Email Phishing, Part 1: An Overview

Every day, an estimated 30,000 Americans and 80,000 Canadians fall for an email phishing scam.

Written by: Tyler Adams

Read time: 2 mins

Category: Scams

Published on: Jul 18, 2021

Every day, an estimated 30,000 Americans fall for an email phishing scam — and experts believe the number would be even higher, if it weren’t for superior filtering technology in today’s email servers. Most of us like to think we’d never fall for something like this, but the statistics don’t lie: for every person who falls for one of these carefully-crafted cons, nine more at least opened the email or even clicked on the links within.

These are just the individual numbers. Believe it or not, over 85% of corporations, large and small, have been targeted by scammers at some point. In 2014, over 70% had suffered a breach of security as a result of these attacks, according to a report from CyberEdge Group.

In other words, even intelligent and discerning people fall for these tricks. How can you protect yourself—and your company? In this case, knowledge really is power: only by learning to recognize different types of email phishing can one consistently avoid the trap.

What is Email Phishing?

Phishing is the process of obtaining personal information from someone—such as credit card numbers, social security details, or login credentials to a protected system—via fraudulent emails meant to look authentic. They can appear to be sent from a person’s school, bank, personal doctors, etc. Within companies, they often look like they’re from the CEO or another higher-up, or the organization’s technical support department.

These emails contain fake links that take users to submission forms, where they’re asked to enter their information. This is then sent to the scammers, who use it to hack employees’ accounts, steal credit card info, carry out identity theft, and more.

Types of Phishing

There are two main types of email phishing:

  • Spear phishing is a targeted attack on a specific individual (like spearing one fish), in the hope of obtaining their information for identity theft, credit card fraud, etc.
  • Whaling refers to scams targeting people within a business or government office, in the hope of using that person’s credentials to break into the system and obtain several users’ or consumers’ data at once (like fishing with a net). Business Email Compromise (BEC), which we covered in an earlier article, usually falls into this category.

To defend yourself against either, you can take some simple precautions such as shredding personal documents, setting your privacy settings on social media to include only people you know in real life, and observing emails carefully to gauge their authenticity.

Voice or phone phishing is still widely used, as well, and can be even harder to identify. Attackers will often call pretending to be from your company’s tech support. If possible, keep a list of the tech department’s employees and extension numbers nearby, so you can verify your caller before divulging information.

What Does Email Phishing Look Like?

The main reason people fall for email scams is that they can look incredibly real. Consider the following example from a Knowledge Base entry on phishing provided by Indiana University:

The email looks like it comes from the University, but the fraudulent differences are subtle.


Notice that the sender’s address, at a quick glance, looks like the support team from an accredited university. It warns the user that his or her saved emails and entire account will be deleted, unless they divulge their user name, password, and date of birth.

So, what’s the problem? There are actually quite a few warning signs in this email, all of which could be difficult to spot if one doesn’t know to look for them:

  • The sender address is supportteam01@indiana.edu. There is no need for the “01,” since presumably there would be only one support team for the institution, so the address should simply be supportteam@indiana.edu. Even more likely, it would come from one identifiable person in that department.
  • The email is not addressed to the user by name, but rather “subscriber.” It’s not even addressed to a specific body, such as “Dear Students” or “Dear Faculty.”
  • “…to inform all our {INDIANA.EDU} users….” Notice that the institution name is in brackets, which suggests this email is a form letter.
  • Arbitrary capitalization of words like “Subscriber” and “Email.”
  • Strange sentence structure and grammar/word choices overall.

This is hardly a meticulous list of possible red flags one might find in a phishing email; there are thousands of variations, some of which are almost impossible to spot. Warning signs can even be unique to a particular scam, depending on the company or individual the scammer is impersonating, what information they’re after, and the platform they utilize to contact you. For a more thorough catalogue of real-life scams, stay tuned for our follow-up article on phishing examples.
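The red flags above can also be checked mechanically, which is how mail filters catch the crude variants. The following Python script is an added example, not code from the original article or from CertifID: it parses a raw email and reports which of the listed warning signs it finds (numbered sender local-part, generic greeting, unfilled template placeholder, request for credentials, account-deletion threat). The sample message is constructed to mimic those signs and is not the real Indiana University email; the grammar and capitalization checks are left out because they need human judgement.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the red flags listed in the article;
# this is not the real Indiana University message.
SAMPLE_PHISH = """\
From: Support Team <supportteam01@indiana.edu>
To: someone@indiana.edu
Subject: Account Verification

Dear Subscriber,

This is to inform all our {INDIANA.EDU} users that your Email account
will be deleted unless you confirm your user name, password and date
of birth within 24 hours.
"""

GENERIC_GREETINGS = ("subscriber", "user", "customer", "member", "account holder")
CREDENTIAL_TERMS = ("password", "user name", "username", "date of birth")
THREAT_TERMS = ("will be deleted", "will be suspended", "will be closed")


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the names of the article's red flags present in a raw email."""
    msg = message_from_string(raw_message, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part else ""
    lowered = text.lower()
    flags = []
    # 1. Numbered sender local-part, e.g. supportteam01@ instead of supportteam@
    _, address = parseaddr(msg.get("From", ""))
    local_part = address.split("@")[0]
    if re.fullmatch(r"[a-z]+\d+", local_part, re.IGNORECASE):
        flags.append("numbered-sender")
    # 2. Greeting that names no person or specific group ("Dear Subscriber")
    greeting = re.search(r"^\s*dear\s+([a-z ]+?)\s*[,:]", lowered, re.MULTILINE)
    if greeting and greeting.group(1) in GENERIC_GREETINGS:
        flags.append("generic-greeting")
    # 3. Unfilled form-letter placeholder such as {INDIANA.EDU}
    if re.search(r"\{[A-Z0-9.\-]+\}", text):
        flags.append("template-placeholder")
    # 4. Request for credentials or identifying details
    if any(term in lowered for term in CREDENTIAL_TERMS):
        flags.append("asks-for-credentials")
    # 5. Threat of losing the account, used to create urgency
    if any(term in lowered for term in THREAT_TERMS):
        flags.append("account-threat")
    return flags
```

Run `phishing_indicators(SAMPLE_PHISH)` to see all five flags raised; a legitimate message from a named colleague should return an empty list.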

High-Profile Losses

If you think it’s just individuals and small companies taking the bait, think again: large corporations are frequently the victims of fraud, even with high security measures in place:

Companies of any size can (and should) evaluate their employees’ collective and individual risk by testing their ability to recognize and avoid phishing scams. For more information on how to decrease your company’s susceptibility, stay tuned for our article on phishing testing and readiness.

Your Biggest Mistake: Thinking You’re Immune

Email phishing has existed almost since the advent of the internet itself (though the term wasn’t coined until the 1990s); we’ve all heard about the infamous Nigerian prince scam. Most of today’s tricks, however, are far more subtle and convincing. Attackers have access to so much information via social media and company websites, it’s easy for them to sound credible—and easy for people to buy into them. As statistics and history have shown us, anyone can take the bait.

Thinking you’d never fall for a phishing scam can be just as dangerous as opening emails or clicking links from unconfirmed senders in the first place: it’s important to accurately gauge your own vulnerability, so you can take measures to reduce it as soon as possible.


Continue reading: Email Phishing, Part 2: Tests and Readiness

Tyler Adams

Co-founder & CEO

Tyler brings a decade of leadership experience developing and launching technology businesses. Before co-founding CertifID, Tyler led new product development at BCG Digital Ventures for Mercedes-Benz, First American Financial, Boston Scientific, and Aflac.
