6 Email phishing examples: How to identify and avoid them
Without a doubt, phishing is still the most common cyber threat in the world.
Every day, three billion fraudulent emails are sent in an attempt to compromise sensitive information. In addition, according to the 2021 edition of the Phishing Benchmark Global Report, one out of every five phishing email recipients is likely to click on the embedded malicious link.
The ability to detect and avoid phishing email attempts that arrive in your inbox is a critical component of strong cyber security. To do so, you must first understand the various types of phishing emails and the warning signs to look for in each scenario. But before that, let’s first define what a phishing email is.
What is a Phishing Email?
A phishing email is a type of cybercrime that uses deception to obtain sensitive information from users and organisations.
Phishing victims are duped into disclosing information that they are well aware should be kept private. Phishing email victims typically respond without hesitation because they trust the source of the information request and believe the party is acting in good faith.
Cybercriminals will typically request the following information in a phishing email:
- Social security numbers
- Phone numbers
- Credit card information
- Home address
- Password information (or what they need to reset your password)
This information is then used by cyber criminals to impersonate the victim and apply for credit cards or loans, open bank accounts, and engage in other fraudulent activity.
Some cyber criminals use the information obtained from a phishing email to launch a more targeted cyber attack, such as spear phishing or business email compromise, which requires more information about the victim.
How does Phishing happen?
Phishing occurs when a victim responds to a fraudulent email requesting immediate action. Examples of requested actions in a phishing email include:
- Clicking an attachment
- Enabling macros in a Word document
- Updating a password
- Responding to a social media connection request
- Using a new Wi-Fi hot spot
Every year, cybercriminals improve their phishing attacks and develop tried-and-true methods to deceive and steal from their victims. According to Verizon data from 2021, hackers used the COVID-19 pandemic to increase the frequency with which phishing emails were sent out as part of cyber attacks.
Because phishing attacks can take many forms, distinguishing one from a legitimate email, voice mail, text message, or information request can be difficult. As a result, phishing simulations are an excellent way to test users’ knowledge and raise overall phishing awareness levels within organisations.
6 Examples of email phishing attacks
Phishing email attacks, like everything else on the internet, have evolved over time to become more intricate, enticing, and difficult to detect.
To successfully identify and flag suspicious messages in their inbox, all of your users must be familiar with the various forms of phishing emails.
1. Most common Phishing Emails
Phishing emails continue to account for a significant portion of the world’s yearly slate of devastating data breaches. Phishing emails are designed to appear to be from a legitimate source, such as Amazon customer service, a bank, PayPal, Dropbox or another well-known company. Cybercriminals conceal their presence in small details such as the sender’s URL, an email attachment link, and so on.
As an example, you receive an email stating that your bank account has been compromised. It contains a link directing you to what appears to be the bank’s genuine website and asks you to update your credentials as soon as possible. Little do you know that this is a scam, and after you give the necessary details, your bank account is sucked dry.
To avoid this, always take care before clicking any links or attachments in emails that you receive. As much as possible, whenever a message tells you that your account has been compromised, go to the nearest bank and ask whether it is true.
2. Spear Phishing
This more targeted phishing email attack is based on information obtained previously by a cybercriminal about the victim or the victim’s employer. Spear phishing emails typically use urgent and familiar language to encourage the victim to act quickly.
As an example, Bob receives an email saying that Rey needs his password for the company database. “Rey” (the cybercriminal) uses the words that the actual Rey would use and even calls Bob his brother, as Rey used to. Because of this, Bob believes that he is actually talking to Rey in the email and gives the credentials to the cybercriminal.
To avoid this, organisations must set up security controls and policies regarding sensitive credentials and who can access them. Organisations should also ensure that their employees are well aware of the risk of cybersecurity threats like spear phishing.
3. Fake Websites
Cybercriminals send phishing emails that include links to fake websites, such as a known mail provider’s mobile account login page, and ask the victim to enter their credentials or other information into the fake site’s interface.
To trick users, the malicious website will frequently use a subtle change to a known URL, such as mail.update.yahoo.com, instead of mail.yahoo.com.
To avoid this, users must always take care when visiting websites that ask them to enter credentials. Always check that the URL is correct, and if anything about it seems odd, do not proceed with the transaction.
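The URL check described above can be automated for HTML email bodies. The following is an added example, not code from the original article: it flags links whose visible text names one host while the link goes to another, and links whose host shares labels with a known login host without matching it exactly. The `KNOWN_HOSTS` allowlist, the function names and the sample body are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the exact hostnames users are expected to sign in on.
KNOWN_HOSTS = {"mail.yahoo.com"}
# Constructed sample email body (not taken from a real message).
SAMPLE = ('<p>Mailbox full. Sign in at <a href="http://mail.update.yahoo.com/login">'
          'mail.yahoo.com</a> or read <a href="https://mail.yahoo.com/help">help</a>.</p>')

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased hostname of a URL or bare host string, '' if there is none."""
    try:
        return (urlsplit(value if "//" in value else "//" + value).hostname or "").lower()
    except ValueError:
        return ""

def review_links(html_body, known_hosts=KNOWN_HOSTS):
    """Return [(href, [reasons])] for links that deserve a second look."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        host, reasons = host_of(href), []
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != host:
            reasons.append(f"text shows {shown} but link goes to {host}")
        if host not in known_hosts and any(
                set(host.split(".")) & set(k.split(".")[:-1]) for k in known_hosts):
            reasons.append(f"{host} is not an exact match for a known host")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Calling `review_links(SAMPLE)` reports only the first link, for both reasons; the genuine `mail.yahoo.com` help link passes.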
4. CEO Fraud
This phishing attack employs an email address familiar to the victim, such as that of the organization’s CEO or HR.
This kind of phishing email asks the victim to act quickly in transferring funds, updating employee information, or installing a new app on their computer, as if directed by the CEO. By the time the employee has done what was requested, it could be too late to recover the damages.
To avoid this, organisations must have a robust policy regarding transferring funds, updating employee information, and even installing a new app on a company computer. Ensure that at every step there are controls that prevent cybercriminals from pushing through illicit transactions, and that a request is flagged when it does not comply with the policies in place.
5. Malware attacks
Clicking an email attachment is all it takes to install malicious software on a computer or company network. These attachments appear to be legitimate, and they may even be disguised as funny cat videos, eBook PDFs, or animated GIFs.
As always, users must never click any link or email they receive in the mail, as it may contain malware that infects their computer and installs applications that run in the background and secretly record every transaction they make.
6. Man-In-The-Middle attacks
This clever phishing email attack dupes two people into thinking they’re emailing each other. However, the hacker sends bogus emails to each individual, requesting information or updating confidential corporate information. The best way to avoid this is to limit employees from using public networks when doing any confidential work.
Email phishing attacks are a real threat to organisations. Since employees are targeted by bad actors and are susceptible to becoming victims of these attacks, the organisation should have policies in place to help curb instances of an employee clicking a malicious link.
It’s best to know if your employees are at risk of being a victim of these email phishing scams. Get your free simulated email spoofing exercise from Privacy Ninja now and check if your organisation is safe from malicious actors.