Cybersecurity Awareness Month: Watch Out for These Sneaky Phishing Scams

Phishing scams can do a lot of damage, allowing attackers to gather sensitive information that can compromise critical systems and data. By learning about newer, sneaky phishing scams, you can reduce your likelihood of falling victim. In recognition of Cybersecurity Awareness Month, here is a look at a few more recent phishing scams and tips on how to avoid falling victim.

Sneaky Phishing Scams to Watch Out For

Conversation Hijacking

With conversation hijacking, attackers first get into an employee's mailbox, typically with stolen credentials, and read through it to learn who that person deals with, what they are discussing, and how they write. Then they usually register a lookalike of the compromised account's domain (a typosquat that differs by a character or two), so that messages sent from it closely resemble the compromised person's real email address.

Additionally, they may quote a segment of a real email thread between the compromised account and the target. That way, the message reads as an existing conversation simply moving forward rather than a cold approach, making the phishing attempt less obvious.

By also mimicking the person's word choice, tone, and other communication habits, they increase the odds that the recipient will trust them and hand over sensitive information, run malicious code, or otherwise complete whatever action the attacker is after.

URL Open Redirects Sending Victims to Malicious Sites

One common piece of cybersecurity advice is to hover over any links to see if they are legitimate. However, attackers have found a way around this recommendation using open redirects: a legitimate site exposes an endpoint that forwards visitors to whatever address is supplied in one of its URL parameters. The domain shown on hover is genuine, but the destination buried in the parameter is the attacker's.

The redirect happens automatically in the browser and, in most cases, without any visible warning, so a person who trusted the hover text might unwittingly enter sensitive data, like login credentials, into a malicious site. Once that occurs, the attackers have captured the information.
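To make the mechanism concrete, here is an added example (not code from the original article) in two halves: a function that digs the real destination out of a redirect link, which is what hovering does not show you, and the server-side redirect handler in its vulnerable and hardened forms. The domains trusted.example and evil.example and the sample links are constructed placeholders.

```python
"""Open redirects: what a hovered link hides, and how a site closes the hole.

Added example, not code from the original article. trusted.example and
evil.example are constructed placeholder domains.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit, urlunsplit


def hidden_destinations(link: str) -> list[str]:
    """Return hosts of any URL smuggled into the link's query string.

    Hovering shows only the link's own host (the genuine site). A redirect
    endpoint forwards the browser to whatever its parameter says, so this
    pulls out every parameter value that is itself a URL pointing somewhere
    other than the visible host.
    """
    visible_host = (urlsplit(link).hostname or "").lower()
    hosts = []
    for values in parse_qs(urlsplit(link).query, keep_blank_values=True).values():
        for value in values:
            # parse_qs already percent-decoded once; unquote again for
            # double-encoded payloads, and treat backslashes as slashes,
            # as browsers do.
            candidate = urlsplit(unquote(value).replace("\\", "/"))
            if candidate.scheme in ("", "http", "https") and candidate.hostname:
                host = candidate.hostname.lower()
                if host != visible_host:
                    hosts.append(host)
    return hosts


def vulnerable_redirect(next_url: str) -> str:
    """The pattern that creates the hole: echo the parameter into Location."""
    return next_url


def safe_redirect(next_url: str, fallback: str = "/") -> str:
    """Hardened replacement: only a relative path on this site survives.

    Browsers strip tabs and newlines and treat backslashes as slashes, so
    normalise the same way before checking; otherwise "/\\evil.example" or
    "///evil.example" slip past a naive startswith("/") test.
    """
    cleaned = re.sub(r"[\t\r\n]", "", next_url.strip()).replace("\\", "/")
    if not cleaned.startswith("/") or cleaned.startswith("//"):
        return fallback
    target = urlsplit(cleaned)
    if target.scheme or target.netloc:
        return fallback
    # Keep path and query only; drop any fragment.
    return urlunsplit(("", "", target.path, target.query, ""))


if __name__ == "__main__":
    phish = "https://trusted.example/redirect?url=https%3A%2F%2Fevil.example%2Flogin"
    print("hover shows:", urlsplit(phish).hostname)
    print("actually goes to:", hidden_destinations(phish))
    for candidate in ["/account?tab=security", "https://evil.example/login",
                      "//evil.example/login", "/\\evil.example", "///evil.example"]:
        print(f"{candidate!r:32} vulnerable -> {vulnerable_redirect(candidate)!r:30}"
              f" safe -> {safe_redirect(candidate)!r}")
```

The hardened handler does not try to allowlist external hosts; it only ever sends the browser to a path on its own site, which removes the redirect as a phishing hop altogether.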

Fake SharePoint and Office 365 File Shares

One of the more recent phishing scams that’s particularly sneaky is one based on fake SharePoint sites and Office 365 file sharing.

The emails appear to invite the recipient to access a shared file, such as an Office 365 document or spreadsheet, using a display name that mimics SharePoint notifications. However, the link doesn't take the recipient to their employer's SharePoint or to a legitimate shared Office 365 file. Instead, it sends them to an outside form, document, or phishing page that the scammers use to collect sensitive data, such as usernames and passwords, from anyone who clicks through believing the shared file is real.
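The two lures above, the lookalike sender domain from the conversation hijacking section and the "SharePoint" share whose link leaves the tenant, can both be caught with the same triage checks. The following is an added example, not code from the original article: the organisation domain contoso.example, its partner domain, the SharePoint host names, the assumed legitimate notification sender domains, and both sample messages are constructed placeholders.

```python
"""Mail triage for two lures: a sender domain that imitates a known one
(conversation hijacking) and a "SharePoint" share whose link leaves the
tenant. Added example, not code from the original article. The domains,
the tenant name "contoso" and both sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlsplit

# Assumptions for the example: the organisation's own domain, the partner
# domains it corresponds with, where its genuine SharePoint shares live,
# and which sender domains a genuine share notification may come from.
OUR_DOMAIN = "contoso.example"
KNOWN_DOMAINS = {OUR_DOMAIN, "acme-supplies.example"}
SHAREPOINT_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}
NOTIFICATION_SENDERS = {OUR_DOMAIN, "sharepointonline.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known=KNOWN_DOMAINS) -> Optional[str]:
    """Return the known domain this one imitates, or None.

    An exact match is legitimate. Anything within two edits of a known
    domain (c0ntoso, acrne-supplies, contoso-example) is the kind of
    typosquat conversation hijackers register.
    """
    domain = domain.lower()
    if domain in known:
        return None
    for legit in sorted(known):
        if edit_distance(domain, legit) <= 2:
            return legit
    return None


def triage(raw_message: str) -> list:
    """Return (check, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    findings = []

    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(("lookalike-sender", f"{sender_domain} imitates {imitated}"))

    # The display name is free text; "SharePoint" there proves nothing unless
    # the address behind it belongs to a domain that actually sends shares.
    claims_share = "sharepoint" in (display_name + " " + msg.get("Subject", "")).lower()
    if claims_share and sender_domain not in NOTIFICATION_SENDERS:
        findings.append(("display-name-mismatch",
                         f'"{display_name}" sent from {sender_domain}'))

    # A genuine share for this tenant links into its own SharePoint hosts;
    # anything else is the "outside form or page" the lure depends on.
    if claims_share:
        for url in URL_RE.findall(msg.get_payload()):
            host = (urlsplit(url).hostname or "").lower()
            if host not in SHAREPOINT_HOSTS:
                findings.append(("off-tenant-link", f"share link goes to {host}"))
    return findings


# Constructed phishing sample: typosquatted sender, SharePoint-styled display
# name, link to an outside form instead of the tenant.
PHISH = """\
From: "SharePoint Online" <no-reply@c0ntoso.example>
To: jane.doe@contoso.example
Subject: Q3 Invoice Summary.xlsx has been shared with you

Jane, here is the updated file from Tuesday's thread.
Open: https://forms-share.example/view/invoice-q3
"""

# Constructed benign sample: real colleague, link inside the tenant.
CLEAN = """\
From: "Bob Lee" <bob.lee@contoso.example>
To: jane.doe@contoso.example
Subject: SharePoint link for the menu

https://contoso.sharepoint.com/sites/team/menu.docx
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("clean", CLEAN)):
        print(label, triage(sample) or "no findings")
```

The edit-distance threshold is deliberately small: two edits catches the single-character swaps and rn-for-m substitutions typosquats rely on without flagging unrelated vendors, and an exact match is always accepted so genuine partner mail is never held up.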

Protecting Yourself Against Phishing Attempts

Protecting yourself against phishing attempts requires a bit of savviness. If you receive an email, look for signs that it might not be legitimate. This can include poor grammar and spelling, requests to follow links, unexpected attachments, and name and email address inconsistencies.

Additionally, it’s best to treat all requests for sensitive information as if they are scams until you can confirm otherwise. If you receive an email requesting sensitive data, don’t reply to the message or use any contact details in the email for confirmation. Instead, reach out to the sender using a known contact method outside of that message.

If you believe an email is a phishing attempt, follow your company's procedures for reporting and handling the message. Inform the appropriate IT team, don't click suspicious links, and don't forward the message anywhere unless IT requests a copy. If IT tells you to delete it, delete it from your inbox and your trash so you can't click on it by mistake later.

We Can Help You Protect Your Company

Ultimately, vigilance and caution are the keys to avoiding cyberattacks. If you’d like to learn more about cybersecurity best practices, the team at Selectek wants to hear from you. Contact us today.