Have you ever signed into your email only to find a flood of unread emails? Silly question, of course you have. Some of those emails probably get deleted immediately, while others might sit idle in your inbox for weeks. Then there are those emails from your mom, your bank or your boss that require a prompt response… especially the ones from your boss (sorry mom). Have you ever had the feeling that maybe the email labeled as from your boss actually isn’t from your boss at all? This may seem a little far-fetched, but it does happen, and it happens quite often.
Phishing emails are seemingly harmless messages designed to trick the reader into handing over sensitive information, or into clicking a malicious link or attachment that collects it. “Phishing” is a play on the word “fishing,” because hackers are fishing for your personal information.
Phishing emails appear to be so authentic that people fall for them all the time. Large companies have also fallen prey to these scams. We’ve rounded up some of the most recent phishing examples to give you an idea of how easy it is to fall for these tricks.
Snapchat: The Fake CEO
Snapchat is a popular app used to send pictures and videos that disappear within seconds of viewing them. In February 2016, Snapchat learned that not all things are so short-lived. Targeted by an email phishing scam, the company inadvertently disclosed its payroll information, and a number of its employees, both current and former, had their identities compromised. A cybercriminal impersonated Snapchat Chief Executive Officer Evan Spiegel and sent an email asking for the information. One Snapchat employee did not recognize the email for what it was (a scam) and sent the requested information to the impersonator.
While Snapchat has not revealed specifics, payroll information could include salary information, Social Security Numbers, direct deposit bank data, addresses and so on. Snapchat apologized for the breach and stated, “we will redouble our already rigorous training programs around privacy and security in the coming weeks,” with the hope they will never have to apologize for the same mistake again.
The Tredyffrin Police Department: “Officer, It Wasn’t Me”
Three Philadelphia residents received emails from what appeared to be the Tredyffrin Police Department notifying them of speeding violations. However, the Tredyffrin police said they had nothing to do with sending those citation emails. As it turns out, they were sent by a cybercriminal.
It is suspected that the hacker behind the phishing emails was not interested in collecting fines from the victims, but rather was hoping the recipients would click on the email attachment, which would automatically download malware onto the individual’s computer and spread it. As soon as the police department caught wind of what was happening, they notified the public that citations are never emailed or sent in the form of an email attachment.
Magnolia Health Corporation: CEO Gone Phishing
Here’s another example of a hacker fraudulently posing as a company’s CEO. Magnolia Health Corporation (MHC) is a rehabilitation and nursing home healthcare provider, and now, a phishing scam victim.
In February 2016, an unknown cybercriminal gained access to CEO Kensett Moyle’s email account. With access to Moyle’s account, the hacker sent an email to an MHC employee asking for a spreadsheet with a list of sensitive employee information. The employee replied with the names, Social Security Numbers, salary details, job titles and departments, employee numbers, home addresses, birth dates, and hire dates of all MHC employees. The phishing email was sent on February 3rd and the scam went unnoticed until February 10th, when MHC sent an apology letter to its employees.
How to Identify a Phishing Email or Phishing Website
Phishing emails are very misleading. What may seem like a harmless email from your boss could potentially be an invitation to your company’s next data breach. So how can you avoid being deceived?
1. Learn to identify a phishing email. Most companies and professionals take spelling and grammar pretty seriously. If you receive an email from “your boss” asking for sensitive information and it’s filled with typos, you may want to consider checking the source. If the email looks even remotely suspicious, it’s safe to assume you’re being set up.
2. Now that you know how to identify a phishing email, learn to identify a phishing website. It is fairly easy for hackers to create spoof websites that look genuine. Phishing emails will often direct recipients to phishing websites. These phishing sites attempt to steal your account password and any other information the hacker can get their hands on. If you think a site is sketchy, do not sign in. Instead, close your browser and manually type the URL in a new browsing window.
3. Make sure your website isn’t the culprit. It’s quite possible phishing emails are being sent on your behalf, directing individuals to your website. If your site has been hacked, it’s bad news for you and your visitors. So how do you know if you’re hosting a phishing site? One option is to use a website scanner that continuously scans your site for vulnerabilities and malicious activity. As soon as it finds something, it will alert you.
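As an added illustration of the checks in the list above (this is not code from the original post or from SiteLock), the following Python script applies four of them to a raw email message: an executive’s display name on an address outside the corporate domain, a Reply-To pointing somewhere else, requests for payroll or Social Security data, and links that lead off the corporate domain. The corporate domain, the executive name and the sample message are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

CORPORATE_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
EXECUTIVES = {"pat example"}      # constructed: display names a phisher might borrow
SENSITIVE = re.compile(r"\b(payroll|social security|ssn|w-?2|direct deposit|salary)\b", re.I)

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def _is_corporate(host):
    return host == CORPORATE_DOMAIN or host.endswith("." + CORPORATE_DOMAIN)

def check_message(raw):
    """Return warnings for one raw RFC 5322 message; an empty list means nothing was flagged."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    # An executive's name on an address outside the company: the Snapchat and MHC pattern.
    if name.strip().lower() in EXECUTIVES and not _is_corporate(sender_domain):
        warnings.append(f"display name '{name}' but sender domain '{sender_domain}'")
    # Reply-To quietly steering the answer to a different mailbox.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != sender_domain:
        warnings.append(f"Reply-To '{reply}' is not on the sender's domain")
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    # Requests for the kind of data lost in the incidents above.
    hits = sorted({m.group(0).lower() for m in SENSITIVE.finditer(text)})
    if hits:
        warnings.append("asks for sensitive data: " + ", ".join(hits))
    # Links leading off the corporate domain (a possible spoofed sign-in page).
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlparse(url).hostname or ""
        if not _is_corporate(host):
            warnings.append(f"link to non-corporate host '{host}'")
    return warnings

# Constructed sample: a CEO-impersonation payroll request like the cases above.
SAMPLE = """From: Pat Example <pat.example@mail-example.net>
Reply-To: hr-requests@example-mail.org
Subject: Urgent payroll request

Please send the payroll spreadsheet with salary and SSN details for all staff today.
Upload it here: http://example-hr-portal.net/upload
"""
```

Run `check_message(SAMPLE)` to see all four warnings; a routine internal message on the corporate domain with no sensitive keywords returns an empty list.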
At the end of the day, always use your best judgment. If you find an email in your inbox from your boss asking for sensitive information to be sent electronically, think before you act. If you are at all skeptical, it is best to clarify (either in person or on the phone) before sending the information.
You can protect your website from phishing scams with the SiteLock Website Scanner. Call 877.798.5144 to learn more.