Staying Frosty: How to Keep Calm and Stay Alert Against Spoofing and Phishing

By Micah Ulrick, vCIO

IN THIS ARTICLE: 

• • • Understanding Spoofing & Phishing: What You Need to Know
    • How to Spot Spoofing and Phishing Red Flags
    • Advanced Threats to Be Aware Of
    • Remember These Best Practices

We’ve said it before, but I’ll say it again, cybersecurity is more critical than ever. As a vCIO, I advise my clients on cybersecurity daily. While ransomware, DoS (Denial of Service), and Brute Force attacks are still a thing, phishing and spoofing are still two of the most common and dangerous threats today. These are the primary causes of compromises.

The problem is there’s no magic bullet that will 100% protect you from these attacks. So, understanding these threats and how to identify them can make all the difference in protecting both you and your organization from significant harm.

Every time you venture into your inbox or out onto the web, remember these tips to stay frosty (a.k.a. cool and alert) against the dangers of phishing and spoofing.

Understanding Spoofing & Phishing: What You Need to Know

Spoofing is when a threat actor masquerades as a trustworthy company or contact by faking their email, caller ID number, or website. Spoofing is effective because it manipulates your confidence in well-known companies or acquaintances and relies on the human habit of quickly scanning messages and missing signs that it’s a fake.

Spoofing is typically used in phishing, a technique used by cybercriminals to trick you into willingly handing over sensitive information, such as passwords, credit card and banking information, or personal and corporate data. These attacks often come in the form of emails or texts that appear to be from legitimate sources, such as banks, vendors, or even colleagues.

In simple terms: spoofing is the faking of “who” you’re talking to, and phishing is “how” they engage with you to take action. Like actual ‘fishing’, they’re trying to hook you with deceptive bait so they can reel you in.

How to Spot Spoofing and Phishing Red Flags

Identifying Spoofs

Email Spoofing

Signs of Spoof: Inconsistencies like slight misspellings in email addresses, domain names, and display names, or emails that come from a different domain name than usual.

• Always scrutinize email addresses, domain names, and display names.
• Talk to your IT provider about adding an “external” banner to flag emails coming from outside your organization to enhance awareness.

Caller ID and Text Spoofing

Signs of Spoof: Unexpected calls or texts from both familiar and unfamiliar numbers claiming to be someone you know. Scammers can manipulate caller ID information to make calls or texts appear as though they are coming from a trusted contact or organization.  

• Look out for links in text messages (don’t click them) 
• Be wary of abnormal requests. 
• If you receive an unexpected call or text from a colleague, stop engaging and re-initiate contact in person or using a verified number or communication source you can trust.

Website Spoofing

Signs of Spoof: Spoofed websites may look identical to legitimate ones but have different URLs. They may also be missing “HTTPS” in the URL. The security padlock symbol in the address bar of the browser may also be missing.

• Always double-check the URL spelling.
• Check the name for familiarity. For example, “https://your-company.com” versus “https://yourcompany.com”.
• Look for HTTPS and the padlock symbol in the address bar. If these are missing it’s not a good sign.

Avoid Falling for Phishing

• Scrutinize Sender Addresses: Always check the sender’s email address. Phishing emails are often spoofed and come from legitimate-sounding addresses. Look for those slight alterations in the domain name, display name, and sender address. For instance, an email from “support@closolutions.com” instead of “support@ciosolutions.com”. Did you catch the difference at first glance? That’s how subtle they are. Look closely!

• Beware Generic Greetings: Be cautious of emails with generic greetings like “Dear Customer” instead of your name. This is usually an indication that it’s a mass email blasted to many recipients and is a warning sign that something’s not right.

• Resist Being Rushed: Look out for “account closure” notices, “unauthorized transaction” warnings, “password update needed”, or phrases like “Your account will be locked in 24 hours” or “Immediate action required”. Phishing emails often try to rush you into a mistake by creating a sense of urgency. Take a breath, and if you’re concerned, log into the questionable account as usual (not from any links in the email) to make sure everything is as it should be.

• Note Unusual Requests: If an email is requesting information such as passwords, social security numbers, or credit card details via email, especially out of the blue, it’s likely a phishing attempt. Remember that legitimate organizations will never ask for sensitive information like this via email. Put your antennae up for these and note the strangeness of the request.

• Don’t Click That Link or Attachment: Hover your cursor over the link text to see the actual embedded URL destination before clicking. Opening your email on a phone? Avoid the risk altogether and go directly to the website instead of clicking on a link. Phishing links often present themselves as one thing but really lead to malicious URLs. Similarly, be wary of attachments, especially if you weren’t expecting them. When in doubt: Don’t. Click.

Advanced Threats to Be Aware Of

Now that we’ve covered the basics of phishing and spoofing, there are several advanced threats that pose significant risks. Understanding these can further enhance your cybersecurity posture.

Whale-Phishing Attacks: Watch Out, C-Suite

Whale-phishing, or whaling, targets high-profile C-Suite individuals such as CEOs or CFOs. These attacks are highly personalized and sophisticated, aiming to steal sensitive corporate information or execute fraudulent transactions. Due to the high stakes involved, whaling emails often appear very legitimate and may reference actual company projects or executives by name, or ask for a change in payroll accounts. Bad actors typically gather this data by compromising lower-level employees with the phishing and spoofing tactics above.

Spear-Phishing Attacks: We Know You. No Really.

Unlike regular phishing, which is sent to a broad audience, spear-phishing emails are targeted and customized to the recipient, making them harder to detect. Bad actors often use information gathered from social media (LinkedIn, Facebook, etc.) and other online sources to spoof effectively and build convincing requests. These typically flow from the top down. For example, a threat actor may gather information about a CEO and will impersonate them to request a wire transfer from someone on the Finance team at their company.

Man-in-the-Middle (MITM) Attacks: You’ve Got Company

In an MITM attack, a cybercriminal first gains access so they can then intercept communication between two parties, for example between an Accounts Receivable rep at one company and an Accounts Payable rep at another. Once the attacker has access, they then “lie in wait” and eavesdrop to steal data or interject themselves into the communication chain to ask for a change in bank routing and account information or payroll information to steal money.

This is often done by compromising someone’s email, but unsecured Wi-Fi networks are also a common culprit, letting an attacker intercept data transmitted between your device and the network.

Remember These Best Practices

• Be Skeptical: Always question unsolicited emails and calls. If something seems off, it probably is.

• Slow Down: Don’t rush to respond, and don’t impulsively click on unknown links or attachments.

• Keep Learning (and pass it on): Cybercriminals constantly evolve their strategies, so staying up-to-date and informed is crucial. Share this information with colleagues and loved ones to create a network of aware and cautious individuals.

• Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security, making it harder for attackers to gain access to your accounts. This typically involves a second form of verification in addition to your password, such as a code sent to your phone or an authenticator application. Enable this whenever possible!

• Keep Software Updated: Regular updates patch fixes for identified security vulnerabilities, making it harder for cybercriminals to exploit your system. This includes operating systems, browsers, and any other software applications you use (even your phone and apps).

• Report Suspicious Activity: If you receive a suspicious email or call or think you may have clicked on a sketchy link, report it to your IT department or service provider. Prompt reporting can prevent widespread damage and help authorities track and stop cybercriminals.

It’s up to everyone to stay informed and vigilant. The most important things you can take with you when you venture online every day are patience and suspicion. Don’t be trigger-happy with your clicks and responses, and take the time to look at emails, texts, and websites a bit closer. Trust little and verify when possible.

Stay safe, stay aware, and stay frosty out there.

An Additional Note For Business Leaders:

With compromises on the rise, Cyber Liability Insurance has become an essential part of protecting your business in the event of an attack. All companies, big and small, can benefit from Cyber Liability Insurance and we highly recommend acquiring it.

Did you know that CIO Solutions offers automated phishing awareness training and simulated user phishing campaigns? Reach out to your vCIO or Customer Success Manager to learn more about including Knowbe4 in your monthly service agreement at no additional cost!

Not a client yet? Contact us today to talk through your options for enhancing your IT management and security.