these messages is to trick the user into opening an attachment (as in the example below) or clicking a URL.
Multiple file extensions
As mentioned above, phishing attempts often require a user to open an attachment in order to install malware, and criminals have many ways of convincing users to do so. One is to give the attachment multiple file extensions so that the user believes the file type is different from what it actually is: a name that ends in a document extension followed by an executable extension, for instance, relies on Windows hiding the final, known extension by default, so the user sees what looks like a document.
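As an added example (not code from the original post or from Barracuda's products), here is a small Python check of the kind a mail gateway or a triage script could apply to attachment names. The extension lists and the sample filenames are constructed for illustration. It flags a document-looking extension followed by an executable one, whitespace padding used to push the real extension out of view, and the Unicode right-to-left override character that reverses how the tail of a name is displayed.

```python
import re

# Extensions Windows will run, or that carry scripts/macros (constructed list for this example).
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "ps1", "hta", "msi", "jar", "lnk", "url", "iso", "img",
}
# Extensions users associate with harmless documents and media.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
              "rtf", "csv", "jpg", "jpeg", "png", "gif", "zip"}
# Benign compound extensions that should not trip the multiple-extension rule.
KNOWN_COMPOUND = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}

RTLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE: reverses the displayed tail of a name


def split_extensions(filename):
    """Return the dot-separated extensions of a filename, lowercased and with
    padding removed: 'Invoice.pdf      .exe' -> ['pdf', 'exe']; 'README' -> []."""
    name = re.split(r"[\\/]", filename)[-1].strip()   # drop any path component
    parts = name.split(".")
    return [p.strip().lower() for p in parts[1:] if p.strip()]


def classify_attachment(filename):
    """Classify an attachment name as ('block' | 'suspicious' | 'allow', reason)."""
    if RTLO in filename:
        return ("block", "right-to-left override character disguises the real extension")
    exts = split_extensions(filename)
    if not exts:
        return ("suspicious", "no extension")
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        if len(exts) > 1 and exts[-2] in DECOY_EXTS:
            return ("block", f"decoy .{exts[-2]} followed by executable .{final}")
        return ("block", f"executable extension .{final}")
    if len(exts) > 1 and tuple(exts[-2:]) not in KNOWN_COMPOUND:
        return ("suspicious", f"multiple extensions .{'.'.join(exts)}")
    return ("allow", f".{final}")


if __name__ == "__main__":
    # Constructed sample names, not taken from a real campaign.
    for sample in ["Invoice.pdf.exe", "Invoice.pdf          .exe", "report.docx",
                   "photo\u202egnp.scr", "backup.tar.gz", "statement.pdf.zip", "README"]:
        print(repr(sample), "->", classify_attachment(sample))
```

The verdict is deliberately on the name only; a real gateway would also compare the declared extension with the file's actual content type, since renaming is free for the attacker.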
Not all threats come in the form of email attachments, which is why links should also be handled with just as much scrutiny. This example shows exactly why.
While phishing refers to mass targeting, spear phishing messages are crafted for a single, specific individual in order to establish trust with that person. Spear phishing attempts regularly use impersonation techniques to convince recipients that the message comes from a real source, and effective spear phishing takes a great deal of reconnaissance on the target to increase the odds that the user falls for the attack. Here is an example where the criminals took the time to register a deceptive domain containing the name of an actual entity in order to appear legitimate.
These examples are only a small sample of the many variations of phishing scams criminals send each day, but they make the case for why today’s users need proper training to stay safe online.
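As an added example, not part of the original post, the following Python code checks whether a link or sender domain contains or imitates a known brand without being one of that brand's legitimate registrable domains, which is the deceptive-domain trick described above. The brand list, legitimate domains, homoglyph table and sample URLs are all constructed assumptions for the example; a production check would consult the full public suffix list rather than the handful of two-label suffixes hard-coded here.

```python
import re
from urllib.parse import urlparse

# Brands to protect and their legitimate registrable domains (constructed for this example).
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "live.com", "outlook.com"},
    "barracuda": {"barracuda.com", "barracudanetworks.com"},
}

# A few two-label public suffixes; a real deployment should use the full public suffix list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Common look-alike substitutions used inside domain labels (assumed, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def host_of(url_or_address):
    """Extract the host from a URL, an email address, or a bare hostname.
    For URLs the parsed hostname is used, so 'http://paypal.com@evil.example/'
    yields 'evil.example', not the user-info decoy in front of the '@'."""
    if "://" in url_or_address:
        return (urlparse(url_or_address).hostname or "").lower()
    return url_or_address.split("/")[0].split("@")[-1].lower()


def registrable_domain(host):
    """Return the registrable (organisation-owned) part of a hostname."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(label):
    """Undo common homoglyph substitutions: 'rnicros0ft' -> 'microsoft'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(url_or_address):
    """Return (verdict, brand, reason); verdict is 'legitimate', 'lookalike' or 'unknown'."""
    host = host_of(url_or_address)
    reg = registrable_domain(host)
    for brand, legit in KNOWN_BRANDS.items():
        if reg in legit:
            return ("legitimate", brand, f"{reg} is a known {brand} domain")
    tokens = [t for t in re.split(r"[.-]", host) if t]
    for brand in KNOWN_BRANDS:
        # Brand name embedded anywhere in the host (subdomain, hyphenated label, etc.)
        if brand in host:
            return ("lookalike", brand,
                    f"'{brand}' appears in {host} but the registrable domain is {reg}")
        # Brand name written with homoglyphs, or one typo away, in a single label
        for tok in tokens:
            norm = normalize(tok)
            if norm == brand or (len(tok) >= 5 and levenshtein(norm, brand) <= 1):
                return ("lookalike", brand, f"label '{tok}' resembles '{brand}'")
    return ("unknown", None, f"{reg} references no known brand")


if __name__ == "__main__":
    # Constructed sample links and senders, not taken from real campaigns.
    for sample in ["https://www.paypal.com/signin",
                   "https://paypal.com.secure-login.example/verify",
                   "http://paypa1-accounts.com/",
                   "billing@rnicrosoft-login.co.uk",
                   "https://example.org/"]:
        print(sample, "->", check_domain(sample))
```

Note that a URL carrying a brand name in its user-info part (the text before `@`) is judged on the real host only; a stricter policy would treat any link with user-info as suspicious outright. The one-edit tolerance on labels of five or more characters keeps typo detection from firing on every short word.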
The best defense against phishing and spear phishing is to make users aware of the threats and techniques criminals use. I’ve included a few tips below based on the examples above; however, the best approach is for organizations to implement a simulation and training program to improve security awareness among their users. Barracuda PhishLine helps people recognize the subtle clues that identify phishing attempts, using a two-pronged approach. First, computer-based training gives users a baseline understanding of the latest techniques attackers are using. Second, PhishLine embeds learning into business processes by launching customized simulations that test and reinforce good user behavior. A large library of curated content means faster time to value, while rich reporting and analytics provide visibility.
Here are a few quick tips to help avoid phishing scams like the ones highlighted above:
- Don’t open attachments or click URLs from unknown sources. Even sources you think are safe could have been impersonated by criminals. If there is ever a question of legitimacy, go to the site directly in your browser instead of following the link.
- Emails with attachments should always be treated with care: with much of the malware being distributed today, simply opening a single file can infect your computer almost instantly. Attachments may give off some indicators
- Many information scams claim that an email login is required to access some resource or document. A good practice is to never enter login credentials on a page reached via an email link, regardless of whether the email was legitimate. Instead, go to the site directly in your browser to log in.
- Money scams are notorious for poor grammar, and in many cases the language reads as though it was written by someone using English as a second language. Just remember: if something sounds too good to be true, it probably is.
Real-Time Spear Phishing and Cyber Fraud Defense — Barracuda Sentinel is the only solution on the market that can automatically prevent email account takeover. It uses AI to learn an organization’s communication history and prevent future spear phishing attacks. It combines three layers: an artificial intelligence engine that stops spear phishing attacks in real time, including emails that originate from within the company; domain fraud visibility using DMARC authentication to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals.
User Training and Awareness — Employees should be regularly trained and tested to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training. A solution like Barracuda PhishLine provides comprehensive, SCORM-compliant user training and testing as well as phishing simulation for emails, voicemail, and SMS along with other helpful tools to train users to identify cyberattacks.