Aberdeen Cyber Security - Email Phishing Techniques

Top 3 Most Common Email Phishing Techniques

I’m sure you’ll agree with me when I state that receiving scam and phishing emails is almost a daily occurrence in 2019. No matter how good your IT system is, cyber criminals are always finding better ways to bypass IT security systems. As such, email phishing is the new norm.

The following article will outline the top three most common email phishing techniques cyber criminals use so you know what to look out for and are not caught out.

Number three is something you should make your colleagues and associates aware of, particularly because it’s becoming more common and becoming a victim of this attack is highly likely.

1 – Spoofing

Email spoofing is when a cyber criminal sends out a mass email to an extensive list of email addresses pretending to be from another sender.

An excellent example of this which we see regularly is emails that have been designed to appear to come from well-known technology companies.

These might include:

  • Microsoft Office 365
  • Apple ID Login
  • Amazon
  • Google
  • Adobe

Below you can see a perfect example of a spoofed email from what appears to be Office 365.

[Image: spoofed email that appears to come from Office 365]

The only way to know whether this email is legitimate is to look closely at the sender’s email address. The example above shows the sender's domain as office-365.com, which is not a domain owned by Microsoft.

That’s the first error.

The second is the “resolve issue now” button. Hovering over this link will reveal the URL that the link will take you to. It is essential to check all links manually before you click; by doing this you can avoid falling victim to this technique.

2 – Cloned Website

A cloned website is usually the second part of a spoofed email. When you click a malicious URL in an email, it will take you to a page that looks like a genuine login screen for an online service you may use. These cloned websites are easily created by cyber criminals and can be replicated to many website domains. Again, the only real way to know if it is an official website or not is by checking the URL in the address bar. So if you are in doubt, it’s worth raising a support ticket with your IT provider or department.

Many online services now attempt to block malicious websites once reported. Both Google & Microsoft have services which monitor and will warn if you are visiting a malicious website. However, this feature does not detect all malicious websites, so again check with your IT provider.

3 – Manual Phishing / Smart Attack

Smart attacks can come in many forms, and it can leave you second-guessing yourself. An example of a smart attack is an email sent to HR just before payroll was about to be run. The email appeared to be from a senior director in the company.

The email instructed HR to update his personal bank details for payroll. The email itself looked legitimate, and the only thing that stopped the instruction going through was the HR manager, who asked the senior director to confirm. This attack was so smart that there’s no real way for software or systems to overcome it. As such, it’s essential that staff are aware of the threats that can come in many forms from email.

If you would like to schedule cyber awareness for your staff and learn more about common email phishing techniques, please contact Aberdeen Cyber Security on our contact page here.