
Phishing in the Dark

Aug 21, 2013

Phishing scams are one of the oldest online swindles, having been around for nearly 15 years. They come in many forms: suspicious phone calls, postal mail and email. Intended to obtain confidential information from their recipients, phishing emails typically direct unwary victims to fraudulent websites disguised to look legitimate, often nearly identical to the real site. Fraudsters want to trick their victims into downloading hidden malware or into handing over information that can be turned into cash: usernames and passwords, account numbers, Social Security numbers, etc.

With all of the news these cons generate, you'd think they would be nearing extinction. That just isn't the case. In McAfee's most recent Quarterly Threats Report, the Labs team did record a decline in phishing attacks last quarter; however, the Anti-Phishing Working Group (APWG) says the trend indicates phishing levels will return to those seen before the record-setting highs of 2012.

We all know to be extra vigilant about giving our Social Security and bank account numbers to strangers, so why are phishing scams still so successful? The answer is simple: criminals today rely on two things, mass volume and human error.

The evolution of phishing

Ten years ago, the average cyber criminal sought out flaws in software or computer hardware to gain access to valuable information. As the industry matured and stronger security measures evolved, criminals were forced to alter their approach. These days, it’s far easier to exploit human error brought on by trust, convenience and distraction. In their infancy, phishing emails were easy to spot – recognizable by their spelling and grammatical errors. Now, they’ve become far more sophisticated.

It's not just computers that are at risk: phishing scams have migrated to cell phones as well. A recent Pew survey found 91 percent of American adults have a cell phone, opening the way for attacks called SMiShing, phishing transmitted via text message. According to Ferris Research, approximately 4.5 billion spam texts were sent last year in the United States alone, 92 percent of which contained phishing scams.

As we multitask throughout the workday and try to navigate the inevitable demands of our personal lives, we become too distracted to look at the intricate details of seemingly normal emails and texts. We don’t look as closely as we should at URL addresses, email domain names, logos and graphics. Well-known company names have been used in many high-profile phishing scams in recent years, including T-Mobile, PayPal and Bank of America, among many others.

How to spot a phishing email

First and foremost, users should be wary of any email or text message from someone they don't know, especially if it asks for any type of personal or sensitive information. Cyber criminals will go so far as to copy the exact fonts and images from a legitimate company's website to make their phishing emails look real, as you will see below.

ANY time you are asked for confidential personal, healthcare, financial, employee or customer information, you should:

  • Call the company directly. Don't click on any links or use the phone number included in the email or text. Instead, call the customer service number found on the back of the membership or credit card, or go to the company's official homepage to find their help desk or customer service number.
  • In cases where you feel confident enough to click the link in the email, make sure the landing page's URL is a secure Web address (as indicated by the 'S' in https: in front of the address). HTTPS (Hypertext Transfer Protocol Secure) authenticates the Web server you are communicating with and encrypts the traffic, which protects against man-in-the-middle attacks and eavesdropping. Note the limit of this check: the certificate proves you reached the domain shown in the address bar, not that the domain belongs to the company you expect. Criminals can obtain valid certificates for lookalike domains, so HTTPS is necessary but not sufficient; the address itself still has to be right.
  • If you click through a link within an email, check the spelling and format of the URL and landing page. Cyber criminals often transpose or substitute a single letter, or swap an entire word, in a Web address (e.g. vs. ). Many times, the landing page is missing the Terms of Use, Privacy Policy and Contact Information links at the bottom of the page.
  • If you click a link and are immediately asked to download something (a coupon, an application update, an authorization form), close the window immediately and delete that email from your inbox.
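The URL checks in the list above can be applied mechanically to every link pulled out of a suspect message. The script below is an added example, not code from the original post or from McAfee; KNOWN_DOMAINS and the sample links are constructed for illustration. It goes a little beyond the single letter swap described above: it also flags domains within two character edits of a brand you use, a brand name parked in a subdomain of an unrelated domain, an '@' in the address that hides the real host, raw IP addresses, and anchor text that shows one domain while the link goes to another.

```python
from urllib.parse import urlparse

# Assumption: the domains you legitimately deal with. Build this from your own
# bookmarks or an organisational allow-list, never from the email itself.
KNOWN_DOMAINS = {"paypal.com", "t-mobile.com", "bankofamerica.com"}


def levenshtein(a, b):
    """Edit distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels ('www.paypal.com' -> 'paypal.com'). Deliberately naive:
    it mishandles suffixes such as co.uk; use a public-suffix library for real use."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_url(url):
    """Classify one link as 'ok', 'unknown' or 'suspicious', with reasons."""
    reasons = []
    parts = urlparse(url)
    host = parts.hostname or ""

    # The page's HTTPS check. Necessary, never sufficient: a lookalike domain
    # can carry a perfectly valid certificate.
    if parts.scheme != "https":
        reasons.append("not https")
    # Everything before '@' in the netloc is a username, not the host:
    # https://www.paypal.com@203.0.113.5/ really connects to 203.0.113.5.
    if "@" in parts.netloc:
        reasons.append("userinfo '@' hides the real host")
    if host.replace(".", "").isdigit():
        reasons.append("raw IP address instead of a domain")

    domain = registrable_domain(host)
    if domain not in KNOWN_DOMAINS:
        for known in sorted(KNOWN_DOMAINS):
            brand = known.split(".")[0]
            if brand in host:
                # Brand parked in a subdomain of an unrelated domain:
                # www.paypal.com.account-verify.example
                reasons.append(f"'{brand}' in host but domain is {domain}")
            elif levenshtein(domain, known) <= 2:
                # One or two edits away: paypa1.com, bankofamerlca.com
                reasons.append(f"{domain} is a lookalike of {known}")

    if reasons:
        verdict = "suspicious"
    elif domain in KNOWN_DOMAINS:
        verdict = "ok"
    else:
        verdict = "unknown"
    return {"url": url, "verdict": verdict, "reasons": reasons}


def display_mismatch(visible_text, href):
    """True when the anchor text shows one domain but the link goes elsewhere."""
    text = visible_text.strip()
    if "." not in text or " " in text:
        return False  # plain words such as 'Click here' cannot be compared
    shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
    target = urlparse(href).hostname or ""
    return registrable_domain(shown) != registrable_domain(target)


# Constructed sample: (link target, text the recipient sees) pairs.
SAMPLE_LINKS = [
    ("https://www.paypal.com/signin", "www.paypal.com"),
    ("https://paypa1.com/signin", "www.paypal.com"),
    ("https://www.paypal.com.account-verify.example/", "Verify your account"),
    ("https://www.paypal.com@203.0.113.5/login", "www.paypal.com"),
    ("http://bankofamerlca.com/", "Bank of America"),
]


def triage_links(links=SAMPLE_LINKS):
    """Run both checks over (href, visible text) pairs."""
    report = []
    for href, text in links:
        result = triage_url(href)
        if display_mismatch(text, href):
            result["reasons"].append("visible text names a different domain")
            result["verdict"] = "suspicious"
        report.append(result)
    return report


if __name__ == "__main__":
    for r in triage_links():
        print(r["verdict"], r["url"], "; ".join(r["reasons"]))
```

Only the first sample link comes back 'ok'; the other four are flagged for different reasons, which is the point: a reader skimming the visible text would accept all five. The allow-list and the edit-distance threshold of two are design choices, not rules from the page; a tighter threshold misses more lookalikes, a looser one starts flagging unrelated short domains.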

It's important for small business owners to realize that their employees are prime targets for these scams. Educate and train workers on the practices that ensure safe online behavior and on how to recognize phishing attacks.

Again, the rule of mass numbers plays in favor of cyber criminals. Of the billions of phishing emails sent each year, it only takes one employee to visit a compromised site for the entire company – and its confidential information – to be exposed.