10 ways to spot phishing attacks on your practice

July 24, 2018

Phishing is big business - don't take the bait.

In the last year, phishing attacks have seen a meteoric rise as attackers continue to refine tactics and share successful types of attacks.

In particular, they’ve taken advantage of the malware-as-a-service offerings on the dark web in order to increase the efficiency and volume of attacks. In fact, 91 percent of cyberattacks and their resulting data breaches now begin with what’s known as a spear phishing email message. As a result, dental offices should take the time to learn to recognize phishing to protect critical data.


We often associate phishing with cybercrimes that relate to online banking: crooks send an email luring you to a website that’s a visual clone of your bank’s login page, where you enter your credentials into a phony form and drop them right into the criminals’ laps.

But phishing covers more than just fake banking sites and links to life-enhancing pills or package deliveries: it’s really just about dangling bait in front of you and waiting for you to swallow it, providing the attackers with useful and valuable information.

Phishing campaigns are generally more successful when they use contextually relevant lures, and between 2013 and 2015, phishing attack trends followed consistent and predictable patterns. During each of these three years, phishing attacks tended to increase from month to month before finally surging in the fourth quarter of each year, during the holiday seasons.

However, this wasn’t the case in 2016. Instead of peaking at the end of the year, phishing attacks crested in the middle of the year, with localized spikes in attacks that took advantage of regionally specific events or periods of fear and anxiety. For example, uncertainty around the United Kingdom Brexit vote was exploited to target government departments in May and June 2016. In the United States, tax return season saw IRS-themed attacks increase by 400 percent over previous years.

As mentioned, phishing covers more than just fake banking emails and package delivery alerts; it’s about convincing you to provide something valuable to the attackers. What started off as simply “phishing” has now developed into three branches of attack: the classic mass phishing campaign, spear phishing, and the recently emerging Business Email Compromise tactic, which is a subset of spear phishing.


Mass phishing

These attacks are largely opportunistic, taking advantage of a company’s brand name to try and lure the brand’s customers to spoofed sites where they’re tricked into parting with credit card information, login credentials and other personal information that will be later resold for financial gain.

  • Targets the assets of individuals

  • Typically consumers of a brand’s products or services

  • Impersonal batch and blast

  • Focused on stealing personal data, such as login credentials


Spear phishing

The other kind of threat is spear phishing, where emails impersonating a specific sender or trusted source are sent to targeted individuals within an organization to get them to take certain actions, like sending money to spurious accounts.

  • Targets the assets of a specific organization

  • Typically an individual or specific group in an organization

  • Spoofed (look-alike) email addresses to aid conversion

  • Impersonates trusted sources and senior executives

10 tell-tale signs of phishing

The “tells” you can look for to help suss out potential scams are:


  • It just doesn’t look right. Is there something a little off with a particular email message? Does it seem too good to be true? Trust your instincts.

  • Generic salutations. Instead of directly addressing you, phishing emails often use generic names like “Dear Customer.” This use of impersonal salutations saves the cybercriminals time.

  • Links to official-looking sites asking you to enter sensitive data. These spoofed sites are often very convincing, so be aware of what personal information or confidential data you’re being asked to reveal.

  • Unexpected emails that use specific information about you. Information like job title, previous employment or personal interests can be gleaned from social networking sites like LinkedIn and is used to make a phishing email convincing.

  • Unnerving wording. Thieves often use unnerving wording (such as saying your account has been breached) to trick you into moving fast without thinking and, in doing so, revealing information you ordinarily would not.

  • Poor grammar or spelling. This is often a dead giveaway. Unusual syntax is also a sign that something is wrong.

  • Sense of urgency. “If you don’t respond within 48 hours, your account will be closed.” By creating a sense of urgency, the thieves hope you’ll make a mistake.

  • “You’ve won the grand prize!” These phishing emails are common, but easy to spot. A similar, trickier variation asks you to complete a survey (thus giving up your personal information) in return for a prize.

  • “Verify your account.” These messages spoof real emails asking you to verify your account. Always look for signs of phishing and always question why you’re being asked to verify - there’s a good chance it’s a scam.

  • Cybersquatting. Often, cybercriminals will purchase and “squat” on website names that are similar to official websites in the hopes that users go to the wrong site (e.g., google.com vs. g00gle.com). Always take a moment to check out the URL before entering your personal information.
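Several of the tells above (generic salutations, urgency wording, prize lures, “verify your account” requests and cybersquatted look-alike domains such as g00gle.com) are regular enough to check automatically before a message reaches the front desk. The script below is an added example written for this article, not code from the article or from any vendor: it parses one email, scores it against those tells, and folds visually confusable characters (0 for o, 1 for l, rn for m, and so on) so a squatted domain is matched back to the real one it imitates. The allow-list `KNOWN_DOMAINS`, the helper names and both sample messages are constructed for illustration.

```python
"""Heuristic phishing 'tell' scorer (added example; not the article's code).

Flags generic salutations, urgency wording, prize lures, "verify your
account" requests, and look-alike (cybersquatted) domains such as g00gle.com.
KNOWN_DOMAINS and the sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.policy import default as default_policy

# Constructed allow-list: domains the practice legitimately deals with.
KNOWN_DOMAINS = {"google.com", "paypal.com", "example-dental.com"}

# Single characters commonly swapped for look-alikes in squatted names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Two-letter sequences that read as one letter at a glance.
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))

GENERIC_GREETING = re.compile(
    r"^\s*(?:dear|hello|hi)\s+(?:valued customer|customer|user|member|account holder)\b",
    re.I | re.M)
URGENCY = re.compile(
    r"\b(?:within \d+ hours?|immediately|urgent|"
    r"account (?:has been|was) (?:breached|compromised|suspended)|"
    r"will be (?:closed|suspended|terminated))\b", re.I)
PRIZE = re.compile(r"\b(?:you(?:'ve| have) won|grand prize|claim your (?:prize|reward))\b", re.I)
VERIFY = re.compile(r"\b(?:verify|confirm|validate) your (?:account|identity|information)\b", re.I)
URL_HOST = re.compile(r"https?://([^\s/:?#]+)", re.I)
SENDER_DOMAIN = re.compile(r"@([\w.-]+)")


def normalize_domain(domain: str) -> str:
    """Fold confusable characters so g00gle.com and google.com compare equal."""
    d = domain.lower().strip(".").translate(CONFUSABLES)
    for pair, single in MULTI_CONFUSABLES:
        d = d.replace(pair, single)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats like gogle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (adequate for .com-style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host: str):
    """Return the known domain that `host` imitates, or None if it is genuine or unrelated."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in KNOWN_DOMAINS:
        return None  # the real domain, or a real subdomain of it
    for known in KNOWN_DOMAINS:
        if host.startswith(known + "."):  # e.g. paypal.com.evil.example
            return known
        if normalize_domain(reg) == normalize_domain(known) or edit_distance(reg, known) == 1:
            return known
    return None


def score_message(raw: str) -> dict:
    """Parse one RFC 822 message and list the tells it triggers."""
    msg = message_from_string(raw, policy=default_policy)
    part = msg.get_body(preferencelist=("plain", "html")) or msg
    body = part.get_content()
    tells = []
    if GENERIC_GREETING.search(body):
        tells.append("generic salutation")
    if URGENCY.search(body):
        tells.append("urgency or fear wording")
    if PRIZE.search(body):
        tells.append("prize lure")
    if VERIFY.search(body):
        tells.append("verify-your-account request")
    m = SENDER_DOMAIN.search(str(msg.get("From", "")))
    if m:
        target = lookalike_of(m.group(1))
        if target:
            tells.append(f"sender domain {m.group(1)} imitates {target}")
    for host in URL_HOST.findall(body):
        target = lookalike_of(host)
        if target:
            tells.append(f"link domain {host} imitates {target}")
    return {"score": len(tells), "tells": tells}


# Constructed sample messages modelled on the article's tells (not real email).
SAMPLE_PHISH = """\
From: "Google Accounts" <security@g00gle.com>
To: frontdesk@example-dental.com
Subject: Action required

Dear Customer,

Your account has been breached. Verify your account within 48 hours at
http://accounts.g00gle.com/verify or it will be closed.
"""

SAMPLE_LEGIT = """\
From: "Dr. Smith" <smith@example-dental.com>
To: frontdesk@example-dental.com
Subject: Tomorrow

Hi Maria,

Agenda for tomorrow is at https://docs.google.com/agenda - see you then.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(score_message(raw))
```

The score is a count of triggered tells, not a verdict: a single hit (an urgent but genuine reminder from a colleague) is normal, while a message that combines a generic greeting, a deadline, a verification request and a squatted domain should be treated as hostile and reported rather than clicked. The domain check deliberately normalizes both sides, so it catches the digit-for-letter swaps the article describes (g00gle.com) as well as subdomain tricks like paypal.com.evil.example, but a real deployment would replace the two-label `registered_domain` shortcut with a public-suffix list.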