How to deceive an employee

British security firm Sophos produces software that companies use to find out whether their employees are skilled enough to avoid the traps and deceptive emails of hackers. The practice of sending a deceptive email is called “phishing” and is very common: the victim receives a seemingly harmless email, often resembling one from their bank or their company, in which they are prompted to click on a text link or an image. The link leads to a page where the victim is persuaded to enter sensitive data, or it directly downloads malware, i.e. a program that damages the computer or steals important data.

For some time now, companies, especially the larger ones, have been trying to prevent phishing and ask security experts to send deceptive emails to their employees without warning (obviously without malware) to understand how they behave and evaluate whether they are ready to recognize the dangerous ones. As in a fire drill, a hacker attack is simulated to understand if the company is ready to react.

Sophos develops one of the many programs that send fake phishing emails to company employees, and a few days ago its blog Naked Security listed the ten types of email that most often misled victims in 2020. The list is interesting because we are used to thinking of phishing emails as flashy and ungrammatical: ads for miracle pills and romantic encounters. In fact, phishing done right is often hard to spot.

The new code of conduct. An email from the human resources office invites all employees to click on a link to read the company's new code of conduct, just updated. Usually the personnel department is very insistent on these issues, and employees are led to click without reading carefully.

We are late with the tax return. This email tells employees that the tax documentation to file the tax return may not arrive on time, and they are invited to click on a link to know when it will arrive.

Servers must be maintained. An email from IT support explains that in the next few days there will be extraordinary maintenance of the servers: to avoid problems, click on a link and see the complete calendar of all the work. Now that many people work remotely, everyone clicks.

You have a new thing to do. Many companies use automated systems to assign tasks to employees. Hackers find out which system each company uses and imitate an email that says something like: your boss has given you a new assignment, click here to find out which one.

We have changed the email system. IT technicians write to employees to say they are changing the email system. Could you click here to tell us if everything works?

We have updated the holiday calendar. If the company changes your vacation days and tells you to click on a link to find out what happens, you click.

You left the car lights on. The administrator of the building where the office is located writes to all employees because there is a car in the parking lot with its lights on. A photo of the car is attached: click on the link to see it.

We were unable to deliver your package. Click here to reschedule the delivery. Often these emails are customized to resemble those of couriers.

You have a new message on LinkedIn. This is a classic, it always works with all social networks.

On its blog, Sophos gives some good advice for avoiding being misled, which is useful even if you don't work in a company. First and foremost, never click thoughtlessly, because cybercriminals rely on the carelessness of their victims. Then pay attention to the flaws: many phishing emails are almost indistinguishable from the original emails they try to imitate, but there are always details (the sender's address, the fine print at the bottom of the email, a few spelling errors) that reveal the deceit. Finally, don't be afraid to check. If the personnel department sends a strange email, it is better to ask the personnel department directly about it.
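The details Sophos points to (the real address behind a trusted-looking sender, and a link that goes somewhere other than where its text says) can be checked automatically. The following is an added example, not Sophos' software or anything from the article; the sample message is constructed to mirror the "new code of conduct" lure above, and the trusted domain name is a hypothetical placeholder.

```python
"""Flag the tell-tale details that give a phishing email away:
a sender address that does not match the trusted-looking display name,
a Reply-To that leads elsewhere, and links whose visible text names one
host while the href points to another."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical: the domain the organisation really sends mail from.
TRUSTED_DOMAIN = "example-corp.com"

# Constructed sample modelled on the "new code of conduct" lure.
SAMPLE_EMAIL = """\
From: HR example-corp.com <hr-notices@example-corp-mail.net>
Reply-To: replies@mailbox-relay.example
To: staff@example-corp.com
Subject: Updated code of conduct - action required
Content-Type: text/html

<p>Please read the <a href="https://example-corp-mail.net/login">
https://intranet.example-corp.com/conduct</a> today.</p>
"""

LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'https?://([^/\s<>"]+)', re.I)

def host_of(url):
    """Return the lower-cased host part of a URL, or None if it has none."""
    m = HOST_RE.search(url)
    return m.group(1).lower() if m else None

def phishing_indicators(raw):
    """Return human-readable indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain and sender_domain != TRUSTED_DOMAIN:
        flags.append(f"sender domain {sender_domain} is not {TRUSTED_DOMAIN}")
    if TRUSTED_DOMAIN in display.lower() and sender_domain != TRUSTED_DOMAIN:
        flags.append("display name claims the trusted domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != sender_domain:
        flags.append("Reply-To goes to a different domain than From")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in LINK_RE.findall(body):
        shown = host_of(text)
        if shown and shown != host_of(href):
            flags.append(f"link text shows {shown} but points to {host_of(href)}")
    return flags
```

Run against the sample, the function reports all four details; a message really sent from the trusted domain with no mismatched links reports none.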
