There’s a fine line between customer engagement techniques and those deployed by fraudsters. Here’s how to avoid being caught in the spam net
We are constantly urged to stay vigilant to spam and malicious emails. Threat actors’ increasingly sophisticated tactics and mimicry of organizations pose a serious problem for businesses attempting to engage with their customers without appearing to be scammers.
Humans are often the weakest link in cybersecurity defenses, and one of the most popular ways to gain a foothold in a victim’s network or PC is to craft a phishing email, which may contain malicious content, links, or exploit kits.
These emails can range from spam messages proclaiming that you have an inheritance waiting from a long-lost relative to more sophisticated, crafted emails that masquerade as coming from legitimate banks, payment providers, loan companies, and more.
Social engineering can make malicious emails appear authentic. This includes reconnaissance on victims to learn about their relationships and work status, as well as what tactics may be the most successful in phishing attempts – such as playing on professional or family connections, fear, or interests, or by emulating trusted sources.
Cybersecurity firms are constantly warning consumers to be on the alert for suspicious messages landing in their inbox.
However, some of the tactics employed by phishers are also used by genuine companies to promote consumer engagement or simply within the workplace between teams, which can lead to confusion and legitimate emails being reported as fraudulent.
It’s all about psychology
Successful phishing, just like marketing and company messages, is rooted in the human psyche.
Speaking to The Daily Swig, UK psychotherapist, hypnotherapist, and body language expert Nick Davies said that successful phishing messages are “designed to trick the primitive hardwiring in your brain to engage you in behaving against your better judgment”.
The five main ways this is achieved are below:
- Moving away from pain: The wish to avoid something unpleasant, such as a jail term, fine, or censure for a missed deadline.
- Moving towards pleasure: If we respond, our lives will be better – think windfalls, tax rebates, or improved status.
- Short time frame: You only have a small window to take advantage of something, a prospect that can trigger anxiety or fear.
- Authority: The email is from a position of authority and must be responded to and complied with. This could include the taxman, a bank, or your boss.
- Scarcity: If you don’t respond now, an opportunity will end and there will be negative consequences.
At first glance, many of these psychological tricks may not be immediately apparent in genuine corporate communications. However, marketing and sales messages exploit not our desires to own a product, but the fear of missing out – thus tactics like time-sensitive sales events are commonplace.
In business, colleagues may communicate with messages deemed ‘urgent’, they may be letters or statements signed off by a prominent executive, or they may urge you to download attachments as they contain ‘key’ information, a tactic being employed currently in Covid-19 phishing campaigns.
Psychology aside, there are other factors that may flag up corporate communication as a phish or threat to personal security.
Poor grammar, typographical errors, and unprofessional layouts can all indicate that all is not what it seems.
The use of HTTP links rather than HTTPS is now frowned upon, but that is not the only trigger: emails sent from domains other than official company addresses, and the growing use of marketing trackers, can also lead to company emails being blocked by spam filters.
A recent example flagged up by SANS Fellow Johannes Ullrich on Twitter shows how an email sent from healthcare.gov not only used a different domain but also implemented a long-winded tracking link that did not reveal the real URL to users, a prospect likely to arouse suspicion.
“Although tracking codes can be a great tool for marketers, they can often cause problems as they allow fraudsters to use these same tools to measure the efficacy of their attacks,” Alan Blaney, managing director of Focus Training, told The Daily Swig.
Another emerging issue is attachments. Large, archived, and document attachments can appear suspicious as they are so often used to deliver malicious payloads and exploit kits.
Corporate best practices
These are our recommendations that organizations should follow to reduce the risk of legitimate emails being flagged up as phishing attempts.
- Use authentic business emails and domains: The most sure-fire way to ensure legitimacy. Cybersecurity vendor Red Sift told us that domain fraud prevention standards including DMARC and BIMI can improve email deliverability and help prevent spoofing.
- Transparency in trackers: Tracking links should keep numbers of characters to a minimum and be as authentic-looking as possible.
- Use correct grammar: Phishing emails often originate from non-English speaking countries and removing typos can indicate legitimacy.
- Attachments: As common attack vectors, these should be avoided whenever possible, especially if they are archived file types.
- Avoid urgency: Fear and anxiety about time pressure are commonly exploited human weaknesses, so organizations should not emulate scammers in this regard.
- Keep signatures up to date: Broken social media links and URLs, as well as outdated telephone numbers, can make emails appear fraudulent.
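As an added illustration of the DMARC point in the list above (example code, not from the article or from Red Sift), here is a small Python checker that parses a domain’s DMARC TXT record and reports whether it actually enforces a policy, whether it will deliver spoofing reports, and whether it meets BIMI’s prerequisite of an enforcing policy. The sample records are constructed for the example, and the DNS TXT lookup itself is left out.

```python
# Constructed sample DMARC TXT records (not real domains' records).
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "missing.example": "",
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ("tag=value; tag=value") into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> dict:
    """Report policy strength, reporting, and BIMI readiness for one record."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "enforcing": False, "bimi_ready": False,
                "findings": ["no valid DMARC record; receivers cannot tell spoofed mail from yours"]}
    findings = []
    policy = tags.get("p", "none").lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0  # malformed pct treated as 0
    # Subdomain policy defaults to the organisational policy when sp= is absent.
    sub_policy = tags.get("sp", policy).lower()
    enforcing = policy in ("quarantine", "reject") and pct == 100
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if tags.get("sp") == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address, so you will not see who is spoofing the domain")
    if tags.get("adkim", "r") == "r" and tags.get("aspf", "r") == "r":
        findings.append("relaxed alignment lets any subdomain satisfy SPF/DKIM alignment")
    # BIMI requires an enforcing policy (quarantine/reject at pct=100) and no sp=none.
    bimi_ready = enforcing and sub_policy != "none"
    return {"valid": True, "enforcing": enforcing, "bimi_ready": bimi_ready,
            "findings": findings}
```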
Tonia Dudley, security solutions advisor at phishing education provider Cofense, said that flexibility is also key to companies preventing inaccurate phishing reports.
Speaking to The Daily Swig, Dudley said staff should also be encouraged to change how communication emails are crafted according to internal standards.
“Organizations have been training their users to look for suspicious emails for years and users are getting good at reporting these,” Dudley said.
“Oftentimes they are hypersensitive to reporting emails that are legitimate. Allowing this flexibility to customize the necessary notifications can help curb over-reporting.”