Phishing is rife, and the hackers are forever getting smarter
Hackers won’t stop and will try numerous ways to get access to our personal & sensitive data. Email is a popular means of access for cyber criminals: it is often the weakest point of entry to a computer network, and therefore the most used and abused.
Emails can of course be filtered, but unlike other network entry points, can’t be blocked entirely, otherwise you wouldn’t be able to receive anything from anyone!
Phishing (pardon all the ph’s!) is the term for hackers masking their malicious emails as genuine via a few clever tricks. Their goal is to lure you into clicking embedded links to websites that may download viruses, malware, or worse, tracking software that’ll collect your key data, such as your bank account login details.
How is it done?
Masking emails as though they were sent from someone else’s mailbox is worryingly easy to do. Beyond that (to ensure a greater chance of success), they may well hack into a business’s mail server or an individual’s mailbox, to send the emails directly as that user.
The email itself (in the majority of cases) isn’t dangerous. It can simply be checked & then deleted from your inbox forever.
If you’ve clicked the link & downloaded the file or opened the document, your PC is then exposed to the ‘hack’ & whatever dodgy software they intended to hit your machine with.
We have embedded an example situation below (with the victim sender’s details omitted), which we refer to throughout this blog article. This email looks very realistic, given that the sender’s correct full name, email address and even their full email signature & disclaimer are present.
What does it look like in my inbox?
You’ll receive it just like any normal email; the tricky part is identifying if it’s real or fake. It’ll be among all of your other genuine emails. It’ll likely appear as though it’s from the sender’s name and match their correct email address. So, at first look, you’ll be none the wiser.
If the email is masked as though it is from a government department, it may well contain badly written language, poor quality logos, or be sending you / requesting from you information that would normally be sent via the post or submitted via their secure websites.
The email is most likely to contain an attachment or a link, which is the lure that draws you toward the means by which they can enter your PC & steal your data. Until you’re sure, don’t click on any links.
What can I look out for?
When you receive any email there are a few key things to check, even if you know & trust the sender.
1. The sender’s name & email address. Is it genuine? Has it actually come from their mailbox or does something about the name or email address not look right?
2. Does the email contain an attachment?
If it is a PDF, there’s a good chance that you’re safe.
If it is a Word or Excel document, it may be programmed to contain a virus that can take over your machine as soon as you open it & activate any “macros” set to run. Always question and be wary of Word & Excel documents that you aren’t expecting. Invoices are often a favourite trick of the fraudsters – always ask your suppliers to send their invoices as PDFs; that way you can have a rule to avoid opening anything marked as an invoice that arrives as an Excel or Word doc.
The downside is, you cannot tell from looking at the file whether it is genuine or malicious before you open it – then it’s usually too late.
3. Does the email contain any links?
Links are a little easier to check. Hover over the link and you can see where it’ll take you.
If it’s an email claiming to be from HMRC or your bank, and the link wants to take you to a completely different gobbledygook website, don’t click on it!
If the link appears to be the real website or where you would expect to land, like in the example below, then it may well be genuine, but that is no guarantee.
With this example, the link takes you to a file hosted on Microsoft OneDrive. The email makes it look like this user genuinely wanted to send you this file, which is hosted in a reputable place. If the link pointed to an untrusted source, it would look more suspicious, but at face value this appears to be legitimate.
Clicking the link to visit the website, which appears to be a real Microsoft OneDrive file share, you can see an overview of the document, a PDF.
Upon further inspection, placing the mouse over the preview shows that the Microsoft-branded box with the “Open” link is just an image, overlaid with a hyperlink to a shortened website URL via tinyurl.com. This cleverly masks the ultimate website address, likely a malicious website.
Had the “Open” button highlighted, like a normal website button would, and had the document been viewable within the browser, it would have been genuine. However, clicking this link does actually take you through to a virus-riddled website, leading to my email accounts likely being vulnerable to being hacked & sending out the very same email I received, claiming to be me.
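The hover check from step 3 can also be automated. The Python below is an added example, not part of the original article or any EverythingTech tooling: it scans HTML for the two tricks described above, an image-only link pointing at a URL shortener and visible link text that names a different site than the real target. The sample markup, the example domains and the shortener entries other than tinyurl.com are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: tinyurl.com is named in the article; bit.ly and t.co are added here.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
# Constructed sample markup with placeholder domains, not the real page.
SAMPLE_HTML = (
    '<a href="https://tinyurl.com/PLACEHOLDER"><img src="open-button.png"></a>'
    '<a href="https://bank-example.invalid/login">www.bank.example/login</a>'
)

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text, self._img = [], None, [], False

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # start collecting what the reader will see for this link
            self._href, self._text, self._img = dict(attrs).get("href") or "", [], False
        elif tag == "img" and self._href is not None:
            self._img = True

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        host = (urlparse(self._href).hostname or "").lower()
        text, reasons = "".join(self._text).strip(), []
        if host in SHORTENERS:
            reasons.append("shortened URL hides the final destination")
        if self._img and not text:
            reasons.append("image-only link: a picture of a button, not a real one")
        shown = DOMAIN_RE.search(text)
        site = shown.group(0).lower().removeprefix("www.") if shown else ""
        if site and host != site and not host.endswith("." + site):
            reasons.append("visible text names a different site than the link target")
        if reasons:
            self.findings.append((self._href, reasons))
        self._href = None

def audit_links(html):
    """Return a list of (href, [reasons]) for every suspicious link in the HTML."""
    parser = LinkAudit()
    parser.feed(html)
    return parser.findings
```

Calling `audit_links(SAMPLE_HTML)` flags both sample links; a link whose visible text and target agree produces no finding.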
In Summary
Be very, very wary, even if you believe you know the person who sent you the email.
Follow our straightforward 3-step checklist – sender’s name & email address, attachments and links. Checking these three key things before taking any action with the email will help you remain protected.
Who are EverythingTech?
For well over a decade we have partnered with clients across Manchester and the wider North West as their outsourced IT department – covering all needs from IT Support, to Cloud, to Connectivity and Communications.
We are incredibly proud of our commercially sound technology solutions that drive efficiency, cost savings and performance for the businesses we support.