Click or Treat? How not to fall for phishing emails this Halloween

Spooky season is upon us. But while we’re busy carving Jack-o-Lanterns, donning witches’ hats, and hanging glow-in-the-dark skeletons, something far more sinister lurks in the shadows. The dreaded phishing email.

Cybercriminals don’t take a break from spamming consumer inboxes with fake  emails at any time of the year, and they’ll likely be using the spooky holiday and hike in Halloween sales as just another opportunity to pump out phishing scams to unsuspecting victims.

So to help you avoid scary scammer scenarios this Halloween and keep your personal information, bank account, credit card, and hardware safe, here’s some advice on what not to fall for in phishing emails this All Hallows’ Eve.

Cybercriminals can wear convincing costumes

Everyone knows that poorly impersonated domains (i.e. face-bo0k.com) are suspicious, but an email that comes from an address that matches a company’s exact domain is always safe, right? Wrong.

Exact domain impersonation – when a criminal spoofs a business’ domain and sends fake emails pretending to be them – accounts for a hauntingly huge percentage of successful phishing attacks. And businesses are wide open to this criminal costuming, unless they have a strong DMARC policy in place. When fully configured, DMARC (Domain-Based Message Authentication, Reporting, & Conformance) is the only email authentication protocol that stops exact domain impersonation.

But terrifyingly, as of May 2021, only 6% of the world’s top global retailers are fully DMARC compliant, meaning the remaining 94% could be impersonated at any time, and a phishing email from their domain could soon crawl its way into your inbox.

So don’t assume that an email is legitimate just because it comes from a business’ exact domain. If you’re unsure, you’re best off flagging the email to your security team. You can also check whether a business is DMARC compliant here.

And if you’re worried about your personal email address being impersonated, you don’t need to. DMARC has been widely adopted by most email receivers (including Google, Yahoo, and Microsoft), meaning the majority of global consumer inboxes are protected.

Beware! Don’t click suspicious links or attachments

In terms of advice on how to spot phishing emails, this is an oldie but a goodie. Phishing attacks are becoming more sophisticated, with many scammers using ‘social engineering’ and ‘spear phishing’ to trick victims into taking the bait. But most phishing emails will still use a phoney link or malicious file to gain access to private information or money. If in doubt, don’t click, and report the email immediately to your security team. If this is an email to your personal address try to find another way to access the information being shared in the email, for example navigating to the company’s homepage and going from there.

It’s worth remembering that more traditional rules-based file scanners and spam detection technologies can only do so much to stop bad apples dropping into your inbox. So your company should also have security awareness training and – ideally – advanced threat protection in place to help stop employees being tricked to click.

Double, double, toil, and be sure to double check that from address

While many attackers spoof exact domains to send their phishing scams, there are those that still rely on ‘lookalike domains’ to target victims. This form of email impersonation involves using a well-known or reputable brand (i.e. facebook.com) and changing it slightly to trick the recipient into clicking (i.e. facebo0k.com). See the difference? It’s sometimes harder to spot than you might think, especially if you’re in a hurry.

To avoid falling victim to the clutches of these sneaky scammers this Halloween, we recommend always double checking the sender’s domain name and ‘from’ address. If they look suspicious, that’s probably because they are.

Is this a trick?

Business email compromise is a big hit with cyber attackers. This is when the email pretends to be from your CEO, a senior member of staff, or someone else of importance in your business. These will often be bubbling over with urgency. Again, this type of scam is most effective when the business being targeted isn’t DMARC protected, meaning the attacker can impersonate its exact domain and it’s very hard for the victim to tell it’s fake.

It’s amazing how many people fall for an email purporting to be from their ‘CEO’ or ‘bank’ in the heat of the moment. But when you receive one of these out of the blue, it’s important to take a step back and question whether it actually makes sense given the context. Does it relate to any conversations you’ve been having recently? Does the supposed sender usually talk this way? Does it coincide with anything already happening in the business? And what’s the rush?

If you’re unsure, then checking to confirm with the individual it’s supposedly from in person or over the phone – and then reporting it to your IT team if it hasn’t been sent by them – is a good idea.

Leave it to the experts

We hope we’ve provided some useful tips on how to stay safe in the inbox this Halloween. But at Red Sift, we don’t believe it should only be down to the individual to spot the signs of a phishing attack, when technology can help to do the job better. Find out more about our email security products and what we do below.

PUBLISHED BY

Sabrina Evans

28 Oct. 2021

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
BEC

The threat of Business Email Compromise in US healthcare

Jack Lilley

Executive summary: Business Email Compromise is siphoning billions from U.S. healthcare by exploiting human trust instead of software flaws. Spoofed or hijacked messages authorize fraudulent payments, spark ransomware, and expose patient data—causing crippling financial, operational, and compliance damage. Deploying DMARC, MFA, and rigorous multi-person payment checks is now critical. 3 key takeaways Business Email…

Read more
Email

Cloudflare selects Red Sift as a preferred partner to provide DMARC and…

Rebecca Warren

AI-generated email attacks are rapidly growing in scale and sophistication, demanding stronger defenses from at-risk organizations. Starting today, Red Sift is excited to announce a new strategic partnership with Cloudflare, the leading connectivity cloud company, to deliver its market-leading email security application, Red Sift OnDMARC, to a broader global audience.  Today’s alignment enhances Cloudflare’s…

Read more
Cybersecurity

New Zealand moves to mandate DMARC enforcement

Jack Lilley

Executive summary: New Zealand’s Secure Government Email Framework mandates DMARC at p=reject—plus hard-fail SPF, universal DKIM, enforced MTA-STS, and TLS-RPT—by October 2025. The rules replace SEEMail, curb soaring phishing losses, and will affect every organization that emails the public sector. Key takeaways: The New Zealand Government has recently published the Secure Government Email (SGE) Common…

Read more
BEC

DMARC: The best ROI for your organization

Jack Lilley

Executive summary: Implementing DMARC delivers one of the clearest, fastest returns on investment in email security. By authenticating outgoing mail and blocking spoofed messages, DMARC cuts the direct costs of phishing and Business Email Compromise, safeguards brand reputation, and boosts deliverability—ultimately driving revenue and trimming operational workload. Key takeaways: Email is a critical communication tool for…

Read more