Email phishing is a common practice used by cyber criminals to obtain personal information through a fabricated communication. The email may come from an individual or entity pretending to be a familiar, legitimate and trustworthy source, such as an employee within an organization, the organization you work for, a financial institution, a government agency, and/or a popular business.
The message is sent to trigger an immediate response from the reader by prompting them to click a link in the email, download and open an attachment, or fulfil an information request. The purpose of email phishing is to collect personal, financial and sensitive information, breach information security and data, download a virus, or deliver a ransomware attack. The stolen information is then used for various purposes, including identity theft, fraudulently obtaining funds, and gaining access to business data and networks.
Who are the Targets
Any individual or organization, irrespective of its nature and size, can be a victim of email phishing. This includes government agencies, financial institutions, service organizations such as airlines, hospitality and healthcare groups, IT firms, and professional firms and businesses.
Cyber attacks through phishing scams can attract media attention and cause embarrassment to businesses. The cost of repairing a business’ reputation cannot be gauged, but some post-attack costs can include IT costs to reinstate the compromised system, legal costs for lawsuits against the scammer and for defending lawsuits brought by the affected parties. To these you can add operational disruption costs and other related support costs.
Recently, a television personality was the victim of an email phishing scheme involving close to $400,000. The “Shark Tank” judge’s bookkeeper approved an email requesting authorization of a payment towards a real estate renovation. The media personality was an avid real estate investor, and it was not unusual for the bookkeeper to receive such emails. The email address used by the scammer appeared to belong to the personality’s assistant because it differed from the real address by only one intentionally misspelled letter.
In another instance, thousands of bank and credit card customers received a phishing email directing them to fake financial institution websites. They were prompted to enter bank login details, including account numbers and passwords, which led to their private data being compromised. The scammers were able to steal about $1.5 million from thousands of credit cards and bank accounts.
Be Alert for Red Flags
A phishing email may seem too good to be true and seeks an impulsive response by playing on urgency and emotions. The email may request confirmation, updates and/or validation of account information. Such scams include a notice that your email password will expire soon, a request to follow a link to change the email password, or an invitation to participate in a survey or fill out a form. Other common scams include emails with malicious links disguised as coming from the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO), donation requests from fake charities fighting pandemics, Canada Revenue Agency tax payment requests, requests for payment authorizations, winning free trips, promises of money, threats of losing money, and so on.
The sender’s email address and/or name may be misspelled, at times by only one letter, to win the reader’s confidence. For example: “Emailphishiing” or “Emailphishiing.com.”
Defence Strategies
- Whenever in doubt, do not hesitate to reach out to the concerned authority.
- Ongoing anti-phishing training within the organization for those on the first line of defence.
- Two-factor authentication.
- Restrict access to confidential information to those who need it.
- An independent expert review for businesses that keep data on a cloud network with a third party.
- Back up data and encrypt sensitive data.
- Be vigilant about emails with urgent requests involving financial information.
- Do not email personal or financial information.
- Make a habit of checking the sender’s name and email address, not just the display name.
- Regularly check bank and credit card accounts for any suspicious transactions or activities.
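The one-letter misspelling described above (“Emailphishiing.com” standing in for the real address) and the habit of checking the sender’s address can be turned into an automated check on the mail gateway or in a mailbox rule. The following is an added example and not code from the original article or its author: it parses a From: header, extracts the domain, and measures its edit distance against a small allowlist of domains the organization legitimately corresponds with. The allowlist, the `classify_sender` and `levenshtein` names, and the distance threshold are all assumptions constructed for the example.

```python
"""Flag sender addresses whose domain is a near-miss of a trusted domain.

Added example (not from the original article). A domain that is one or
two edits away from a trusted domain, but is not itself trusted, is the
"misspelled by one letter" lookalike that phishing emails rely on.
"""
from email.utils import parseaddr

# Constructed allowlist for the example; a real deployment would load the
# organization's own partner and vendor domains from configuration.
TRUSTED_DOMAINS = {"example.com", "emailphishing.com", "bank.example"}

# Domains within this many edits of a trusted domain are flagged (assumption).
MAX_LOOKALIKE_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between a and b."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            current.append(min(previous[j] + 1,          # deletion
                               current[j - 1] + 1,       # insertion
                               previous[j - 1] + cost))  # substitution
        previous = current
    return previous[-1]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header.

    The display name ("Assistant <...>") is deliberately ignored: it is
    attacker-controlled and is exactly what a reader tends to trust.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(from_header: str,
                    trusted=TRUSTED_DOMAINS,
                    max_distance: int = MAX_LOOKALIKE_DISTANCE) -> dict:
    """Classify a sender as 'trusted', 'lookalike', 'unknown' or 'malformed'.

    Returns the parsed domain, the closest trusted domain and its distance
    so the verdict can be logged or shown to the recipient.
    """
    domain = sender_domain(from_header)
    if not domain:
        return {"domain": domain, "verdict": "malformed",
                "closest": None, "distance": None}
    if domain in trusted:
        return {"domain": domain, "verdict": "trusted",
                "closest": domain, "distance": 0}
    closest = min(trusted, key=lambda t: levenshtein(domain, t))
    distance = levenshtein(domain, closest)
    verdict = "lookalike" if distance <= max_distance else "unknown"
    return {"domain": domain, "verdict": verdict,
            "closest": closest, "distance": distance}


if __name__ == "__main__":
    # Constructed sample headers: a genuine assistant address, the one-letter
    # lookalike from the article, a truncated-TLD lookalike and a stranger.
    samples = [
        "Assistant <assistant@emailphishing.com>",
        "Assistant <assistant@emailphishiing.com>",
        "Billing <billing@example.co>",
        "Promotions <noreply@totally-unrelated.org>",
    ]
    for header in samples:
        result = classify_sender(header)
        print(f"{header:45} -> {result['verdict']:9} "
              f"(closest: {result['closest']}, distance: {result['distance']})")
```

A lookalike verdict is a signal to hold the message for review or to show the recipient the real address next to the trusted one, not proof of fraud on its own; the threshold should be tuned against the organization’s actual correspondents so that legitimate short domains do not constantly collide.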
If you believe that you have received a phishing email on your official email address, or have already responded to one, report it to the IT department within your organization and to the concerned authority, including your financial institution or government agency.
Contact Robert Fowlie, Partner, Forensics Leader, Toronto, at 416.515.3802 or [email protected]