Paessler Blog - All about IT, Monitoring, and PRTG

The 3 Levels of Phishing and How You Can Convince Your Colleagues Not to Become Prey

Written by Brandy Mauff | Apr 12, 2017

Back in the day, all it took to lure someone into emptying their pockets was an email from a Nigerian prince. Today, scammers have a much harder time with that particular story: people are used to these emails, and most of them land unopened in the spam folder. But don't be deceived. Scammers are more active than ever and even keener on tricking you into handing over valuable personal information by posing as a trustworthy source. This tactic is known as phishing, and it has proven very successful, so year after year they up the ante, adding new variations here and there. Let's go over the three levels of phishing.

Level 1

Also known as:
phishing, deceptive phishing

Description:
A scam where an email that looks like it comes from a reputable source is sent to a target with a request for information, a link to click, or an attachment to open. Typically the target is asked to verify their account information, make some kind of payment, or log in to a website.

Characteristics:

  • can have a generic greeting instead of a personalized one
  • contains a warning of some kind telling you that you need to act immediately OR ELSE
  • the hyperlink may start with http instead of https (but don't treat https as proof of anything: scammers can get a certificate for their own domain just as easily as your bank can)
  • clicking the hyperlink takes you to a website that looks and feels like the real deal, but if you hover over the link before clicking, you will see that it points to a totally different domain than the link text suggests, like the link in the following example

Example:

Dear Online Banking Customer,
You might be at risk of fraud! Click the link below now to change your password immediately to prevent further damage to your credit score!

https://my bank's website.com

Regards,
Your bank (no, really)
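To make the hover check concrete, here is an added example (not part of the original post and not Paessler's code) that does mechanically what your eye does when hovering: it parses an HTML mail body, compares the domain shown in the link text with the domain the href actually points to, flags plain-http links, and picks out urgency wording. The sample message, the domains in it and the phrase list are constructed for illustration.

```python
"""Flag the link tricks described for level 1 phishing: a link whose visible
text names one site while the href points elsewhere, plain-http links, and
urgency wording. Added example, not from the original post; the sample
message, its domains and the phrase list are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the bank example above (assumed domains).
SAMPLE_HTML = """<p>Dear Online Banking Customer,</p>
<p>You might be at risk of fraud! Click the link below now to change your password immediately.</p>
<p><a href="http://secure-login.mybank-verify.example/reset">https://www.mybank.com/reset</a></p>
<p><a href="https://www.mybank.com/help">https://www.mybank.com/help</a></p>"""

# Phrases typical of the "act now OR ELSE" pressure; extend to taste.
URGENCY = re.compile(
    r"\b(immediately|now|asap|at risk|suspended|verify your account)\b", re.I)

# Link text that looks like a URL or bare hostname, e.g. "https://www.mybank.com/x".
HOSTLIKE = re.compile(
    r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .com-style hosts; a real
    implementation would consult the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_links(html):
    """Return a list of (href, reason) findings for the links in an HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme == "http":
            findings.append((href, "plain http link"))
        shown = HOSTLIKE.match(text)
        if shown and target.hostname and \
                registered_domain(shown.group(1)) != registered_domain(target.hostname):
            findings.append((href, f"visible text names {shown.group(1)} "
                                   f"but link goes to {target.hostname}"))
    return findings


def urgency_phrases(text):
    """Return the distinct pressure phrases found, lower-cased and sorted."""
    return sorted({m.group(0).lower() for m in URGENCY.finditer(text)})


if __name__ == "__main__":
    for href, reason in analyze_links(SAMPLE_HTML):
        print(f"{reason}: {href}")
    print("urgency wording:", ", ".join(urgency_phrases(SAMPLE_HTML)))
```

The interesting case is the first link: the text reads like the bank's own site, the href is a look-alike domain, and the scheme is plain http, so it collects two findings while the genuine help link collects none. Note that a link whose text is just "Click here" gives the hover check nothing to compare, which is exactly why you still have to look at the real target.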

Level 2

Also known as:
spear phishing

Description:
A scam where an email that looks like it is from a reputable source is sent to a target with a request for information, a link to click, or an attachment to open. These emails include personal information about the target such as employer, job title, hobbies, etc. This information is usually gathered from profiles on social media websites.

Characteristics:

  • appear to be sent from within an organization (a coworker, for example)
  • give you the impression that you have some kind of relationship with the sender (posing as a friend or family member)
  • may contain a strange request

Example:

Hey Dan from Sales,
This is Julie from Accounting. I was going over some invoices and found one from one of your clients. There seems to be some kind of discrepancy. My boss will kill me if the numbers don't add up again. Could you pretty please have a look at it? You're the best!

Attachment: Invoice with kinda weird name but hey I'll do Julie a favor.doc

Regards,
Julie


Level 3

Also known as:
whaling

Description:
A scam where an email is sent to C-level managers with the intent of getting them to reply. A reply confirms that the address is live and hands the scammer the manager's signature block and possibly other information. The scammer can then pose as the C-level manager, which makes the follow-up spear phishing of that manager's staff look even more credible.

Characteristics:

  • often ask for transaction authorizations
  • give other types of management-level orders
  • often ask for the confirmation of business information
  • may be marked with high importance

Example:

Hi Barbara,
I landed a huge deal at my golf tournament today. Now I need you to make a wire transfer for me ASAP. It needs to be made before the banks close! Let me know if you can do this and I'll send you the details.

Thanks,
The Boss
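The spear phishing and whaling examples above share a sender trick: a familiar name on a message that did not come from where it claims to. Here is an added example (not part of the original post and not Paessler's code) that reads the raw message headers the way a mail gateway or a reporting mailbox could, and flags a display name that matches a known colleague while the address is external, a Reply-To that redirects answers elsewhere, the high-importance flag, and a risky attachment type. The company domain, the directory of names and both sample messages are constructed assumptions.

```python
"""Flag the sender tricks described for spear phishing and whaling. Added
example, not from the original post; the company domain, the directory,
the attachment list and both messages are constructed."""
import os
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"              # assumed company domain
DIRECTORY = {                                     # assumed name -> real address
    "alex chief": "alex.chief@example-corp.com",
    "julie smith": "julie.smith@example-corp.com",
}
# Attachment types that can carry macros or executable content.
RISKY_EXT = {".doc", ".docm", ".xlsm", ".pptm", ".exe", ".js", ".vbs", ".lnk",
             ".iso", ".scr", ".hta"}

# Constructed whaling-style message: executive's name, outside domain,
# replies diverted, flagged urgent, with a .doc "invoice" attached.
SAMPLE_MSG = """From: "Alex Chief" <alex.chief@example-corp-mail.com>
Reply-To: deals@freemail-lookalike.example
To: barbara@example-corp.com
Subject: Urgent wire transfer
X-Priority: 1
Importance: high
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

I landed a huge deal today. I need a wire transfer ASAP, before the banks close.

--b1
Content-Type: application/msword; name="Invoice_2291.doc"
Content-Disposition: attachment; filename="Invoice_2291.doc"
Content-Transfer-Encoding: base64

AAAA

--b1--
"""

# Constructed ordinary internal message for comparison.
CLEAN_MSG = """From: "Julie Smith" <julie.smith@example-corp.com>
To: dan@example-corp.com
Subject: Invoice question

Could you have a look at invoice 2291 when you get a minute?
"""


def analyze_headers(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain != INTERNAL_DOMAIN:
        expected = DIRECTORY.get(name.strip().lower())
        if expected:
            findings.append(f"display name '{name}' matches {expected} "
                            f"but the message came from {addr}")

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"replies go to {reply_to}, not to the sender {addr}")

    if str(msg.get("Importance", "")).lower() == "high" or \
            str(msg.get("X-Priority", "")).startswith("1"):
        findings.append("marked high importance")

    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if os.path.splitext(fname)[1].lower() in RISKY_EXT:
            findings.append(f"risky attachment {fname}")

    return findings


if __name__ == "__main__":
    for label, raw in (("whaling sample", SAMPLE_MSG), ("clean sample", CLEAN_MSG)):
        print(label + ":")
        for finding in analyze_headers(raw) or ["no findings"]:
            print("  -", finding)
```

None of these signals is proof on its own (executives do mark mail as important, and people do attach .doc files), but a known name on an external address combined with a diverted Reply-To is worth a phone call before anyone touches a wire transfer.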


Better Late Than Never

So with what you now know about phishing, how can you use this information to get your colleagues to quit clicking everything? If your company does not have a security plan already, either implement one yourself or get the attention of those who can, and start preventing phishing attacks in your company today.

  • Prevention
    Protect your company with preventive measures such as spam filters, antivirus or anti-malware software, and firewalls, and keep them updated so that they protect you against new threats as soon as possible. Properly implemented, these measures significantly reduce the number of phishing emails that make it into the company, and the few that do get through should do less damage.
  • Train
    Start holding regular security awareness training on phishing and other scams and how they can affect the company. Show your colleagues that scams can affect them personally as well, in particular if they use the same login information for all of their accounts: one phished password then unlocks everything.

  • Report
    Encourage colleagues to report any suspicious looking emails to you (or another designated colleague) so that the threat can be analyzed. If the email is dangerous, you can use it as an example and send an email throughout the company to inform everyone of the newest danger as soon as it is discovered. This way, you won't receive tons of emails from colleagues reporting the same scam.
  • Test
    Send phishing-type emails once or twice a year throughout the entire company and see how many colleagues actually open an attachment or click a link. Use this information to create statistics on the effectiveness of the security awareness trainings and if necessary, have them more often or make them more in-depth. This will show you where your company would stand in the event of a real attack.
  • Reward
    Have some kind of rewards system to motivate your colleagues to keep reporting "phishy" activity. You could create a "Security Employee of the Month" award or plan a team event after X days since the last security compromise as a way of showing your appreciation. After all, who doesn't enjoy being rewarded for doing the right thing?