BLOG

Email Phishing Scams and How to Avoid Them

5 minute read

Phishing attacks have spiked dramatically. While nothing new, the sophistication of phishing attacks has continued to evolve. These types of attacks provide a wealth of opportunities for threat actors. The simplicity of phishing attacks, combined with tools like phishing kits that make them accessible and easy to deploy, are likely contributors to this spike. But one of the most tried and true methods of phishing focuses on email scams. Let’s take a closer look at what exactly qualifies as an email phishing scam and the steps you can take to tackle this growing and prevalent risk.  

Email Phishing Scams Defined

Phishing is a type of social engineering attack that uses fraudulent communications to trick the recipient into sharing sensitive data, financial details or business access credentials. More specifically, a phishing email is a type of phishing attack where cybercriminals send a deceitful email message to the target organization’s executive team members, managers, employees, customers and more. These emails can leverage various malicious tactics to trick the recipient into sharing their sensitive information, including spoofed email addresses, fake websites, malicious links and delivering false information.

Email is just one route cybercriminals use to carry out phishing attacks. Others can include social media, SMS text messages, telephone calls or even digital advertisements. Furthermore, almost any industry can find itself as a target.

Email Phishing Scam Most-Targeted Industry Sectors – 1st Quarter 2021
Source: APWG 1st Quarter 2021 Phishing Activity Trends Report
Most-Targeted Industry Sectors for Phishing Attacks – 1st Quarter 2021
Source: APWG 1st Quarter 2021 Phishing Activity Trends Report

The APWG 1st Quarter 2021 Phishing Activity Trends Report tells us, “January 2021 was a high in the APWG’s records, with an unprecedented 245,771 attacks in one month.” The report goes on to highlight business e-mail compromise (BEC) scams “are becoming more costly with average wire transfer requests in BEC attacks increasing to $85,000, up from $48,000 in Q3 2020.” Aside from the constant stream of media updates highlighting another attack, this alone paints the picture as to just how prevalent phishing and its related tactics continue to be.

Phishing Scams Remains at Historic Highs
Source: APWG 1st Quarter 2021 Phishing Activity Trends Report
Phishing Remains at Historic Highs
Source: APWG 1st Quarter 2021 Phishing Activity Trends Report

What Does an Email Phishing Scam Do?

Cybercriminals create phishing emails to trick the sender into sharing sensitive information. Still, the information being targeted and the techniques used to capture it can vary substantially between cases. With that in mind, here’s a basic overview of what phishing emails do once they hit the recipient’s inbox:

  1. Gain the Recipient’s Trust – The first goal of every phishing email is to gain the recipient’s trust, or at least to avoid appearing suspicious. This is often accomplished by impersonating a trusted sender through email spoofing or copying the email layout of a trusted source. 
  2. Deliver a Call to Action – Phishing emails contain a call to action, encouraging the recipient to take steps that will ultimately compromise their information or deprive them of financial assets. In addition, phishing emails often include a made-up story that creates a false pretense for the recipient to take urgent action. 
  3. Steal the Recipient’s Data – The ultimate goal of a phishing email is to steal something from the recipient – either their secure data, access credentials, money or something else. This objective may be realized when the email recipient takes the action described in the email, such as clicking a malicious link or visiting a fake website.

Three Types of Phishing Emails to Know

#1 Email Phishing Scams that Link to a Fake Website: Some phishing emails link to a fake website set up by cybercriminals to capture access credentials or financial information from the unsuspecting target. Fake websites are designed to mimic sites that are trusted by the recipient, such as a business Intranet login page or the recipient’s bank. When the target enters their access credentials on a fake website, the information is shared with cybercriminals who can use it to drain their bank accounts or access sensitive personal or business data.

Email Phishing Scam Example
Source: phishing.org
Example of an Email Phishing Scam
Source: phishing.org

#2 Email Phishing Scams that Send Malicious Attachments: Some phishing emails contain malicious attachments, including trojan viruses, malicious scripts or ransomware. The attachment may be disguised as a different type of file (PDF, image, audio, etc.) and may have an intriguing name that encourages a curious target to open it. When the target opens the attachment, the email’s payload is activated, and the consequences may be severe. Cybercriminals can use malicious attachments to install viruses, steal or destroy critical data, obtain remote access to computers or networks, set up a ransomware attack, start an Advanced Persistent Threat (APT) attack and more.

#3 Email Phishing Scams that Impersonate an Executive: Some phishing emails work by impersonating an employee of the target’s organization, often someone in a position of power or authority over the target. For example, a cybercriminal might spoof their email to impersonate an executive leader within an organization, then send phishing emails to their employees with urgent instructions to share secure access credentials or send money to the criminal’s bank account. When the target believes they are receiving job-related instructions from an executive leader within their organization, they may be more likely to take action without considering the message’s authenticity.

While these types of phishing emails can be helpful to familiarize with, they are not extensive and threat actors are constantly inventing new ways to carry out these attempts. You may be surprised to know YouTube and other video-sharing websites contain many tutorial videos for these phishing and spamming campaigns, including detailed videos on how to create emails that will pass spam filters.

Avoid Getting Hooked: Report and Protect

The first step is understanding an email phishing scam attempt, so you don’t fall victim. The next step should include alerting the right contacts of an attempt so that it can be investigated and mitigated immediately. Everyone can report phishing emails to enhance their organization’s cybersecurity and help in the fight against cybercriminals. 

The Anti-Phishing Working Group (APWG) is an industry association focused on supporting a unified global response to cybercrime. Phishing emails can be reported to the APWG by sending an email to [email protected] They can also be reported to the United States Federal Trade Commission (FTC) at https://reportfraud.ftc.gov/. Most email providers have a feature that allows users to report phishing emails. These reports enable providers like Gmail and Outlook to investigate and block emails from malicious domains, disrupting the activities of cybercriminals. Phishing emails received at work should be reported to your company’s IT or security team. Your report will allow these teams to block the malicious domain and share information about the attack that could prevent your colleagues from falling victim.

Going after phishing attempts can sometimes feel a bit like a game of whack-a-mole. Once one attempt is mitigated, another one can pop up in a different way. Defending against phishing attacks should be an approach that protects against an ecosystem rather than just a link in an email. 

Your third step should include a partner or platform that can afford your security team the opportunity to spot these risks quickly. ZeroFox leverages AI-powered technology to quickly identify and remediate phishing, fraud campaigns and malware-based attacks. Whether through email, social media or malicious domains, ZeroFox quickly spots phishing links, sites and posts. We work on your behalf to not only stop phishing campaigns but dismantle the infrastructure behind them.

Get
Started

Stay Informed

Best practices, the latest research, and breaking news, delivered right to your inbox.