December 5, 2018

What is Phishing?

Phishing is a social engineering tactic in which a malicious actor uses online communication (email, text message, or instant messaging) to deceive you into giving out sensitive information, such as banking details or the passwords that protect them. Typically, the messages pretend to come from well-known and trustworthy web sites or high-ranking authority figures.

  • Do not click on links, download files, or open attachments from unknown senders.
  • Always confirm abnormal requests with the sender via an alternative method of communication.
  • Always follow company procedures for guarding sensitive information or making payments, no matter who is requesting. Don't have a policy already?
    • Consider implementing a policy that all money transfers and payments must be confirmed via telephone.
    • Consider prohibiting the sending of any sensitive information like employee or customer information via email.
  • Be cautious of email that:
    • Comes from unrecognized senders.
    • Asks you to confirm information.
    • Tries to frighten you into acting quickly.
  • Identify suspicious messages by looking for the following:
    • The sender’s email address is similar to, but not identical to, yours or a partner organization’s (like @scy11agroup.com instead of @scyllagroup.com, or @linkeIN.com instead of @linkedIN.com). It is often something small that may not be noticed at first glance.
    • The email contains an external link whose address is suspiciously similar, but not identical, to one you use (like https://outlook.micrsoft365.com instead of https://outlook.office365.com). When in doubt, use your saved favorites to access a website instead of clicking the link.
    • The sender claims to be an executive or an employee, but the email is sent from an external email address (like @gmail.com or @outlook.com).
    • The email contains attachments and is from an individual you are not acquainted with.
    • A message appears to be an internal company announcement, but is sent only to you instead of to groups of people or distribution lists (e.g., allstaff@scyllagroup.com).
  • Enable TWO-FACTOR AUTHENTICATION on your banking, email and personal accounts. That way, obtaining your password alone isn't enough to access your accounts. We can help you set this up.
  • It is OK to ask if you aren't sure that something is right. It is always better to reach out to your IT Support group or colleagues when in doubt.
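
As an added illustration (not part of the original page or The Scylla Group's material), the following Python script applies the checklist above to a raw email: it flags sender domains that differ from a trusted domain by a character or two or by digit-for-letter swaps, known staff names writing from an external address, and links whose host is not one of the sites you use. The trusted domain list, the staff name and the sample message are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed lists for this example; a real deployment would load them from policy.
TRUSTED_DOMAINS = {"scyllagroup.com", "office365.com", "linkedin.com"}
STAFF_NAMES = {"pat morgan"}  # constructed executive name, not a real person
LOOKALIKE_CHARS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})  # digit-for-letter swaps

def registrable(host):
    return ".".join(host.lower().strip(".").split(".")[-2:])  # outlook.office365.com -> office365.com

def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the typical typo-squat (linkein vs linkedin)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    dom = registrable(host)
    if dom in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if dom.translate(LOOKALIKE_CHARS) == trusted or edit_distance(dom, trusted) <= 2:
            return trusted
    return None

def flag_message(raw):
    """Return the warnings the checklist above raises for one raw email message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    hit = lookalike_of(domain)
    findings = [f"sender domain {domain} resembles {hit}"] if hit else []
    if name.lower() in STAFF_NAMES and registrable(domain) not in TRUSTED_DOMAINS:
        findings.append(f"'{name}' claims to be staff but writes from external {domain}")
    body = "" if msg.is_multipart() else msg.get_payload()
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if registrable(host) not in TRUSTED_DOMAINS:
            hit = lookalike_of(host)
            findings.append(f"external link {host}" + (f" resembles {hit}" if hit else ""))
    return findings

SAMPLE = ("From: Pat Morgan <pat.morgan@yahoo.com>\nTo: you@scyllagroup.com\n\n"  # constructed sample
          "Reconfirm your password at https://outlook.micrsoft365.com/login today.\n")
```

Running `flag_message(SAMPLE)` returns two warnings: the staff name writing from yahoo.com and the external link to outlook.micrsoft365.com.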

Examples of Phishing

  1. This email is specifically targeted at an employee and asks for information on electronic wire transfers. On closer inspection, you can see that the email is sent from ev.achen@yahoo.com instead of an official email address of your organization. You should confirm the request with the sender via another means of communication (not email).
    [Image: phishing email example]
  2. This email claims to be a system message warning you of suspicious activity on your account. It is carefully crafted to look like a valid message and even includes a fake banner that says the message is from a trusted source (circled). However, there are two things to notice in this message that are immediate signs that it isn't valid (highlighted in yellow).
    1. The From address is clearly not a real company address.
    2. The address that the "Reconfirm Password" link points to does not go to a company server.
      If ever in doubt, confirm with your IT Support group (540-773-3570 option 1).
      [Image: phishing email example verification]
  3. This email contains an attachment that claims to include updated settings for Microsoft Outlook. However, the attachment is actually malware designed to compromise your computer and steal your passwords. You should confirm the request directly with your IT Support (540-773-3570 option 1).
    [Image: phishing email example attachment fraud]
  4. Sometimes malicious actors will take additional steps to trick you into slipping up. For instance, they may send an email similar to those above and wait. If you do not respond within a couple of days, they may call you pretending to be part of the IT department and reference the email sent previously to encourage you to open it and unknowingly install malware on your computer. When in doubt, tell the caller you will call them back, then dial your IT Support group yourself.

You can read more on how to recognize email scams at https://www.us-cert.gov/sites/default/files/publications/emailscams_0905.pdf.

This material is provided by The Scylla Group, Inc. for use by our clients and customers of Trend Micro Antivirus and Security products. Some content was supplied from Trend Micro provided Phishing Awareness Training via a corporate partnership.