Top 5 Signs It’s a Phishing Scam (and Tips to Protect Yourself) 

Julie Butterfield April 18, 2023

While the internet is a powerful tool that connects us with one another and helps us share information, it’s also a perfect tool for criminals to conduct phishing scams. 

Phishing remains the top social-engineering infection vector, according to IBM’s 2022 Cost of a Data Breach Report. But what cybercriminals are after might surprise you.  

It used to be your credit card information they’d try to steal most often, and they still want that. But more and more, it’s your email addresses and names they’re going to try to get from you.  

“Emails grant easy access to cast a wide net for phishing,” said 360 Advanced’s Pentesting Practice Manager, Bryan Martin. “The more you have, the more potential targets there are. Having the end user’s name that is associated with that email can help them to gain trust.”

How does phishing work?
When attackers send an email, they’re trying to get people to click in an attempt to see who takes the bait.  

“In some cases, the attacker will interact directly with the end user to gather as much information as possible or to send additional malicious content once trust has been gained,” Martin said.  

Attachments in a phishing email are the top access vector, according to IBM’s report. While links are still used to gain access to your systems, attachments have gained steam and are 11% more common.

Martin shared some easy ways to spot if it’s a legitimate email or a phishing scam.  

Signs it’s phishing:

  1. Emails with a sense of urgency that you weren’t expecting, such as requests for information, requests for document review, attachments that require authorization to view, etc.
  2. Emails that do not line up with the account you are signed in under, such as social media alerts or updates for which you never used that email address.
  3. Sender is not someone that would normally email you this type of content or even interact with you, such as a CEO contacting a lower-level employee when there is a valid chain of command in place.
  4. Sender is unknown, sender email does not match the sender’s name, sender email domain does not match where it is saying it is coming from, and the signature blocks are missing.
  5. Formatting or grammatical errors in the email. 
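Signs 1 and 4 can be checked mechanically before a message ever reaches a person. The following checker is an added example, not code from the article or from 360 Advanced; the two sample messages, the `.invalid` domains, and the trusted-domain set `{"example.com"}` are constructed for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not from the article); .invalid domains are reserved.
LEGIT = """\
From: Alice Example <alice@example.com>
To: bob@example.com
Subject: Q3 report for review

Hi Bob, the Q3 report is attached for your review next week.

Alice Example
Finance, Example Corp
"""
SUSPECT = """\
From: Example Corp Billing <billing@exampl3-corp.invalid>
Reply-To: collect@freemail.invalid
To: bob@example.com
Subject: URGENT: invoice requires immediate approval

Open the attached invoice. Authorization required to view.
"""
URGENCY = ("urgent", "immediate", "action required", "authorization required")

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def phishing_signals(raw, trusted_domains):
    """Return the sign-1 and sign-4 indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    signals = []
    if from_domain not in trusted_domains:
        signals.append("sender-domain-untrusted")
        # Display name borrows a trusted organisation's name while the address does not.
        if any(d.split(".")[0] in name.lower() for d in trusted_domains):
            signals.append("display-name-impersonation")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        signals.append("reply-to-mismatch")
    if any(w in (msg.get("Subject", "") + " " + body).lower() for w in URGENCY):
        signals.append("urgency")
    # Crude signature check: the sender's display name should reappear in the body.
    if name and name.lower() not in body.lower():
        signals.append("missing-signature-block")
    return signals
```

Calling `phishing_signals(SUSPECT, {"example.com"})` returns five flags, while the legitimate message returns none; in practice such heuristics feed a mail gateway or triage queue rather than replace the reader's own judgement.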

“Phishing can lead to something as simple as showing an attacker you will in fact click on anomalous emails, all the way to credential compromise, full system takeover, malware, or ransomware,” Martin said.  

Top tips to safeguard against phishing
“It’s very common to get in a mode of checking emails, clicking through, and getting on with our day,” Martin said, “but diligence and attention to detail are the two best security features an end user can apply.”

Martin’s best practices for protecting against phishing include:  

  • Review the email sender, subject, and body preview for discrepancies. 
  • If you are unsure of the sender, contact IT and let them know you have received a suspicious email. 
  • Never respond to or forward a suspected phishing email because that can lead to additional interactions and put others at risk. 
  • Never try to retaliate with the attacker; if you attempt to make it personal, they will do the same. 
  • Always report phishing attacks immediately. 
  • Consider penetration testing, a simulated attack against your systems’ infrastructure and security controls to target, identify, and provide clear steps to remediate vulnerabilities. 

Penetration Testing
360 Advanced’s team of ethical hackers assesses the security of your IT systems with simulated real-world attacks and identifies security risks so you can improve the risk posture of your organization. Penetration testing with 360 Advanced helps protect against the ever-evolving threat of phishing scams.

Watch our webinar “How Penetration Testing and Simulated Phishing Thwart the Bad Guys” to gain insights for effective phishing and social-engineering countermeasures.