Phishing – When Scams Hit Your Inbox

In Compliance, Cyber Security, Financial Services Technology by Amaya Swanson

The best phishing email I’ve ever seen was to a CFO and “from” a CEO, with a simple request to send over wire information for a new vendor. The email header was flawlessly spoofed (i.e. the sender appeared to be the CEO), and the request was not wildly unusual for this company. And yet… something felt off. The CEO used his first name rather than his nickname (think “Robert” rather than “Bobby”), and the CFO didn’t know of any new vendors. The CFO did the right thing – he contacted Matsco and sent over the email as an attachment. We confirmed it was a phishing attempt and performed a full investigation.

While an email like the one above is rare, phishing emails are shockingly common. Spam protection products will block a great deal of obvious spam and some phishing attempts, but not all. Good anti-virus and anti-malware software will provide some safety from malicious downloads, but it can’t protect you from yourself, which is to say you need to be very careful about providing sensitive information.

Below are a few examples of common phishing emails:

  • "We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
  • "During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
  • “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”
  • “We noticed numerous attempts to access your account. Click here to reset your password.”
  • “Below is your order confirmation, to view this order, click here.”
  • “Your healthcare benefits will expire in 3 days if you do not confirm your insurance choices on this link.”
  • “You’ve been selected to receive a free iPhone from Apple, simply confirm your address and pay the shipping fee.”

An effective phishing email will tap into a fear that you’re losing something (e.g. access, money) or the desire to gain something (e.g. a refund, a free product). Most phishing emails will also have something slightly off, be it a typo, a peculiar choice of words, or an email template that looks different from the usual communication from the company in question. The scammers hope you’re too busy or in a rush to notice whatever is not quite right. Below are some tips to protect yourself from the sophisticated and not-so-sophisticated phishing emails:

  • Be cautious about clicking links or opening attachments – even from trusted sources, because their accounts may have been hacked.
  • If an email from someone you know looks suspicious, look at the email headers to check whether the sender address was spoofed. You can also call or text the sender to ensure the email is legitimate.
  • Never reveal PII such as birthdate, your social security number, banking information, or the street you grew up on (all common security questions) to unknown sources, especially if they contacted you rather than vice versa.
  • Before entering credit card information online, ensure the website shows the padlock or an “S” after the “HTTP” in the URL (i.e. the address starts with https://). Keep in mind this only means the connection is encrypted, not that the site is genuine, so check the domain name as well.
  • Don’t click links in emails, instead type the URL directly into your browser – this is especially true for banking.
  • Hover over links and images in emails to check where they actually lead – often the real destination differs from the displayed one by only a character or two (a lookalike domain).
  • Keep your security up to date – ensure your technology provider has installed anti-virus and anti-malware on your computer, and that security patches are rolled out monthly.
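As an added illustration of the header-checking and link-hovering tips above (this is example code written for this post, not a Matsco tool), the script below parses a raw email and flags two of the signs described: a From address whose domain does not match the Reply-To or Return-Path headers, and links whose visible text names one domain while the real destination is another. The sample message, addresses and domains are all constructed for the example. It does not evaluate SPF, DKIM or DMARC results, which a mail server's own spoofing checks would add; it only surfaces what a careful reader would see by inspecting the headers and hovering over links.

```python
"""Triage helper for a suspicious email (example code, not part of the original post)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every name, address and domain here is made up.
SAMPLE_EML = """\
From: "Robert Smith" <ceo@example-bank.com>
Reply-To: ceo@examp1e-bank.com
Return-Path: <bounce@mail-relay.example.net>
To: cfo@example-bank.com
Subject: Wire info for new vendor
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm the vendor details here:
<a href="http://examp1e-bank.com/confirm">https://example-bank.com/vendors</a></p>
<p>Our portal: <a href="https://example-bank.com/portal">example-bank.com/portal</a></p>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Good enough for this comparison; a real tool would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(addr_header: str) -> str:
    """Return the domain of an address header like '"Name" <user@host>'."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Matches a domain (with optional scheme) inside the visible link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def header_findings(msg) -> list:
    """Flag Reply-To or Return-Path domains that differ from the From domain."""
    findings = []
    from_dom = registrable_domain(address_domain(msg["From"]))
    for hdr in ("Reply-To", "Return-Path"):
        val = msg.get(hdr)
        if val:
            dom = registrable_domain(address_domain(val))
            if dom and dom != from_dom:
                findings.append(f"{hdr} domain {dom} != From domain {from_dom}")
    return findings


def link_findings(html: str) -> list:
    """Flag anchors whose visible text names a different domain than the href."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_dom = registrable_domain(urlparse(href).hostname or "")
        match = URL_IN_TEXT.search(text)
        if match and registrable_domain(match.group(1)) != href_dom:
            findings.append(
                f"link text shows {registrable_domain(match.group(1))} but goes to {href_dom}"
            )
    return findings


def triage(raw: str) -> list:
    """Return all findings for a raw email; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return header_findings(msg) + link_findings(html)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("WARNING:", finding)
```

Run against the constructed sample, the script reports the mismatched Reply-To and Return-Path domains and the first link, whose text reads example-bank.com while its href points at the lookalike examp1e-bank.com; the second link, where text and destination agree, is not flagged. Forwarding a suspicious message as an attachment, as the CFO in the story did, preserves exactly these headers for whoever investigates.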

Check back on Monday for Part Two of Staying Safe Online!
