Phishing is probably one of the most common and well-known social engineering fraud schemes today. Social engineering fraud refers to scams that rely on psychological manipulation to convince the victims. Google is reportedly blocking 18 million coronavirus scam emails every day and registered a record 2 million phishing websites in 2020. Even though phishing attacks are constantly evolving and becoming more sophisticated, the same basic principles still apply at the heart of an attack strategy.
Imitate, Motivate and Act
A phishing message will always strive to look like it originates from a trusted organization or individual. Most cyber criminals try hard to make their messages look legitimate and convincing, using the same fonts and copying colors, logos and branding to fool people.
Scammers tailor messages for one single reason — to motivate people to take action such as a click, reply, download, or tweet. Attackers exploit human instincts by crafting phishing messages that get victims upset, curious, infuriated, or anxious, in the hopes of provoking a response.
Act is the final step, the invisible hook lurking in a phishing attack. This could be a form that a user fills out, a click on a social media post or instant message, or simply a visit to a site that triggers a drive-by download. After a successful click or download, the victim may be left with malware that can evade detection for a long time.
Even a carefully crafted phishing attack displays revealing signs that the email is neither legitimate nor trustworthy. Listed below are six common signs to watch for.
Suspicious Sender Address
One of the trademarks of phishing is that hackers create fake sender addresses that appear authentic. Many hackers use generic email domains like gmail.com or yahoo.com, which makes them relatively easy to spot. Some might even use email spoofing to create fake email addresses where only the sender’s name is visible while the email address itself is hidden. As you might expect, many recipients of these emails don’t take the extra step of checking a spoofed sender’s address, especially on mobile devices.
Subject Lines That Raise Alarm
Creative attackers often use scare tactics in hopes that readers will click on malicious links, download attachments, or fill out forms due to worry, urgency, or confusion. The common message in these types of emails is that action is immediately required, payment is urgently needed, or sign-ins must happen now. For example: “New sign-on to your account,” “Suspicious activity detected,” “Password Expired,” and “Account closure” are all common subject lines one may find in a phishing attempt.
Use of URL Shorteners
URL shortening is a common technique used by social media giants like Twitter, LinkedIn, and Facebook that reduces the size and complexity of long website addresses (URLs) by replacing them with a short link. Hackers often disguise rogue URLs by using these shorteners, which prevents easy detection of known malicious sites or destinations. For example, instead of seeing an obvious URL that indicates a website in Ukraine, Romania or France, the reader of a shortened link cannot tell where it will lead or what they will find when they get there. Readers must immediately recognize this red flag and avoid clicking on a shortened URL.
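The three signs described above (a generic or mismatched sender address, an alarming subject line, and a shortened link in the body) can be checked mechanically. The following is an added example, not code from the original post: a small Python checker that parses a raw email and returns which of those red flags it exhibits. The organization name, its real domain, the sample messages and the small lists of webmail domains, shortener hosts and alarm phrases are all constructed for the example, not an authoritative feed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed indicator lists for this example; a real filter would use curated feeds.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "lnkd.in", "goo.gl"}
ALARM_PHRASES = ("new sign-on", "suspicious activity", "password expired",
                 "account closure", "immediately", "urgent", "action required")
URL_HOST_RE = re.compile(r"https?://([\w.-]+)", re.IGNORECASE)


def phishing_indicators(raw_message: str, org_name: str, org_domain: str) -> list[str]:
    """Return the red flags a single email exhibits, in the order the article lists them.

    org_name / org_domain describe the organization the reader would trust
    (assumed inputs), so a display name claiming that org from a foreign
    domain can be flagged as spoofing.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    flags = []

    # 1. Suspicious sender address: free webmail domain, or a display name that
    #    borrows the trusted organization's name while the address does not match.
    if sender_domain in FREE_MAIL_DOMAINS:
        flags.append("generic-sender-domain")
    if org_name.lower() in display_name.lower() and sender_domain != org_domain.lower():
        flags.append("display-name-mismatch")

    # 2. Subject line that raises alarm (urgency, account closure, sign-in scares).
    subject = msg.get("Subject", "").lower()
    if any(phrase in subject for phrase in ALARM_PHRASES):
        flags.append("alarming-subject")

    # 3. Shortened links in the text body hide the true destination.
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    hosts = {m.group(1).lower() for m in URL_HOST_RE.finditer(body)}
    if hosts & URL_SHORTENERS:
        flags.append("url-shortener")
    return flags


# Constructed sample messages (the shortener path is a placeholder, not a live link).
SAMPLE_PHISH = """\
From: Example Corp Security <security-team@gmail.com>
Subject: Suspicious activity detected - action required immediately
Content-Type: text/plain; charset=utf-8

Your account will be closed unless you verify now: https://bit.ly/placeholder
"""
SAMPLE_LEGIT = """\
From: IT Helpdesk <helpdesk@example.com>
Subject: Monthly newsletter
Content-Type: text/plain; charset=utf-8

Read it on the intranet: https://intranet.example.com/news
"""
```

Running `phishing_indicators(SAMPLE_PHISH, "Example Corp", "example.com")` returns all four flags, while the newsletter returns an empty list; the checker is a triage aid for reviewing reported mail, not a replacement for a mail gateway's own filtering.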
Social Engineering Red Flags
Because the underlying principles of manipulation remain constant, cyber criminals are known to apply similar techniques to other forms of communication. Sophisticated scammers are quick to target alternate channels like social media, telephone, or SMS.
How Insurance Can Protect You
Companies submitting social engineering claims have often faced coverage denials under their crime and cyber insurance policies. Crime policies can contain exclusionary wording that prohibits coverage for the voluntary parting of property or funds to a third party, which means that if an employee was deceived by an email or phone call thought to be authentic and released funds, no coverage is provided.
Coverage under a Cyber Liability policy will only apply if the network was breached or compromised. This inherently means that fraudulent email or phone instructions do not, by definition, constitute a computer system breach. Therefore, it is crucial to discuss coverage details with your broker. Properly crafted cyber liability and crime policies should indemnify your organization for any financial loss stemming from social engineering attacks.
At Hawley & Associates we pride ourselves on our unique approach to insurance. Our broad access to specialty markets and strong relationships with insurance carriers and underwriters give us an unparalleled advantage in aggressively negotiating policy terms & premiums, with your best interest in mind. Contact us today to learn more about our risk mitigation and insurance solutions.