Email Phishing Attacks: The Hits Keep on Coming
By: Jim Stickley and Tina Davis
January 15, 2019

The tactics are too many to count, but some email phishing attacks are bigger than others. Hackers pretend to be well-known and trusted entities like Microsoft, Dropbox, PayPal, Netflix, and many, many others. Part of the phishing lure is posing as those companies you trust and use on a daily basis. Over time, hackers learn from success and failure. They use this history to sharpen their tools going forward – laser-focused on finding the best ways to gain your trust and fool you into taking the bait. In many ways it doesn’t seem fair to dupe unsuspecting users into providing sensitive data like financial account numbers, logins, passwords, and other information you’d never normally share with total strangers. You’d be right, it’s not fair, but then hackers don’t have much of a conscience. Their only goal is taking advantage of users and then capitalizing on that stolen personally identifiable information (PII) to fatten their bank accounts.

Looking into two high-profile email phishing attacks – Microsoft Office and Dropbox – helps shed some light on new hacking tactics. The campaign plays the two services off each other: taking the bait for one provides access to the other account. Once that happens, credentials are stolen, and hackers are off to the races with your PII. Millions of unsuspecting users at work or at home use these two services on a daily basis; both are familiar and trustworthy sources holding your PII. As a result, users typically don’t take a closer look at the domain names and web page formats. In this case, sub-domain names are used for the phishing attack. Sub-domains are easy to create – think of them as sub-categories of a filing system on a particular subject. Here, an email that appears to come from the primary domain (Microsoft or Dropbox) sends users to a bogus sub-category of the website that is loaded with malware. The bottom line is that if you’re not paying close attention to the URL you’re being redirected to – game on.
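The sub-domain trick above works because readers scan a hostname left to right and stop at the familiar brand, while browsers resolve it right to left: the part that decides where you actually land is the registrable domain at the end. The following is an added example, not code from the article or its authors, showing how a defender-side checker can surface that mismatch. The brand list, the sample URLs and the helper names (`registrable_domain`, `classify_url`, `demo`) are all constructed for this illustration; the two-label rule for the registrable domain is a simplification that a real tool would replace with the Public Suffix List.

```python
from urllib.parse import urlsplit

# Brands the article names, mapped to the registrable domain a genuine login
# page sits under. Constructed for this example, not an authoritative list.
TRUSTED = {
    "microsoft": "microsoft.com",
    "dropbox": "dropbox.com",
    "paypal": "paypal.com",
    "netflix": "netflix.com",
}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (the part that is registered).

    Simplification: a production check should consult the Public Suffix List so
    that hosts like 'example.co.uk' are split correctly; two labels are enough
    to demonstrate why 'microsoft.com.secure-docs.example' is not Microsoft.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_in_subdomain(host: str):
    """Return (brand, registrable_domain) when a trusted brand name appears in
    the sub-domain labels but the host is registered under something else.
    Returns None when the host really belongs to the brand or shows no lure."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in TRUSTED.values():
        return None  # genuinely under the brand's own registrable domain
    # Everything to the left of the registrable domain is attacker-controlled.
    sub_part = host[: -len(reg)].rstrip(".") if host != reg else ""
    sub_labels = sub_part.split(".") if sub_part else []
    for brand in TRUSTED:
        if any(brand in label for label in sub_labels):
            return brand, reg
    return None


def classify_url(url: str) -> dict:
    """Parse a URL the way a browser would and list the reasons it is suspect."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    result = {"host": host, "registrable": registrable_domain(host), "warnings": []}
    if parts.username is not None:
        # 'https://dropbox.com@dl-share.example' – text before '@' is userinfo,
        # not the host; the browser connects to whatever follows the '@'.
        result["warnings"].append("userinfo before '@' hides the real host")
    hit = brand_in_subdomain(host)
    if hit:
        brand, reg = hit
        result["warnings"].append(f"'{brand}' appears only as a sub-domain of {reg}")
    return result


# Constructed sample links of the kinds described in the article: one lure
# built from sub-domain labels, one userinfo lure, and one legitimate link.
SAMPLE_URLS = [
    "https://login.microsoft.com.secure-docs.example/auth",
    "https://dropbox.com@dl-share.example/file",
    "https://www.dropbox.com/s/abc",
]


def demo() -> list:
    """Classify the constructed samples; returns the list of result dicts."""
    return [classify_url(u) for u in SAMPLE_URLS]


if __name__ == "__main__":
    for r in demo():
        status = "SUSPECT" if r["warnings"] else "ok"
        print(f"{status:8} {r['host']:45} -> {r['registrable']}  {r['warnings']}")
```

The check deliberately reports the registrable domain next to the warning, because that is the value a user or an email-gateway rule should compare against the brand they expect; the brand name appearing anywhere to the left of it carries no trust at all.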

These two email phishing attacks expose a newer sub-domain hacking tactic, but plenty of the “old” tactics still work incredibly well. This past year, internet giants Facebook and Google lost a combined $100 million due to a hacker using email phishing to pose as a computer parts vendor. Even during the recent soccer World Cup championship in Moscow, Russia, email phishing cons promised users tickets or a prize to attend the event. Even property rentals, vacation or residential, can be risky. Bargain prices for vacation and other rentals that sound too good to be true – are, but not before countless victims are duped into providing payment information as a down payment on the property.

The fight against email phishing may seem hopeless, but it’s not. Informed and aware users are the best weapons, and the more they know about scam tactics, the safer they’ll be. Ongoing education for employees has no doubt stopped many phishing attacks that would otherwise have succeeded. Knowing what to look for, and what not to fall for, is vital if individuals and employees are to avoid taking the bait. Always make sure emails are from senders who really are who they claim to be – picking up the phone is a great way to verify the sender. Never open emails or click on attachments unless you’re 100% sure the sender is legitimate. Not falling for “too good to be true” offers can also save a lot of headaches. Education and awareness are tops on the list for avoiding email phishing scams – make sure you’re one of the “in the know” crowd.