
How To Recognize And Avoid Phishing Scams

What are you doing to protect your business from catastrophic cyber attacks? Last year, The White House released a statement titled “What We Urge You To Do To Protect Against The Threat of Ransomware”.


KINDSEY: Davin, if you’re ready, I’m going to hand the show over to you.

DAVIN: Yes. Thank you so much, Kindsey. I love hearing those introductions. Kindsey always does such a great job. I’m excited to be here today. Of course, like Kindsey said, we’re doing another deeper dive. We previously went from weekly and now we’re going to be doing them once a month, so at the end of every month – I believe it’s on the last Thursdays – you should be able to tune in and catch another topic on cybersecurity.

Today we are going to talk about how to recognize and avoid phishing scams. You all probably get tons of emails every single day, and probably 1 out of 10 is a malicious email or something. So today we’re going to talk about how to avoid falling for one of those scams.

Of course, if you have questions, feel free to put them in the chat. I’ll try to answer them all at the end. We’re going to keep it short, 30 minutes, but let’s go ahead and get started.

First, what is a phishing email? I like this picture because after you click on a phishing email and find out that it’s a phishing email, this is usually the face you make. There are different types of phishing email. Basically, a phishing email is a spin on words, “fishing.” It’s a cybercriminal trying to lure you in or dangle a fake lure to get you to click on a link or give them information such as credit card numbers, bank account numbers, passwords, credentials, usernames, anything valuable to them. They’re trying to bait you to latch on and give that information up.

Of course, you’ve heard of phishing emails. Phishing is where someone is basically impersonating another person in the organization or another organization trying to get you to click or download malware onto your computer or give them information. There’s different types.

Phishing emails are sent out en masse. There’s a cybercriminal probably sending out 100,000+ phishing emails to everyone they can. The way cybercriminals are working, they are looking for conversion rates. If they get 1% of that 100,000+ phishing emails that result in ransomware, they’re a millionaire in a couple of days or a week or two. That’s how cybercriminals are thinking when they’re talking about phishing emails. But there’s also spear phishing. That’s a very targeted attack, a very targeted phishing email, and for example, it often happens to new employees.

For example, you get a new employee and they put on LinkedIn, “Happy to be working at (blank-blank-blank).” Well, if a cybercriminal sees that, they see it as an easy target because that new employee most likely hasn’t gone through cybersecurity training or has no cybersecurity training or doesn’t really know how the organization operates yet, so they can send them a very targeted, specific cyberattack to try to lure them into becoming a victim or statistic or a phishing email or a successful cyberattack.

There’s also vishing (voice phishing) or a malicious caller – someone calling you trying to impersonate someone else. There’s also compromised emails: actual, legitimate emails from within your company that have been compromised. They’ve most likely been compromised because that person themselves has fallen for a cyberattack, for a phishing email, and they may have given their credentials to their personal email or their business email. From there, you get an email from them and everything looks great. Everything looks fine. You trust that source.

So there’s multiple different types of phishing emails, but we’re going to learn how to really avoid all of them.

Why is it so important? What’s been going on in cybersecurity? Well, in 2021, 83% of organizations – that’s a huge number, first off – 83% of organizations experienced a successful email-based phishing attack. That means a user got a phishing email and they either did something risky, such as clicking on that link, clicked on a bad link, downloaded an attachment that had malware, downloaded malware, and they may have provided credentials, gave someone their login and their password, or even in some cases sent money. You think, “That’s crazy. Oh my goodness, I would never do that.” But it happens every single day, and cybercriminals are getting rich off of it. So you have to be prepared and you have to know what to look for.

But what’s crazy is that from 2020 to 2021, we saw a 46% increase in successful phishing attacks. So there’s a problem. Something’s going on. Where did this come from? It didn’t come out of the blue.

Such phishing emails and the increase in phishing emails really started when COVID took off. Of course, because we were working from home, maybe even had hybrid work models, we had to rely on social media or different chat resources, Slack, or we had to rely on emails to connect and interact with one another. Basically, that opened the door for cybercriminals because we had to blindly trust the person we were talking to, because we couldn’t see them face to face. So phishing emails took off.

But we’re not hopeless, you’re not hopeless, your employees aren’t hopeless because there’s things that you can do to prepare your employees, your organization, and everyone else to not become a victim of a phishing email.

Today we’re going to talk about a process called S.L.A.M. SLAM stands for sender, link, attachment, and message. You get an email, you go through these four easy steps – easy to remember, SLAM – sender, link, attachment, message. You go through those and you’ll find red flags through each stage. If you don’t find a red flag in the sender stage, maybe a link is another red flag. So you go through this and this gives you a better chance of avoiding a phishing scam.

Sender. This is the first step. Of course, you get any email, you look at who it’s from. You look at the sender. Do you know this person? Do you maybe recognize the name, or do you even know the company it’s coming from? When you do that, you need to make sure that their email address is correct. Is their domain verified? Is it a domain that you recognize?

When we talk about domain, like Gmail, Yahoo, or our personal, @irontechsecurity.com. Do you recognize that? But even if you do, sometimes those email address domain names can be spoofed or fake, so they’re faked to be made to look like a real one. They could have maybe one simple letter change or they could add a word in there or they could even add a letter. Just for my personal sake, the end of mine is @irontechsecurity.com. It could be @ironandtechsecurity.com or @irontechandsecurity.com. It would look normal, but that one little change can make a difference.

Next is, were you expecting an email from that person? Of course, you get emails randomly all the time, but if they’re asking for something specific or asking to click a link or something like that, were you expecting that? That’s something to think about. We talk about emails becoming compromised; well, when you get an email, make sure it’s from someone you trust. But don’t stop there. If there is the possibility of it being compromised, that happens usually from poor password management, which is something we can talk about down the road. We’ve done webinars about password management. But when you share your credentials, that mix-up can happen where email becomes compromised.

You have to go through these short simple steps when getting an email from someone, a possible phishing email. Main thing, do you know the sender? We’re going to look at an example quick.

This example, this picture right here, this is actually a simulated phishing email that we send to all of our clients. It’s sporadic. We have multiple different phishing emails. But it’s an amazing training tool that we use not only for our clients, but for our employees as well at IronTech Security. We’ll just focus real quick on the sender. You can see in this specific example it says “Human Resources.” Well, you get an email from Human Resources in your organization, “That’s legitimate; I should check it out.” But first you go through the sender stage.

You can hover over a name or wherever it’s coming from, so Human Resources. If I hovered over this, the actual email address it would say is from hr@onlinehr.net. For my specific organization, that domain name, I have no idea what that is from. That is no affiliation to IronTech Security. So that’s the first red flag. But also, I’m not expecting an email from Human Resources, so that’s the second red flag just by going through the sender stage.

But that’s not where you stop. SLAM, you got to S, now you go to L, link. Links are one of the most common ways cyber attackers will try to lure you and bait you. This is easy because all it takes is one click. If you just click on the link, it could either download something malicious to your workstation, to your network, or it can take you to another website, a fake website, to extract more information out of you.

For example, say the specific email that we just looked at, click on the link, it actually took you to a website asking for your bank information. If I’d fallen for the phishing email and put in my bank information, that’s how easy it is to fall for that phishing attempt. Some advice: if you get an email and you see the link and you’re not too sure, you can hover over it and it’ll show you what the full link is. Multiple times in phishing emails, you’ll see a link, but it may just be the word of “link” underlined, highlighted in blue. It doesn’t show you where it’s going to take you. Or it may just say “click here.” That’s an easy way because curiosity killed the cat – okay, click here, click on it, and now either you have something malicious on your device that could result in ransomware or it’s taking you to that other website.

But if you hover over it, it should show you the full link or exactly where it’s wanting to take you without you having to click. Even if you’re still not sure, when you’re in doubt, do not click. You don’t have to. Just do not click.

We’ll look at this example from that same phishing attempt. We went through sender. If I didn’t see any red flags, let’s keep going through the message. There’s a link. If I hovered on that link, it would show me that it’s trying to take me to the website for more bank information. That is the step I would take. First off, in my personal experience, because I’ve had training, I would know not to click on that link. But if someone didn’t and they hovered over it, that would be a step they could take to understand that this is at least something I’m not comfortable with; I should send this to my information security team – if you have one – to check it out.

That’s another important aspect of the infosec team that we’ll get into later. But sender: check out the name, make sure it’s someone you trust and you know, domain’s correct. Link: hover over it. If you’re in doubt, do not click.

Keep going through SLAM. You go to attachments. Attachments are another way cyber hackers can get malware on your device resulting in multiple different things, but of course, everyone knows ransomware. The reason cyber attackers and cybercriminals use attachments to bait you, to lure you in, is because of curiosity. Like I said, curiosity killed the cat. Usually they use enticing names for that file or that attachment to make you click on it. Maybe if you’re an accountant, it could say “Financial report from (blank).” Maybe a client of yours. It could be a spear phishing attempt, so they know your new employee – “He doesn’t have training yet. We’ll send him this. He probably thinks it’s a client of theirs. He’ll click on it. We got one.”

There’s things you can do, of course, to look for those red flags. One, if you’re not expecting an attachment, why would you get one? People most likely are not going to send you one out of the blue. Curiosity killed the cat, but it can also save it. If you’re curious, if you’re not too sure about the attachment, like I said, you don’t have to click on it. Ask someone or send it to your infosec team, and they can check it out. They can tell you. But don’t risk your device, your workstation, your network, just because you’re curious. If you get an attachment from an untrusted source that you’re not sure, that’s a red flag.

I briefly want to talk about another tool. It’s an EDR tool. Say you clicked on that attachment. You messed up, oh no. Well, if you had EDR (endpoint detect and response) – we’ve done a webinar regarding that, but that’s a tool that would be able to help you. It’s a preventative cybersecurity measure that would be able to help you in the instance “oh no, you clicked on this” and maybe now it’s trying to access another folder or create a folder in the background. The EDR will be able to stop that.

There’s multiple cybersecurity tools that you can do to add to your layers of security, but in this specific case, you open an attachment, EDR is a good tool. I’d love to talk to you all about it, but we’re going to continue with the SLAM method. When in doubt, do not click, and ask your infosec team.

The next is one of the most important parts of SLAM, and that is the message, the actual content of the phishing email. The first thing you do, you look at the sender. “I trust them. I think it’s someone I can trust.” You see a link, “That’s not too important.” There’s no attachment, “All right, we’re good.” Let’s really analyze this message. In my personal experience, I analyze the message first because that’s usually where you can catch some mishaps.

Usually – I say usually; nowadays, cyber attackers are getting very, very good – but sometimes you’ll see possible misspelled words or bad grammar. Those are things that can give away a phishing email. But like I said, nowadays, cybercriminals understand this. They are looking for those conversion rates, so they’re trying to make it look as legitimate as possible just to get you to click or to open that attachment or to give them the information they’re asking for. You still have to look for those little red flags, but there might not be any in that message.

So next you move on to the call to action. Usually in a phishing email, they’re going to try to create a sense of urgency or try to get you to do something, as in open the file or click the link or even you’ll see, in the message coming up, “act quickly” or “we need this asap” or “your account will expire if you don’t put in your login and password.” Things like that. Those are red flags. First off, that should catch your attention. That’s not normal. Your employee from down the hall wouldn’t send you, “Hey, I need your bank information asap. Can you please send this to me?” He’d call you – “Hey, can I get this real quick?”

Those little misspelled words, bad grammar, calls to action, and that sense of urgency are red flags you need to watch out for that will give away an actual phishing attack.

You can see in this message, the same phishing attempt that we’ve been reviewing through this presentation, you can see the sense of urgency that it’s trying to create. Let’s dive through the message. You can see it says “updating our direct deposit,” asking for bank information, “please click on the link to confirm or update your bank information,” “we need to submit the paperwork asap.” It had Human Resources, the sender, first red flag; the link, second red flag; now we’re down to the message, and it’s creating that sense of urgency that “we need you to give us your information immediately.” Third red flag.

So this is a perfect example. You may have gotten an email like this today. Hopefully you didn’t click on it. You see all those red flags in that one message, that’s something that you need to let your other employees know, “Hey, this message is going around. I know it’s a phishing link. Please stay away,” or you need to inform your infosec team. If that’s IronTech Security, you would send that over to us and we would analyze it, make sure it’s okay. If it’s not, we’d tell you and all your other employees, “This is going on. Be wary of this phishing attempt.”

But if you don’t have that security team, at least do your part. You’ve gone through SLAM, you’ve identified it’s a phishing email; do your part by helping your other employees out as well.

Say you went through the whole process and you’re like, “I still think it’s all right,” click on it, and it’s actually a phishing attempt. What could happen?

First, of course, the big ones: lost data and ransomware. Most phishing emails’ aim is to infect your computer or your network, lock up those files, that data, basically everything you need to operate, and the ransomware is trying to lock those up. Of course, in turn, you must pay a ransom, and then they’ll give you the encryption key or release the files, things like that. But the main thing is even when they’re asking for the ransom and you pay the price, $50,000+ – of course it’s going to be more than that, but you go ahead and pay it. Most of the time, the cybercriminals could delete the information anyways or they give you the encryption key but they don’t release all of the data that you need. So you’re still in the hole and you lost all this money.

When we talk about money, the financial aspect, the financial loss of what could happen by simply clicking on a link, opening an attachment – that’s what should really open your eyes. Doubled in the past year from 2020 to 2021. The average financial loss of a total cyberattack ranged from about $750,000 to almost $2 million. That’s just the average in 2021.

This is the cost including downtime, actually paying the ransom, the time for people, getting new devices, repairing devices, repairing your network, opportunity loss – all of these financial aspects that you have to think of when your employee could simply click on a link and you could possibly be out of business because of this financial loss, just by clicking on a link. That really opened my eyes, and I know it probably opens a lot of business owners’ and employees’ eyes as well.

But that’s not all that could happen. Reputation loss as well. I know reputation is a huge factor in all business. Business runs off of trust and relationships, and when you lose that trust from your current clients, from prospects, that’s when basically your business is useless. No one can trust you, and what are you supposed to do now? During a ransomware attack or a data breach or overall cyberattack, of course your business is at risk. Your clients’ information is at risk. There’s laws coming, and some are already in motion and already actual laws – if you have a ransomware attack or a cyberattack or if you have a data breach, you have to report that. You have to make it known to your employees and clients and let everyone know that this has happened.

There’s no hiding an attack or a ransomware attack anymore. Your reputation is at risk without having the proper training to prepare your employees to know not to click on a link or to know “I’m not too sure about the sender; maybe I should ask someone about this.” Simply clicking on that attachment could either put you out of business financially or could ruin your reputation for years, because trust takes a long time to build back. And it all could be lost by simply clicking on a link.

Last thing is the personal impact. Of course, it impacts your clients’ and your prospects’ lives, but also, it doesn’t just happen to businesses. It also happens in your personal life – say Facebook, Instagram. Reputations and things have been ruined because of – let’s keep it simple to social media hacks, or say your credentials were compromised. You fell for email, you get one from Facebook, you think it’s from Facebook, you didn’t follow SLAM, you give them your credentials; now your Facebook account is compromised and they have the keys to the kingdom. They can do whatever they want with your personal life.

Those are things to think about when discussing phishing emails and actual training and understanding what to look for.

This is one of my favorite examples right here. We’re talking about what could happen. This is the absolute best scenario that you could hope for if you’ve gone through SLAM and you still click on that link. This is the number one thing that you would hope and pray that would happen. You clicked on the link and you get this message. Of course, you’d have to be a client of Kirkham.IT or IronTech Security, but this shows that you’ve just fallen for a simulated phishing email. You’ve fallen for a training exercise.

We take your mistakes and turn them into a learning experience. We show you what you fell for, how we got you, what to look out for next time, a short video explaining everything. It’ll probably even go through the SLAM method with you. But it’s very, very, very important training that is needed, that is a necessity, that’s essential to all organizations, to all employees.

That’s because your employees are your first line of defense. Human error is inevitable. Like I said before, how would you learn SLAM, how would you know what to look for? This is where continuous cybersecurity training is essential. It just has to be done. You have to have it for simple reasons such as knowing not to click on a link. That could save your business. You’re a personal entrepreneur, personal business owner, you’ve been building a company for 10-15 years and finally you’re at a good spot – if a new employee fell for a spear phishing attempt, they click on that attachment, and now you have ransomware, you’re $500,000 in the hole, and your reputation is ruined, what do you do?

It all could’ve been avoided with preparing and equipping your first line of defense – your employees – with the proper training and tools that they need to have the best chance to protect your organization. Because human error is inevitable. This is one of the craziest stats that I think regarding cybersecurity: 95% of successful cyberattacks came from human error. That’s not meaning your employees are malicious cybercriminals or they’re cyber attackers. No, that’s simply because we go through the motions of our day to day work, click on a link, see an attachment, open it, and now the successful cyberattack has begun. But this could easily be avoided with training.

“Yeah, I have annual training once a year. That’s usually good enough.” Well, it used to be good enough. That’s the thing. Now cybersecurity training is not one and done. Continuous training once a month or even weekly – that is what’s needed in today’s world. And it’s not something we can just ignore. It’s not like cyberattacks are going to go away. It’s something we have to live with and we have to prepare ourselves for.

So what do you do? “My team, my employees, they need training, or we at least want to figure out where we stand and where our security posture is.” My sole advice is: speak with an infosec specialist. Speak with me. I’m not shoving sales down your throat; all I want to do is we’ll talk about your current organization, what’s going on with your network, what security you already have in place, and then from that, we’ll develop a plan to put the proper security controls in place to make sure you have the best chance regarding a cyberattack, a phishing email, make sure your employees are equipped with the training that they need to overall protect your organization.

Now, you see the meeting.irontechsecurity.com – that’s going to be in the chat. You can click on that, you can schedule a short 30-minute meeting with me. It’ll be real quick over Zoom. We’ll talk about all these things and figure out the best route specific to your organization. Or you can shoot an email to sales@irontechsecurity.com and we can get back to you that way.

But overall, if you want something quick, reach out on that phone, (479) 397-1200. Give me a call and I’d love to talk to you, see what’s going on, talk about cybersecurity training, whatever options would fit best for your organization, and we can go from there.

If you have any questions, I know we’re right at the 30-minute mark from when we started; if you have any questions, feel free to put them in the chat box. I’d love to answer those for you. Let’s see what we’ve got.

KINDSEY: Davin, I do have one for you: “How do you prevent hacking on your Facebook, Instagram, and Snapchat accounts?”

DAVIN: That’s a good question, and that happens all the time. Pretty sure my grandma’s Facebook has been hacked multiple times. But that comes down to the simple fact of poor credential management, password management, or a weak password. What I would recommend is, one, do not reuse passwords no matter what. Something as simple as Instagram, Snapchat – those are the kinds of accounts where a lot of people reuse their passwords, but of course, that results in your social media being compromised.

But also – and Tom put in the chat box – turn on MFA. Wherever you can use MFA, turn it on because if your credentials are compromised, someone tries to log in, the next thing they have to do is reach in your pocket – there we go, I’ve got mine right here – get your phone, and then they have to get the 4- to 6-digit code that is needed to log into your account. So my main recommendations: do not reuse passwords, look for a password manager – we actually have a password manager that we recommend and can provide for you – as well as turn on MFA. It’s needed, it’s essential. Anywhere it can be turned on, use it.

KINDSEY: We have another question. This one’s from Connie. What is MFA?

DAVIN: Oh, yes, good question. Multi-factor authentication. That is where basically you log in – we’ll just keep it simple. Facebook. You put in your login, your password. You click submit or log in. Next it’ll take you to another screen and it’ll say basically “We sent a 4-digit code to your phone. Can you please type that in?” You’ll get a text or email on your phone. It’ll have the 4- to 6-digit code. You’ll type that in, and then you’ll have access to whatever you’re trying to log into. If it’s Facebook, you’ll have access to Facebook. Multi-factor authentication, MFA. That’s what that is.

KINDSEY: It’s also known as 2FA or two-factor authentication. Different platforms call it different things. We do have one more that says when you’re talking about hovering links, just a comment from Bruce, it says: “Yes, hover is your friend. Caution, you can’t often hover when you’re using a tablet.”

DAVIN: Yes, that’s true.

KINDSEY: If you are using a tablet, you don’t have the ability to hover, but you should have the ability to preview the link.

DAVIN: Yeah, you should have the ability. And if you don’t, if you can’t hover, like Tom says, you can long press, hold it down, and it may pop up. But even if that’s not working, when in doubt, do not click the link. Ask someone, refer it to your information security specialist. If there’s other red flags, of course, refer it to your information security specialist. That’s a good point to bring up regarding mobile devices, tablets, things like that.

KINDSEY: Just one comment to add about the password manager. The password manager that we use and resell actually has MFA or 2FA built inside of it. The application does it all for you. You don’t have to use two different things, like the password manager and Google Authenticator. Even just use Keeper for the MFA and your passwords.

DAVIN: It’s very user-friendly.

KINDSEY: Most definitely. If we have any other questions, please feel free to throw them in the chat box, in the Q&A box. We can stay on here as long as we need to. And if we don’t see any come in, I just want to thank everyone for joining us. We will be doing another webinar at the end of the month. Davin, do you have the title of that one pulled up?

DAVIN: I do not, but we will be talking about NIST and the NIST assessment. NIST is a security and risk assessment that you can do for your organization to understand your current security posture, where you’re vulnerable, and of course, from there fill in the gaps that are needed to get your security posture to where it needs to be.

KINDSEY: Alrighty, everybody. Thanks again for attending. Just shoot Davin an email or give him a call if you have any questions. Even if it’s just for a short little chat, he would love to help you. Thanks, everybody. We’ll see you next time.

DAVIN: See you.