Email Phishing Scam

Some of you may have received an email that appeared to be from Eric Elnes asking you to do some type of task involving the purchase of gift cards.  Please know that this is a SCAM. Please delete the email and do not reply.

Countryside’s staff often get phishing emails.  Typically they are trying to impersonate Eric or another church leader.  They can get quite sophisticated and even use the church logo.  The most common sign of a phishing email is that the email address of the “reply to:” is not the correct email for the person being impersonated. Below is a document about Phishing Awareness that I have shared with the church staff and am now sharing with you.

Please note Countryside staff will not ask members individually to purchase gift cards for any reason.  If you have any concerns or questions, feel free to contact me or the church office.

Daniel Loven-Crum
Director of Administration and Communications | Countryside Community Church
Phone: 402.391.0350 ext. 226 | danl@countrysideucc.org

Phishing Awareness Training: 8 Things Your Members and Employees Should Understand

Not long ago, phishing was primarily aimed at the consumer market, and malware was considered the biggest threat to businesses. Today, phishing is the top social attack on businesses, responsible for more than 90 percent of security breaches. Because no cybersecurity solution can block 100 percent of attacks, your employees and members need training to understand what to look for to protect themselves from phishing attacks.

Phishing is becoming more sophisticated, and although there are dozens of techniques phishers can use to trick your employees and members, there are a handful of methods they rely on most. Below are just eight things your employees and members should understand about phishing:

1. Phishing Explained

Phishing is a type of fraud in which a hacker attempts to gather personal information or credentials by impersonating a legitimate brand and sending users to a malicious website. A common example of this is the Office 365 phishing attack: A hacker sends an email that appears to come from Microsoft asking the user to log in to their Office 365 account. When the user clicks on the link in the email, it takes them to a fake Office 365 login page, where their credentials are harvested. With Microsoft branding and logos both in the email and on the phishing page, an untrained user will not recognize the email as a phishing attempt.

2. Email Addresses Can Be Spoofed

Never trust an email based simply on the purported sender. Cybercriminals have many methods to disguise emails. They understand how to trick their victims into thinking a sender is legitimate, when the email is really coming from a malicious source. The most common types of spoofing are display name spoofing and cousin domains. With display name spoofing, the phisher uses a legitimate company name as the email sender, such as microsoftsupport@microsoft.com, but the email underneath is a random address like xyz@yahoo.com. Display name spoofing is most effective when a user views the email on a mobile device because the sender’s email address is hidden. Phishers are counting on the fact that most mobile users will not expand the sender’s name to view the email address.

A cousin domain looks identical to a legitimate email address, but it has been slightly altered. For example, to spoof an Apple.com email, the hacker might use Apple.co. In other cases, hackers will use extensions to trick users. Some examples include apple-support.org, apple-logins.net, and apple-securities.com. We’re also seeing an increase in lengthy, confusing subdomains, such as icloud.accounts@apple.it.support.zqa.ca.

3. Subject Lines and Emails Often Include Enticing or Threatening Language

Cybercriminals may promise “free iPhones to the first 100 respondents” or threaten that “your credit card will be suspended without immediate action.” Evoking a sense of panic, urgency, or curiosity is a commonly used tactic. Users are typically quick to respond emails that indicate potential financial loss or that could result in personal or financial gain.

Emails that have an aggressive tone or claim that immediate action must be taken to avoid repercussions should be considered a potential scam. This technique is often used to scare people into giving up confidential information. Two examples of this are phishing emails telling users their critical accounts are locked or that an invoice must be paid to avoid services being suspended.

In some spear phishing attacks, personalized emails from purported colleagues are designed to evoke fear of consequences at work. A classic example of this is an urgent email from a CEO requesting gift cards or a wire transfer. Receiving such a request from a top executive creates pressure for the employee and makes them more likely to respond quickly—without thinking it through. Another example is the direct deposit spear phishing email, which is designed to pressure an HR employee into changing direct deposit information.

4. Attacks Are Becoming More Targeted—and Personal

Many phishing attacks of the past were sent in bulk to a large group of users at once, resulting in impersonal greetings. The emails would often address a user with a generic term like “customer,” “employee,” or “patient.” Your employees should be cautious of these terms, because professional organizations commonly address users by their first name in email, but a personalized email is not a sure sign of a legitimate email. Today’s phishers are including the victim’s name in the subject line and prefilling the victim’s email address on the phishing webpage.

5. Phishing Emails Are Getting Better and Better

Employees need to read their emails carefully, not just skim them. Many phishing attacks and spear phishing attacks are launched from other countries, and although this can result in glaring grammar and stylistic issues, phishers have become more sophisticated. They have the resources to compose clean emails in their target language, and they make fewer mistakes. Employees should read emails carefully for both glaring and subtle grammatical issues that might indicate that the sender is not reputable. In a recent Office 365 phishing page discovered by Vade Secure, there was only one discrepancy between the real Office 365 page and the phishing page: an extra space between “&” and “Cookies” in the “Privacy & Cookies” link in the footer of the phishing email.

6. Links Aren’t Always What They Seem

Every phishing email includes a link, but phishing links are deceptive. While the link text might say “Go to Office 365 account,” the URL takes the user to a phishing page designed to look like Microsoft. Make sure your employees hover over all links before clicking them to see the pop-up that displays the link’s real destination. If it is not the website expected, it is probably a phishing attack.

It is most important to make sure that the core of the URL is correct. Be especially cautious of URLs that end in alternative domain names instead of .com or .org. Additionally, phishers use URL shorteners, such as Bitly, to bypass email filters and trick users, so be cautious of clicking on shortened URLs. IsItPhishing.AI can determine if a URL is legitimate or a phishing link. If you or your employees are in doubt of the legitimacy of a website, IsItPhishing can tell you.

7. Phishing Links Can Be Sent via Attachment

All phishing emails contain a link, but it’s not always in the email. To avoid detection by email security filters, hackers will include a phishing link in an attachment, such as a PDF or Word doc, rather than the body of the email. And because sandboxing technology scans attachments for malware, not links, the email will look clean. The email itself will appear to be from a legitimate business, vendor, or colleague, asking you to open the attachment and click on the link to review or update information.

8. Hackers Use Real Brand Images and Logos in Phishing Emails

Brand logos and trademarks are no guarantee that an email is real. These images are public and can be downloaded from the internet or easily replicated. Even antivirus badges can be inserted into emails to persuade victims into thinking an email is from a legitimate source. While most email filters can spot a known phishing URL, they cannot spot a counterfeit image unless they have machine learning and computer vision capabilities.

An Employee or Member Received a Phishing Email—Now What?
Dealing with the repercussions of a phishing attack is not only time consuming but costly.  Delete the offending email.