Despite obvious errors, email scammers still manage to reel in victims.
Given the comical levels of poor grammar and spelling in many phishing emails, one might say those taking the bait are falling hook, line, and stinker.
“We wanted Automatically,” a recent email, purportedly from PayPal, urgently announces. It claims that there is a problem with the recipient’s account and wishes to determine “if your cheeks exchange agreement with the thesis.” Recipients are asked to click on a link to gain details about “our exchange Updates Regulations.”
Cybersecurity experts say there are several reasons for the notoriously high level of mistakes in spoofed emails. For one, most originate in countries where English is not the native language — particularly Eastern Europe and China. Scripts are written in the phisher’s native language and then run through online translation engines with predictably peculiar results. However, researchers also say that some of these errors are actually deliberate attempts to slip past spam filters and attract only the most gullible.
Whatever the reason, it would be a mistake to assume that all phishing attacks are clumsy and easy to spot. Recent headlines indicate that phishing lures can actually be quite sophisticated. Phishers mimic the logos and websites of legitimate organizations and pose as friends, business partners, clients, bank officials or IT staff. They hook their targets by fooling people into clicking malicious links or opening attachments that automatically engage and activate viruses and malware. Then, these criminals can use these compromised accounts to spread the misery to others.
Staying off the Hook
With indirect phishing attacks, cybercriminals use a series of emails to gain the organizational information needed for a broader phishing campaign. For example, an employee using a personal Apple device might be tricked into revealing iTunes credentials, which would give the attacker access to the contact information of other staff. Or by successfully phishing an employee using a cloud-based company email (such as Office 365 or branded Gmail accounts), an attacker would gain access to a platform for sending malicious emails that appear safe.
Cybercriminals use direct phishing attacks to gain login credentials for actual business systems such as Microsoft Outlook. Because these credentials are frequently used for domain logins as well as email access, this could enable the attacker to access far more than just email. Credentials for cloud-based services such as Dropbox or Salesforce can also provide an attacker with direct access to company data.
There are simple ways to protect against phishing attacks:
- Never email personal or financial data. Financial institutions and government agencies will never request this information by email.
- Don’t click links or open attachments from unknown or suspicious senders, and don’t click suspicious links from anyone. Hovering the mouse arrow over a link will reveal the true destination of the link.
- Educate employees about what types of emails are dangerous.
- Make sure all security software is automatically updated.
- Use centralized management tools for monitoring email threats.
Poor grammar, bad spelling and faulty logic are telltale signs of a phishing scam. Unfortunately, not all cybercriminals provide such obvious clues. With phishing attacks reaching epidemic proportions, it is clear that scammers are getting smarter and more sophisticated. Vigilance, common sense and a healthy dose of skepticism combined with properly managed security systems are key to being the one that gets away.