Theft of Government Official’s Campaign Emails: 3 Tipoffs to Avoid Having YOUR Email Hacked

Hillary Clinton’s presidential campaign put email security on the forefront of the news for much of that year. Clinton’s campaign was targeted by international hackers, and unfortunately some of their tactics worked. The Associated Press deconstructed the incident and found that hackers worked their way around the Clinton campaign’s digital security to steal chairman John Podesta’s emails in March 2016. Future campaign groups recognized this incident as a lesson to button up their security protocols, but that has still proven not to be enough. During the most recent presidential campaign in 2024, there were multiple reports of hacking attempts against political parties via phishing scams. Beyond election campaigns, the government remains a huge target for hackers, with major phishing scams occurring throughout 2024 and into 2025.

Whether a government agency, a manufacturing enterprise, or a local bank, the fact is no one is safe from cyber crime. Phishing has become a huge challenge for small and mid-sized businesses in recent years. Small businesses are often ill equipped to combat cyber criminals and are thus easier targets; demands from hackers can stretch into the millions, even for SMBs.

So what can anyone do about it? Let’s dive deeper and see how the hackers can lure employees with phishing schemes.

3 Clues to Identifying Potential Phishing Scam Emails

  1. Does the sending address look fishy? If it does not, it can be hard to initially flag as a scam. The googlemail.com domain is one Google uses legitimately and would appear legitimate. A malicious sender can always spoof the sending address, however. This would make the “from” address appear valid. You can’t rely just on the email address.
  2. What is the content of the email? If an email service provider suspects your account is compromised, you probably won’t receive a link to click to change your password. Instead, you’ll find instructions on actions to take after logging in to your account. This allows you to update your password yourself. Whenever a company asks that you make updates or verifications to your account—whether it’s an email account or a social media login or an online store—it is always good practice to open a new browser window and navigate to the page yourself.
  3. Can you tell where the email’s link points? If the email directly asks you to click a link, where is that link taking you? In some cases, the link doesn’t look suspicious, like https://bit.ly/2iXYEF7. While the link here is harmless, you can immediately see that before clicking the link, you have no idea where it will take you.
    • “Bit.ly” links are what are called URL shorteners. Some common shorteners you’ve probably seen are ly, goo.gl (Google’s own shortener), owl.ly, and tinyurl.com. If you cannot tell where a link will take you, never click it! Even still, the sender can type in one address and send you to another. To combat this, in most software, you are often able to hover your mouse over the link. Either the real address will be shown at the bottom of your browser or, if in Outlook, a tooltip will indicate where you will be taken. Try this on the links below to see how this can differ:
    • Click here to change your Gmail password!
    • https://www.gmail.com/accounts

Real World Examples of Email Phishing (You Could Encounter Yourself)

Phishing emails can take on all different kinds of forms and appearances. They remain a prime tactic for hackers and the source of many major data breaches each year. Some of the most common phish attacks are through Google Docs, PayPal scams, email account upgrade/reset schemes, and fake invoicing.

Here are some examples of email phishing attacks to be aware of:

  • Account Update: Have you ever received an alert from Google or Outlook to update your account credentials? Cyber criminals will craft fake emails that appear to come from a legitimate source, like Amazon customer support, Google, or a legitimate organization you recognize and trust. They will ask you to update your account information using a fake site to gather your real login details.
  • Message from the “CEO” or Leadership: Another play hackers will try is to impersonate your CEO, a bank, or a legitimate organization. Cybercriminals hide their presence in small details like the sender’s email, using a similar naming convention to what the company uses.
  • Invoice Attachments & Links: This kind of scam relies on urgency and fear to “pay your overdue invoice” or else. Scammers will email you about invoice or payment information in attempts to gather your financial information. Finance departments are a major target for this sort of attack, but many other groups are also targets. Everyone has bills!
  • Dropbox: Dropbox is an online file sharing platform and it’s a popular tool for hackers to use for fake file sharing. Cybercriminals lure users by saying a file is too large to attach in an email, so you must use/click the Dropbox link. This fake link can direct you to a fake page or a faulty file within a Dropbox – double whammy! Be cautious of any file sharing via email, especially from untrusted contacts or those outside your organization.
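Clue 1 (a “from” address can be spoofed) and the “CEO” example above (a sender address that merely resembles the company's) can both be checked from the message headers. The following is an added example, not code from the original article: it compares the From domain with a trusted list, checks Reply-To, and reads the DMARC verdict from the Authentication-Results header. The trusted domain `example.com` and both sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED = {"example.com"}  # assumption: the organisation's real mail domain

# Constructed messages; every name and domain is a placeholder.
SPOOFED = (
    'From: "Jane Doe, CEO" <jane.doe@examp1e.com>\n'
    "Reply-To: jane.doe@mail.example.org\n"
    "Authentication-Results: mx.example.com; spf=pass; dmarc=fail\n"
    "Subject: Quick request\n\nAre you at your desk?\n"
)
GENUINE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Authentication-Results: mx.example.com; dkim=pass; dmarc=pass\n"
    "Subject: Q3 numbers\n\nAttached.\n"
)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_sender(raw_message):
    """Return the reasons this message's sender deserves a second look."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reasons = []
    for good in sorted(TRUSTED):
        # A domain one or two edits away from a trusted one is a lookalike.
        if 0 < edit_distance(domain, good) <= 2:
            reasons.append(f"{domain} resembles {good}")
    reply = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply and reply != domain:
        reasons.append("Reply-To domain differs from From domain")
    # Trust only the Authentication-Results header your own mail server adds.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdict = re.search(r"\bdmarc=(\w+)", auth)
    if not verdict or verdict.group(1).lower() != "pass":
        reasons.append(f"dmarc={verdict.group(1).lower() if verdict else 'missing'}")
    return reasons

print(audit_sender(SPOOFED))
```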

What can Prevent a Phishing Scam Today?

Many people make a simple but very easy mistake when it comes to phishy emails – they don’t report them. You should report the email as soon as you suspect it’s malicious.

Email scams in these recent elections came down to a single email and human error. It was all it took to kick off a firestorm of media coverage, government sanctions, and enough finger pointing to last us a lifetime. Email phishing scams are simple and criminals can send them to thousands of companies, organizations, and people. It’s not a grand security intelligence technique with custom software that masterminds these hacks. It’s one of the easiest and most effective methods known, using what everyone already has on their computers and uses each day.

Training your team about the dangers of fake email schemes is important to protect them and the business. Security awareness training can empower teams with knowledge about the online dangers that lurk around every corner, including their inbox. Educate people on what to look for and how to report suspicious emails to their IT team. Criminal tactics are getting trickier and we must stay ever vigilant in the fight to protect ourselves from digital cybercriminals.

Interested in Security Training for Your Teams?

Contact NetGain today for more information on how we can educate your teams about cybersecurity and protecting their inboxes!

NetGain’s Cybersecurity Awareness Training is a complimentary, live session designed to equip employees with essential cybersecurity knowledge and tools to combat cyber threats. DOWNLOAD the data sheet for more information!
