What Is a Phishing Email?


Nowadays, no one falls for the “Nigerian Prince” email scam. No one, not even my 85-year-old grandmother! After all, we are intelligent individuals who learn from our own (and others’) mistakes. But phishing scams have become much more complex and advanced in recent years.

Modern phishing emails are carefully designed using extensive analysis and sophisticated hacking strategies, and they can easily manipulate a recipient who is not vigilant.

According to the FBI, the total loss from phishing attacks in 2019 was more than $3.5 billion.

We’ll go over the subject of phishing emails in depth in this post. The content includes a range of recent real-life examples, as well as information on the types of scams carried out via phishing emails and how to protect your company (and yourself) from them.

What Is a Phishing Email?

A phishing email is a fraudulent email sent to defraud the recipient or persuade them to do something they shouldn’t. To deceive the recipient, attackers send phishing emails impersonating someone else.

Cybercriminals use psychological coercion to convince victims to disclose financial or personally identifiable information (PII), login credentials, trade secrets, sensitive company details, and so on, or to wire money to the attacker’s bank account.

They could send an email posing as:

  • Your employer/colleague
  • A company you trust
  • A reputable educational institute
  • A recruitment agency/job board
  • The local or federal government
  • Friends/relatives/spouse
  • Your bank/financial institution

Phishing can take many forms, including voice phishing (also known as vishing), SMS phishing (also known as smishing), HTTPS phishing, watering hole phishing, and so on. One of the most popular phishing tactics used by attackers to carry out various online scams is email phishing, also known as email spoofing.

5 Phishing Email Examples to Avoid

Let’s look at the various types of scams that are usually carried out using phishing emails now that we know what a phishing email is. We’ve put together a few phishing email examples to help you with this.

Example 1: Charity Scams

The perpetrator of this form of phishing attack sends phishing emails asking for donations for different fundraising efforts, as the name implies. They share tragic emotional stories and graphics of people who are plagued by illness, hunger, famine, or other social issues. Cybercriminals also run fundraising campaigns for natural disasters such as earthquakes, flooding, and cyclones.

Needless to say, all of these campaigns are fraudulent, and any funds donated will only go into the pockets of the scam artists.

These phishing emails may include trojans, viruses, malicious attachments, or links that lead you to a spammy website.

Example 2: Employment and Recruitment Scams

This is a type of scam in which scammers pose as legitimate company recruiters in order to trick you into sharing personal details or transferring funds. Many channels are used in recruitment scams, such as job websites, phone calls, text messages, and so on. However, phishing email is the most common channel for recruitment scams (58 percent).

As part of a bogus recruiting process, the scammers send phishing emails directly to their targets’ email addresses.

They request information from job seekers, such as:

  • SSN for tax purposes,
  • PII for running a background check/credit check,
  • bank account information for depositing salary in the future.

The attackers can also request money from the victims for a variety of reasons, such as purchasing online training materials or software.

Since the phishing emails are well-crafted, using the original company’s logo and text format, job seekers fall into the trap.

Example 3: Customer Support Scams

In this form of fraud, the criminal sends phishing emails impersonating customer service representatives for well-known organisations such as travel industry firms, financial institutions, ecommerce companies, technology companies, or virtual currency exchange companies.

They offer to assist victims in resolving problems such as

  • removing a virus from a computer,
  • updating their PII on the system,
  • adding new services to their current account,
  • renewing the software licence, etc.

They ask victims to provide their PII, login credentials, financial information, etc., or ask them to click on spammy links or download malicious attachments.

Example 4: Corporate Communication Scams

Attackers can send phishing emails pretending to be your boss, colleague, or any other important company stakeholder, such as a lawyer, tax officer, or accountant.

These types of communications are known as business email compromise (BEC) or email account compromise (EAC) scams. In 2019, the Internet Crime Complaint Center (IC3) registered almost 24,000 BEC reports, resulting in a loss of over $1.7 billion for the organisations.

In order to carry out these types of scams, the attacker typically spends time collecting the names, titles, and email addresses of key employees and stakeholders.

Popular BEC examples include:

  • A phishing email that appears to be from the IT department, demanding that you download new apps.
  • When an employee’s email address is compromised, the attackers can request that human resources or the payroll department change the bank account details into which the employee’s salary is deposited. Obviously, the new bank account belongs to the attacker. Companies that are heavily involved in online wire transfers of funds are more likely to be affected by such scams.
  • Take a look at this screenshot of an email I recently received. The sender poses as John Tuncer, one of my colleagues, and demands my phone number! However, phishing emails can be easily identified by checking the sender’s email address and noticing their peculiar typing style.

Example 5: Financial Institution Scams

Another form of BEC/EAC attack includes sending phishing emails impersonating a financial institution, such as a bank, credit card company, investment company, brokerage company, pension fund, or mortgage loan company.

The emails are built to look like authentic emails from a company. To make the emails look official, they typically use the company’s logo, font types, and colours.

Usually, these emails will ask you to:

  • Click on a link that takes you to a malicious website (which might look exactly like the original institution’s website).
  • Reply with your PII or financial details, or download an attachment.

So, what are some signs that this email is a phishing scam?

  • The sender’s email address is not one affiliated with Wells Fargo.
  • The email has an odd sense of urgency.
  • Even though the Wells Fargo domain in the email appears to be genuine, hovering your cursor over it reveals that it redirects to an unknown website.

These forms of phishing attacks became common in 2014, when a hacker impersonating JPMorgan sent out bulk emails encouraging recipients to click on a link to read a secure message. When users clicked the link, the Dyreza banking Trojan began to download onto their computers!

The Motives Behind Phishing Emails

Although it’s easy to believe that phishing emails are sent purely for financial benefit, phishing emails are also used for other purposes. Let’s try to find out what the attackers’ goals are:

  • They’re after your cash. Phishing emails trick recipients into sharing their payment card numbers or bank account information, which is then used to make money. Victims are often duped into sending money to the perpetrator’s bank account via wire transfer.
  • They’re looking for information that can be used to identify you. Phishing emails often persuade recipients to share personally identifiable information (PII), such as their phone number, physical address, and social security number (SSN). This PII is used to carry out identity theft crimes (for example, opening a bank account or applying for a loan in another person’s name). Alternatively, the information may be sold on the black market.
  • They want to spread malware. The attacker wants you to click on a link or download software that will infect your machine with malware. This malware can lock down the device and its files and hold them hostage, with the intruder demanding a ransom to restore access. It can also allow an intruder to take control of your computer remotely, invading your privacy and stealing your sensitive files and other information.
  • They’re trying to discredit your name. In some cases, the attacker sends phishing emails in your name (or the name of your company) with the intent of tarnishing your reputation and prompting the victims to take action against you. This is also known as a Joe job.
  • They have a political agenda or a political target in mind. Government-sponsored hackers have been known to send phishing emails in order to obtain sensitive political information, intellectual property, or personally identifiable information (PII) of people from other countries. These phishing attacks are a type of cyber espionage carried out by the government.

OceanLotus, a Vietnam government-sponsored organisation, is one example of a group behind such attacks. It sends spear-phishing emails containing macros to international diplomats and foreign-owned businesses in Vietnam. Once enabled, the macro runs malicious payloads on the victim’s computer.

9 Tips: How to Stop Phishing Emails & Prevent Yourself from Becoming a Victim

You have no control over who sends you phishing emails. However, you can cultivate a vigilant attitude and avoid becoming a victim by following the tips below.

  • Check the email address of the sender. Always read the email address of the sender. Employees from reputable organisations typically send emails from an address on the organisation’s own domain. It’s a red flag, for example, if anyone claims to be a Wells Fargo official representative but sends you an email from a Gmail/Yahoo/Hotmail email address or some other odd address. Official Wells Fargo emails will be sent from an address that ends with “@wellsfargo.com.”
  • Don’t overlook the mistakes. Don’t disregard any spelling or grammatical errors, odd tone, punctuation errors, or a sense of urgency. Legitimate businesses do not usually send such sloppy emails.
  • Take a look at the links. Always check where any links given in emails lead by hovering your cursor over them.
  • Before you get hired, don’t give out any personal details or financial information. Before hiring you, no legitimate organisation will ask for your Social Security number, tax information, physical address, bank account numbers, or payment card information, among other things. So, unless you attended the interview in person or by video call, don’t send any personal information to a recruiter via email.
  • Make direct communication with the contact via official channels. If you suspect an email from someone you know, such as a colleague, parent, or acquaintance, contact them directly before taking any of the actions recommended in the email. Note: To contact them, use alternate contact details (not the one mentioned in the alleged phishing email)!
  • Improve your “human shield” by offering instruction. Cyber-awareness training should be given to your staff.
  • Make use of email signing certificates. To secure your company and its stakeholders from phishing emails, always use email signing certificates. An email signing certificate enables the sender to add a digital signature to all outgoing emails and to encrypt the contents of those emails. The signature assures your recipients that the email is from you or a legitimate company employee, and that it is in the same condition as when it was sent.
  • Set up security protocols for email. Set up email authentication protocols, including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
  • Phishing scams should be reported to authorities as soon as possible. If you are a victim of phishing emails, go to www.ic3.gov and ftc.gov/complaint to file a comprehensive complaint. You may also contact reportphishing@apwg.org with your phishing complaint.
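
The three warning signs listed for the financial institution example (an unaffiliated sender address, urgent wording, and a link whose visible text names one site while it opens another) correspond to the first three tips above and can be checked mechanically. The following Python is an added example, not code from the original article; the sample message, the `.example` placeholder domains, the urgency keyword list, and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample message; the non-wellsfargo.com domains are placeholders.
SAMPLE = """\
From: "Wells Fargo Support" <alerts@wellsfargo-secure.example>
Subject: URGENT: verify your account
Content-Type: text/html; charset="utf-8"

<p>Sign in at <a href="http://login.unknown-site.example/wf">www.wellsfargo.com</a></p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def in_domain(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)  # exact or true subdomain

def phishing_signs(raw, expected_domain):
    msg, findings = message_from_string(raw), []
    addr = parseaddr(msg.get("From", ""))[1]
    if not in_domain(addr.rpartition("@")[2], expected_domain):
        findings.append(f"sender not at {expected_domain}: {addr}")
    # Illustrative keyword list (an assumption); tune it for real mail.
    if re.search(r"\b(urgent|immediately|act now)\b", msg.get("Subject", ""), re.I):
        findings.append("urgent wording in subject")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        host = urlparse(href).hostname
        if shown and not in_domain(host, shown.group(0).removeprefix("www.")):
            findings.append(f"link shows {shown.group(0)} but opens {host}")
    return findings
```

Matching on the dot-prefixed suffix in `in_domain` is what stops a lookalike such as `wellsfargo-secure.example` from passing as the real domain.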

Final Thoughts

We hope that in the future, when you hear the term “phishing email,” you don’t think of that “Nigerian prince.” Take phishing emails seriously, be on the lookout for them, and train your staff to spot them.

Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards & w-se. Previously, he worked as a security news reporter.