Email phishing is not a new type of scam. “Phishing” is internet slang for “fishing”, and in this context it means fishing for information.
Online criminals are after your information, and the vast majority of what they collect is on-sold on the dark web. Why do people want your information? Well, that information could include your bank details, your email system logon or your Facebook details.
Why do scammers want your Personal Information?
- Bank details – self explanatory
- Email system logon – once a scammer has access to your email system, they can easily trick your colleagues into doing things such as making bank transfers or sending data
- Facebook details – they don’t want your pictures, but they do want your information. If you’re an executive, you could be targeted specifically by a spear phishing campaign. A scammer could use data they find in your Facebook account to trick you into clicking on a link.
Why email phishing works
Email phishing works on a very simple premise: straight-up deception. The email is disguised to look like one from a legitimate organisation, and it normally contains a threat that lures the user into clicking on it.
“Your bank account will close”
“You have an overdue balance”
“Your password has expired”
“You’re running out of space”
etc.
Clicking on a link in the email is often not the final part of the scheme. A typical phishing email will then present the user with a legitimate-looking logon screen for a particular service. The user needs to provide their username and password for the scam to be completed.
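The three ingredients described above (a sender disguised as a legitimate organisation, an urgency lure, and a link to a look-alike logon page) are exactly what a mail filter or a security team looks for. The following check is an added example, not code from the article: it parses a constructed Zoom-themed phishing message, flags a display name that claims to be Zoom while the address belongs to another domain, matches the lure phrases quoted above, and flags every link that does not land on a domain the brand actually owns. The attacker domain `zoom-meetings.example.net` and the recipient `someone@company.example` are placeholders; the set of legitimate domains (`zoom.us`) is an assumption the caller supplies, because the mail itself cannot be trusted to say who sent it.

```python
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Urgency lures quoted in the article; a production filter would carry many more.
LURE_PHRASES = (
    "account will close",
    "overdue balance",
    "password has expired",
    "running out of space",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: a Zoom-themed phish. The sender domain is a placeholder.
SAMPLE_EMAIL = """\
From: "Zoom Video Communications" <no-reply@zoom-meetings.example.net>
To: someone@company.example
Subject: Your Zoom password has expired
Content-Type: text/plain

Your Zoom password has expired. Sign in within 24 hours or your account will close:
https://zoom-meetings.example.net/signin?user=someone
"""

# Constructed benign sample from the brand's real domain, with no lure and no off-brand link.
BENIGN_EMAIL = """\
From: "Zoom" <no-reply@zoom.us>
To: someone@company.example
Subject: Your meeting recording is ready
Content-Type: text/plain

The recording for your meeting is available at https://zoom.us/signin
"""


def _body_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(
        part.get_payload()
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )


def _matches(host: str, domains: set[str]) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def phishing_indicators(raw_email: str, brand: str, legitimate_domains: set[str]) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs found in raw_email.

    brand: the name the mail appears to come from, e.g. "zoom".
    legitimate_domains: domains that brand genuinely uses (caller's knowledge,
    assumed here to be {"zoom.us"} for the sample).
    """
    msg = message_from_string(raw_email)
    found: list[tuple[str, str]] = []

    # 1. Display name claims the brand, but the address belongs elsewhere.
    display_name, sender_addr = parseaddr(msg.get("From", ""))
    sender_domain = sender_addr.rsplit("@", 1)[-1]
    if brand.lower() in display_name.lower() and not _matches(sender_domain, legitimate_domains):
        found.append(("sender-domain-mismatch", f"{display_name!r} sent from {sender_domain}"))

    # 2. Urgency lure in the subject or body.
    body = _body_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    for phrase in LURE_PHRASES:
        if phrase in text:
            found.append(("lure-phrase", phrase))

    # 3. Any link that does not land on a domain the brand owns.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not _matches(host, legitimate_domains):
            found.append(("link-domain-mismatch", host))

    return found


if __name__ == "__main__":
    for kind, detail in phishing_indicators(SAMPLE_EMAIL, "zoom", {"zoom.us"}):
        print(f"{kind:24s} {detail}")
    print("benign mail indicators:", phishing_indicators(BENIGN_EMAIL, "zoom", {"zoom.us"}))
```

The link check is the one that survives well-written lures: a scammer can fix their grammar, but the credential-harvesting page still has to live on a domain they control, so its hostname will not match the brand's.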
Why some email phishing attempts are written so poorly
We wrote an article on this particular phenomenon and the results were rather surprising. It turns out that there is a huge labour overhead in completing some scams, so a perfectly written email actually attracts too many potential victims.
Zoom email phishing must be different
The 2020 trend in Zoom email phishing isn’t different at all. The COVID-19 crisis saw a massive increase in Zoom usage – 200 Million daily users in April 2020 compared to just 10 Million in December 2019.
Scammers are simply following where the bulk of users are. With such a rapid explosion in users, many of whom never learned how to secure Zoom in the first place, there’s a huge chance that people who became so heavily reliant on Zoom so quickly will hastily click on a Zoom-themed phishing email.
However, there’s not much for a scammer to gain from stealing the credentials of a Zoom user.
What’s the secret behind going after a Zoom user’s password?
It’s not about Zoom at all. Zoom is just the lure that the scammers will use to get you.
Your Zoom password, like so many passwords, is the same password you use across multiple accounts. If you’re not really paying attention, you’ll probably find yourself on the Most Common Passwords lists each year. You will also suffer the same fate as many Disney+ users, who had their accounts breached as soon as the service went live in 2019, solely because they had used previously breached passwords.
Put simply: if you use the same username/password combination across multiple sites, a breach on one system is a breach on all systems.
The solution to email phishing (part 1)
The solution to email phishing is actually really simple.
If you have a unique username and password for every single one of your online accounts, one breach only affects one system.
Keeping your email system safe is imperative because of this: what happens when you click “forgot password”? Most of the time the system will email you a password reset link. If your email system is compromised, anyone can reset your passwords.
Use a Password Manager to help you keep unique passwords for each account.
The solution to email phishing (part 2)
In addition to having a unique password per account, also implement Multi Factor Authentication (MFA) across as many systems as possible.
Your password can still be breached through any online system you use. If the online system has poor security protocols, it won’t matter how super-duper your password is – the password will be known.
MFA adds another hoop for attackers to jump through, and this is the point at which they give up. It is hugely unlikely that an attacker will have access to your mobile phone and/or fingerprint in addition to your password.
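Parts 1 and 2 above make three claims that can be checked against a concrete model: a reused username/password pair turns one breach into a breach of every site that accepts that pair; a compromised mailbox lets an attacker reset the password of every account whose “forgot password” link lands there; and MFA stops both paths because a password alone, stolen or freshly reset, is no longer enough. The following is an added example, not code from the article: a small fixed-point calculation over a constructed set of one person’s accounts (all site names, addresses and passwords are placeholders) that returns which sites fall once one of them leaks its credentials, and then repeats the calculation after applying part 1 (unique passwords) and part 2 (MFA everywhere). The `Account` fields and the two propagation rules are assumptions of this model, not a description of any real site’s behaviour.

```python
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Account:
    site: str
    username: str
    password: str
    recovery_email: str | None = None    # where this site sends "forgot password" links
    controls_mailbox: str | None = None  # set only on the email account itself
    mfa: bool = False                    # second factor required at login


# Constructed sample for one person; every site, address and password is a placeholder.
ACCOUNTS = [
    Account("zoom.example", "sam@mail.example", "Winter2020!", recovery_email="sam@mail.example"),
    Account("mail.example", "sam@mail.example", "Winter2020!", controls_mailbox="sam@mail.example"),
    Account("social.example", "sam", "photos-and-cats", recovery_email="sam@mail.example"),
    Account("bank.example", "sam@mail.example", "Winter2020!", recovery_email="sam@mail.example", mfa=True),
    Account("shop.example", "sam@mail.example", "m7x-Q2p-vn9", recovery_email="sam@other.example"),
]


def blast_radius(accounts: list[Account], breached_site: str) -> set[str]:
    """Sites an attacker can log into after breached_site leaks its credentials.

    Two propagation paths are modelled: the same username/password pair being
    accepted elsewhere (part 1), and a reset link landing in a mailbox the
    attacker already controls (the "forgot password" point in part 1).
    MFA (part 2) blocks both, because a password on its own is not enough.
    """
    by_site = {a.site: a for a in accounts}
    seed = by_site[breached_site]
    known_pairs = {(seed.username, seed.password)}   # what the breach leaked
    controlled_mailboxes: set[str] = set()
    compromised: set[str] = set()

    progressed = True
    while progressed:  # iterate to a fixed point: stop when nothing new falls
        progressed = False
        for a in accounts:
            if a.site in compromised or a.mfa:
                continue
            reused = (a.username, a.password) in known_pairs
            resettable = a.recovery_email in controlled_mailboxes
            if reused or resettable:
                compromised.add(a.site)
                known_pairs.add((a.username, a.password))
                if a.controls_mailbox:
                    # Owning the mailbox means owning every reset link sent to it.
                    controlled_mailboxes.add(a.controls_mailbox)
                progressed = True
    return compromised


def with_unique_passwords(accounts: list[Account]) -> list[Account]:
    """Part 1: what a password manager gives you, one distinct password per site."""
    return [replace(a, password=f"unique-for-{a.site}") for a in accounts]


def with_mfa(accounts: list[Account]) -> list[Account]:
    """Part 2: MFA on every account."""
    return [replace(a, mfa=True) for a in accounts]


if __name__ == "__main__":
    leak = "zoom.example"
    print("as-is:           ", sorted(blast_radius(ACCOUNTS, leak)))
    print("unique passwords:", sorted(blast_radius(with_unique_passwords(ACCOUNTS), leak)))
    print("MFA everywhere:  ", sorted(blast_radius(with_mfa(ACCOUNTS), leak)))
```

In the as-is run the Zoom leak takes the mailbox through password reuse, and the mailbox then takes the social account through a reset link even though that account had its own password; the bank survives only because of MFA. With unique passwords the leak stops at Zoom, and with MFA everywhere nothing falls at all, which is the article’s point in both parts.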
Conclusion
Don’t be the low hanging fruit like so many others.
- Use a Password Manager to create unique passwords for all of your online accounts
- Got kids? Get them started early with a Password Manager. One of the main reasons people don’t adopt Password Managers is that, by the time they consider one, they already have too many online accounts.
- Implement Multi Factor Authentication