Phishing emails can steal sensitive data and cost companies' their reputation. However, protecting a company from these scammers doesn't need to be difficult.

What Is Email Phishing?

Phishing is when an attacker mimics a trusted person or brand in an attempt to steal sensitive information, or gain a foothold inside a company network. While phishing emails are by far the most popular, these attacks can also be sent through text message, social media, and even phone calls.

What Do Phishing Emails Do?

Phishing emails are a social engineering attack used to steal your personal information like passwords or credit card numbers. The victim receives an email appearing to be from a trusted company but which is actually from an imposter.

These malicious messages are crafted with the goal of the recipient clicking on a link or email attachment that contains malware. Phishing links often redirect to fake login pages that look very similar to legitimate websites. If the victim enters their real login information into the site, the attacker will have a copy of those credentials for themselves.

Email attachments work in a similar fashion, but install malware directly on the PC that tried to open the file. This malware can silently collect data and keystrokes and then send this information back to the attacker. This presents an even more dangerous situation where now the attacker can attempt to move further into the network, or create backdoor access to reinfect the network later.

4 Types of Phishing Emails

Not all phishing attempts are created equal. While most fraudulent messages are sent indiscriminately, some are carefully crafted to look as real as possible. Let’s take a few phishing email examples.

Email Phishing

General email phishing is the most common type of attack you’ll see. It's estimated that nearly three billion phishing messages are sent every day, with a majority of those messages being sent in massive waves to thousands of recipients.

These attacks often impersonate well-known brands, and disguise themselves as shipping updates, password reset requests, and overdue invoice notices from fictitious companies.

Spear Phishing

Spear phishing emails use a much more targeted approach to trick their victims by using company specific information to make their messages even more believable. Information such as phone numbers, email signatures, and staff names are used in these attacks to appear as legitimate as possible. Attackers spend time collecting this information on websites, and sometimes stealing it from other email addresses that have been compromised.

Another common technique is for the attacker to use a cousin domain to send their messages from. For example, if the attacker was targeting Microsoft.com, they would register “Micosoft.com” and send their emails from that domain. When combined with other targeted information spear phishing emails can be tough to spot.

Whaling

Whaling phishing is very similar to spear phishing, but goes an extra step further by targeting specific high level staff within an organization. The goal of whaling is to impersonate a C-level executive and use that authority to pressure staff members into sending sensitive information.

Phishing attacks that use this strategy often target other high level members within a company, putting sensitive information that most staff members don’t have access to at risk. Scams commonly ask for tax information, financial documents, or even wire transfers during whaling attacks.

Business Email Compromise

Business Email Compromise (BEC) is a targeted attack that focuses on companies who frequently conduct wire transfers and have global partnerships. Attackers use keyloggers, spoofed domains, and phishing attacks with the primary goals of tricking the victim into wiring money into the attackers account.

"How to Protect Against Advanced Email Threats"

Common Signs of Spoofing & Phishing

Fraudulent emails can be tough to spot, but if you know where to look, identifying them gets a lot easier. While it’s better to prevent phishing in the first place, here’s what to look for when trying to identify a phishing email.

1) Phishing Emails Often Contain Misspellings

Many email scams originate from countries where English is not the native language, this leaves scammers relying on translation apps that don’t always work as intended. Watch out for multiple misspellings, especially in emails that claim they are from a well-known brand.

Fraudulent messages may also contain words that are grammatically correct, but used in the wrong context. While misspellings don’t prove an email is a phishing scam, they should raise a red flag and signal to the reader that more time should be spent studying the legitimacy of the message.

2) Study the Sending Domain Closely

As mentioned earlier, some attackers will attempt to register domains that look very similar to legitimate companies. Always study the sender and their domain when the validity of an email is in question.

Watch out for misspellings in the domain, or deception in the “From” field of the message. For example, attackers will send a phishing email from the sender “ABC Bank Alert”, so the message ends up looking like it's from [email protected].

3) Is the Message Using Fear or Urgency?

Email fraud is designed to get victims to click links that compromise their machines, or steal their credentials as fast as possible. Attackers use urgency to compel victims into taking action quickly so their scam won’t be discovered until it’s too late.

If an email is threatening legal action, stating you’ve been hacked, or saying you owe significant fees, don’t take action too quickly. Study the email closely to verify the sender, and when in doubt contact the person directly using a verified phone number if you think it may be real.

4) Be Cautious of Links & Attachments

Even seemingly innocuous attachments can contain a malicious payload hidden inside. Links inside of emails can contain redirects, which immediately send you to another site when the link is clicked. This makes taking a proactive approach to stopping these attacks the most effective way to keep a staff inboxes safe. Only click on links or download attachments from trusted senders that you’re familiar with, and are certain are the person you think they are.

4 Protections to Put into Place

The best way to avoid clicking on a phishing email is to prevent it in the first place. Unlike virus protection, you cannot simply install one program that stops attacks from getting through. To prevent phishing effectively, a series of protections must be put in place.

1) Have a Proactive Phishing Response Plan

Having continuous detection and response can prevent attacks, and streamline the remediation process if an attack does occur. Then it can automatically prioritize incidents, and automate triage and claw-back as soon as an attack is detected.

2) Implement DMARC for Your Domain

DMARC combined the power of SPF and DKIM to stop domain spoof attacks and reduce spam. Together these three records help defend against spam as well as attacks that attempt to utilize spoofed addresses.

As joint founders of DMARC, Agari uses DMARC records combined with AI-powered phishing detection to completely prevent spoof attacks, and pivot our protection methods based on new threat data.

3) Train Staff to Identify Phishing Attempts

Email training can help drastically reduce the number of fraudulent emails opened, and work to consistently reduce exposure to email-based threats. Outside of standard educational content, organizations can test their staff with internal phishing campaigns that measure email open rates, link clicks, and responses.

4) Turn On Two-Factor Authentication

Two factor authentication (2FA) provides an extra layer of protection that goes beyond login credentials. Even if credentials are stolen, 2FA prevents that information from being used to access systems without the owners consent.

How to Report a Phishing Email

If you believe you have been phished, change your password immediately from a secure machine. If you believe your credit card information or bank details are at risk, contact your provider immediately to prevent further compromise. If you’ve fallen victim to an email scam or received a phishing email, there are a few simple steps you can take to report them. If you’ve received a malicious email, you can forward it directly to the FTC at [email protected]. If the message was a text message, you can forward it to SPAM (7726). You can then report the attack by visiting http://ftc.gov/complaint.

The Advanced Fortra Advantage

Fortra's Cloud Email Protection combats email threats by stopping phishing attempts before they ever reach the inbox. The solution utilizes DMARC Protection, as well as its core Identity Graph to identify new threat trends as they emerge by proactively scanning trillions of messages. As new threat patterns are identified, they are automatically applied to your threat database, ensuring even the newest types of attacks are thwarted. And even if the phishing emails make it in, PhishLabs' Suspicious Email Analysis can remediate them and even automate claw-back.

No matter where your email is hosted, Fortra offers a wide variety of integrations into platforms like Microsoft 365, Microsoft Exchange, and Google Workspace. Setup is simple, and doesn’t require any downtime, meaning no missed emails during setup.

If you’re looking to protect your company from phishing emails and prevent data loss, Fortra's Advanced Email Security solutions can help.

SCHEDULE A DEMO

What Is Email Phishing? Protect Your Enterprise