Helpful and Important Information about Spoofing, Phishing, and Spear Phishing
There are a few different types of spoofing that spammers have been using. With the growing problem of phishing and spear-phishing, we wanted to offer some helpful information that will hopefully keep your mail server, network, and customers safe.
1. [Legit FROM name here (legit-user-email-here@legit-domain.com)] - To prevent spoofing of your own domain, set up SPF / DMARC / DKIM records for each of your domains in DNS.
2. [Legit FROM name here (spammer@spammer-domain.com)] - Preventing FROM-name spoofing from another domain is harder because, as in this example, how would software know that this is an invalid address? The display name is legitimate-looking, but the address behind it belongs to a domain you do not control, so your own SPF / DMARC / DKIM records do not apply. Below are some solutions:
A. Add another layer of security. Message Sniffer will catch most of these, but the ones that get through are the ones for which Message Sniffer did not yet have the spoof signature. This is the problem with all signature-based security products. Adding a layer means that a second security product can catch the unwanted email the first one missed. If you add one, our first suggestion would be CYREN antispam, as it is signature-less and works on traffic patterns. Again, an extra layer helps, but the question becomes cost vs. return.
B. We can use Declude to block terms or similar.
C. User training. At the end of the line, the user is the weak part of the chain. To fix this, users need to be able to identify phishing attempts. Here are some companies that help with that:
www.knowbe4.com
www.ataata.com
www.wombatsecurity.com
https://www.webroot.com/us/en/business/security-awareness
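As an added illustration of item 1 above (not part of the original article), here are the three DNS TXT records for a hypothetical domain example.com. The IP range, the include: target, the DKIM selector name "mail1", the public key and the reporting mailbox are all placeholders to be replaced with your own values:

```dns
; SPF: only the listed hosts may send mail as example.com (placeholder addresses)
example.com.                  IN TXT "v=spf1 ip4:203.0.113.0/24 include:_spf.example-mail-provider.com -all"

; DKIM: public key for the signing selector "mail1" (placeholder key, truncated)
mail1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...PLACEHOLDER..."

; DMARC: reject mail that fails SPF/DKIM alignment and send aggregate reports
_dmarc.example.com.           IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
```

A common rollout is to publish DMARC with p=none first, read the aggregate reports for a few weeks to find every legitimate sender of your domain, and only then move to p=quarantine and p=reject. Note that these records only protect mail whose From address uses your domain; they say nothing about a message whose display name looks like one of your users but whose address is at spammer-domain.com, which is exactly the case in item 2.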
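One way to implement the "blocking terms or similar" idea from item 2 in code, as an added example that is not from the original article and not code from Message Sniffer, CYREN or Declude: a small Python filter that flags a From: header when the display name either embeds an address from one of your domains or matches the name of one of your protected users while the real address is somewhere else. The protected domain, the list of names and the sample headers are constructed placeholders.

```python
"""Flag display-name (FROM-name) spoofing against a list of known internal senders.

Added example; not part of the original article. PROTECTED_DOMAINS,
PROTECTED_NAMES and SAMPLE_HEADERS are constructed placeholders.
"""
import re
import unicodedata
from email.utils import parseaddr

# Domains we own; mail from these is judged by SPF/DKIM/DMARC instead (placeholder).
PROTECTED_DOMAINS = {"legit-domain.com"}
# Display names worth protecting, e.g. executives and finance staff (placeholder).
PROTECTED_NAMES = {"Legit FROM name here", "Jane Doe"}

# Matches an email address written inside the display name, capturing its domain.
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def normalize(name):
    """Fold case, strip accents and punctuation so 'JANE  Doe' and 'jane doe' compare equal."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(re.findall(r"[a-z0-9]+", text.casefold()))


def classify_from(header_value, domains=PROTECTED_DOMAINS, names=PROTECTED_NAMES):
    """Classify a From: header value.

    'internal'     - address is on one of our domains (item 1 records decide)
    'spoofed-name' - display name impersonates our domain or one of our users,
                     but the address domain is somewhere else (item 2 case)
    'external'     - ordinary mail from another domain
    'malformed'    - no usable address in the header
    """
    name, addr = parseaddr(header_value)
    if not addr or "@" not in addr:
        return "malformed"
    own = {d.casefold() for d in domains}
    addr_domain = addr.rpartition("@")[2].casefold()
    if addr_domain in own:
        return "internal"
    # Case A: an address from our domain pasted into the display name.
    for match in EMBEDDED_ADDR.finditer(name):
        if match.group(1).casefold() in own:
            return "spoofed-name"
    # Case B: the display name is one of our protected people.
    if normalize(name) in {normalize(n) for n in names}:
        return "spoofed-name"
    return "external"


def flagged(headers):
    """Return the subset of headers whose verdict is 'spoofed-name'."""
    return [h for h in headers if classify_from(h) == "spoofed-name"]


# Constructed sample headers mirroring the two cases in the article.
SAMPLE_HEADERS = [
    "Legit FROM name here <legit-user-email-here@legit-domain.com>",
    "Legit FROM name here <spammer@spammer-domain.com>",
    '"Jane Doe (jane.doe@legit-domain.com)" <spammer@spammer-domain.com>',
    "JANE  DOE <jane.doe@lookalike-mail.example>",
    "Newsletter <news@vendor.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_from(header):13s} {header}")
```

Case A is the cheap check a term-based filter can do (an "@your-domain" string inside the display name); case B needs a directory of names and will also flag genuine external mail from someone who happens to share a protected user's name, so the sensible action is to tag or quarantine such messages rather than silently drop them.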
Here is some additional info you can use or share with your customers:
What’s the difference between Phishing and Spear Phishing?
Phishing emails are sent to the general public. They often impersonate a government agency, bank, the IRS, social networking site, or store like Amazon.
Spear Phishing emails target specific individuals. They are personalized with facts about you or your business to draw you in. Do they appear to come from a company or person you do business with? It could come in the form of an email from your CEO.
A Phishing or Spear Phishing Email:
• Is one that you didn’t initiate.
• May contain strange URLs and email addresses.
• Often uses improper grammar and misspellings.
• Typically contains attachments that you don’t recognize as legitimate.
• Contains a link or email address that you don’t recognize.
• May use language that is urgent or threatening.
Phishing and Spear Phishing are popular among cybercriminals because they usually succeed. Ten messages have a better than:
• 90% chance of getting a click.
• 8% chance of users clicking on an attachment.
• 8% chance users will fill out a web form.
• 18% chance that users will click a malicious link in an email.
Even high-level executives get spoofed and share usernames and passwords.
The average cost of a Phishing Scam is $1.6 million. It’s a top security concern for businesses today:
• 1 in 3 companies are affected.
• 30% of Phishing emails get opened.
• Phishing is now the #1 vehicle for ransomware and other forms of malware.
Prevent being a victim of phishing or spear phishing. Here are eight essential things to remember:
1. Stay informed about phishing techniques. Different phishing scams are being sent out every day. On-going security awareness training should be a top priority for your organization.
2. Think before you click a link. Don’t click on links in random emails or text messages. Hover your mouse pointer over a link to see where it actually leads before you click. Most phishing emails begin with “Dear Customer,” so watch out for these. Verify the website’s phone number before placing any calls. Remember, a secure website always starts with “HTTPS,” although HTTPS alone does not prove that a site is genuine.
3. Never divulge personal information requested by email, such as your name or credit card number. Typically, phishing emails will direct you to a web page to enter your financial or personal information. When in doubt, visit the main website of the company in the email and give them a call. (A secure website always starts with “HTTPS”.) And never send sensitive information in an email to anyone.
4. Consider installing an anti-phishing toolbar and security tools. Some Internet browsers offer free anti-phishing toolbars that run quick checks on the sites you visit. If a malicious site shows up, the toolbar will alert you. They will drastically reduce the chances of hackers and phishers infiltrating your computer or your network.
5. Never download files from suspicious emails or websites. Double-check the website URL for legitimacy by typing the actual address into your Web browser. Check the site’s security certificate. Also, beware of pop-ups, as they may be phishing attempts. Your browser settings allow you to block pop-ups and then allow them on a case-by-case basis. If one gets through, don’t click on the “cancel” button, as this is a ploy to lead you to a phishing site. Click the small “x” in the upper corner of the window instead.
6. Get into the habit of changing your passwords often. You can also use a password manager like Dashlane or LastPass that will automatically generate and insert new, hard-to-crack passwords for you.
7. Regularly check your online bank and credit card accounts. To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check every entry carefully to ensure no fraudulent transactions have been made without your knowledge.
8. Update your browsers to the latest version. Security patches are released in response to the vulnerabilities that phishers and hackers exploit. Don't ignore messages to update your browsers and download the updates as soon as they’re available.