THE ANATOMY OF A PHISHING EMAIL
It's the start of February…and that means for this month's Security Awareness theme we'll focus on everything you need to know about "phishing" in order to stay safe. Namely, our news articles, infographics, videos, webinars, and contests will teach you how to identity and avoid phishing scams throughout 2021.
The importance of recognizing phishing emails cannot be stressed enough. Several of the high profile cyber-attacks and data breaches we see in the news have originated from a phishing email that has fooled an employee into sharing their username and password; which ultimately allowed the bad guys to wreak havoc on their company's computer systems.
Phishing emails are scams designed to trick us into sharing sensitive information with a cybercriminal, such as our username and password or downloading malicious software (i.e. malware).
Did you know?
Cybercriminals are sending bogus phishing emails, texts and robocalls offering BC residents an opportunity to sign up for a COVID-19 vaccine. This is a scam designed to steal your personal and financial details! For accurate and up-to-date information on the vaccine rollout throughout BC, please refer to: http://www.bccdc.ca/health-info/diseases-conditions/covid-19/covid-19-vaccine.
Check out this infographic to see the six signs that an email is a phish!
The themes of phishing emails vary, but the anatomy of a phish often follow the same pattern. Here are five (5) tactics cybercriminals use to trick us into clicking on a link or opening an attachment via a phishing email.
- Complete an Action: "Download this critical security update!" This language directs us to click on a link or open an attachment in order to perform a "critical" action. However, the cybercriminal's real goal here is to trick us into installing malicious software onto our device in order to take control of it. If the install is successful, they will have access to our device and all of our data.
- Time Constraints: "I need this completed by 2pm TODAY!" The language used here can incite panic causing us to open that attachment or click on that link in fear of missing the "deadline". This email may even appear to come from our direct manager, making the demand "complete it by 2PM TODAY" more plausible.
- Emotional Appeals: "Reserve Your COVID-19 Vaccine Today". Language like this can cause alarm and panic in our minds, encouraging us to react without thinking. The cybercriminal may provide a link within the body of the email that, if clicked, takes us to a login page of a fake website that looks very similar to a site that we visit on a regular basis.
Normally that would be out of the ordinary. Why would we have to log into our email to reserve a vaccine? Unfortunately, when we are in a heightened state of anxiety, we do not think logically. But, if we do enter our email credentials (i.e. username and password), they will be sent directly to the cybercriminal.
- Asking for help: "Please help baby Jayden get a heart transplant!" This language appeals to our human traits of compassion, guilt, or social responsibility. Emails like these often ask us to make a charitable donation. If we proceed and provide our credit card information, not only does the cybercriminal have our "donation" but our credit card number as well. Double whammy!
- Enticing Curiosity: "Here's the updated 2019 Employee Salary List". Language like this can pique our curiosity and tempt us to click on a link or open an attachment; especially if we believe we have lost or gained something of importance (e.g. our salary).
As you can see, cybercriminals use an array of tactics to fool us into falling for a phishing email. The first preventative step is to identify the suspicious email when it arrives in your inbox. To see what other phishing emails are out in the wild, check out the latest COVID-19 scams.
Next week, we will discuss steps you should take to protect yourself from falling for these malicious emails. We'll also have a contest you can enter to win prizes. Stay tuned!
And the Winner is???…
Last week, dozens of names were entered into a prize draw "Password New Year's Resolution Challenge". Thank you to all of you who participated. Great job! The winner of that draw is...
If this is you, firstly, CONGRATULATIONS and secondly, please email us your work address so we can mail your prize there. More contests to come, so stay tuned!
Written by Joseph Tesoro, education awareness specialist, security awareness program and Sabrina Young, education awareness specialist, information security.
If you need to reach PHC’s Infection Prevention and Control Team (IPAC), please call local 69357. Do not contact individual IPAC team members.