Recently, we’ve been on the receiving end of several phishing attacks. Thanks to the vigilance of our Ducks, none have yet succeeded.
But it’s been a welcome reminder of the danger of phishing, and a good test of the process and security we have in place to defend ourselves. The attempts have included:
Emails that look like collaborative documents shared by colleagues. Emails that are apparently from me, asking team members to purchase gift vouchers on my behalf. Emails that are apparently from me, asking for people’s mobile numbers.
Some of them are pretty creative and they can also be quite convincing. Until you look more closely:
A spoof email from Danny
This email wasn’t from me and I don’t call him Rick🥲
Another fake email from Danny
This wasn’t from me and it doesn’t sound like me either.
With phishing attacks, the first line of defense for many businesses, including Cyber-Duck, is some form of email security software. In many cases, good software, properly configured, will block and trap phishing attacks before they get to your mailbox. That’s certainly the case here at Cyber-Duck. But the system is not infallible, and in many cases, it may only give you an 80% success rate.
This inevitably means that some phishing attacks will still get through and will land in people’s mailboxes.
And… another fake email from Danny
We train our team to check the ‘From’ field and to be careful clicking on links.
This is why employee training is a vital component of any businesses' defense. Ideally, training is given through a layered approach as part of the induction and competency plan. Then, it should be reinforced via company-wide refreshers and regular reminders in weekly meetings.
Phishing emails aren’t that hard to spot. Here are four red flags to look out for:
- Frequently the actual sender’s address will be inaccurate. An email purporting to be from me may well use my name, but the email address will usually be some random Gmail/Yahoo or other made-up address. This is a significant indicator that we’re encouraging people to check.
- The language used in phishing emails will be out of character too, for example calling a staff member by a different nickname or using a new tone of voice.
- The request may be unusual. Asking for money to be transferred to an account, or for you to hand over a personal mobile number or other information with no real explanation of why.
- Finally, it may request you to click a link or log in to a webpage — something you should never do as a result of an email.
This time its a spoofed phishing email from our HR team
Never log in to a webpage or service by clicking on an email — unless you’ve checked it’s legit.
One of the most important things we’re training our Ducks to do is ‘stop and check’. If they are at all unsure, get back in touch with the sender by starting a new email (don’t hit reply!), or phone them to ask. This check will quickly reveal if the email is a scam and could save the business from financial loss and embarrassment.
While security software offers some protection, there is no substitute for well-trained, vigilant staff — they’re a critical line of defense.
Also published on https://danny-bluestone.medium.com/phishing-attacks-watch-out-for-these-four-red-flags-e0a6634be976