Click or Treat? How not to fall for phishing emails this Halloween

Spooky season is upon us. But while we’re busy carving Jack-o-Lanterns, donning witches’ hats, and hanging glow-in-the-dark skeletons, something far more sinister lurks in the shadows. The dreaded phishing email.

Cybercriminals don’t take a break from spamming consumer inboxes with fake  emails at any time of the year, and they’ll likely be using the spooky holiday and hike in Halloween sales as just another opportunity to pump out phishing scams to unsuspecting victims.

So to help you avoid scary scammer scenarios this Halloween and keep your personal information, bank account, credit card, and hardware safe, here’s some advice on what not to fall for in phishing emails this All Hallows’ Eve.

Cybercriminals can wear convincing costumes

Everyone knows that poorly impersonated domains (i.e. face-bo0k.com) are suspicious, but an email that comes from an address that matches a company’s exact domain is always safe, right? Wrong.

Exact domain impersonation – when a criminal spoofs a business’ domain and sends fake emails pretending to be them – accounts for a hauntingly huge percentage of successful phishing attacks. And businesses are wide open to this criminal costuming, unless they have a strong DMARC policy in place. When fully configured, DMARC (Domain-Based Message Authentication, Reporting, & Conformance) is the only email authentication protocol that stops exact domain impersonation.

But terrifyingly, as of May 2021, only 6% of the world’s top global retailers are fully DMARC compliant, meaning the remaining 94% could be impersonated at any time, and a phishing email from their domain could soon crawl its way into your inbox.

So don’t assume that an email is legitimate just because it comes from a business’ exact domain. If you’re unsure, you’re best off flagging the email to your security team. You can also check whether a business is DMARC compliant here.

And if you’re worried about your personal email address being impersonated, you don’t need to. DMARC has been widely adopted by most email receivers (including Google, Yahoo, and Microsoft), meaning the majority of global consumer inboxes are protected.

Beware! Don’t click suspicious links or attachments

In terms of advice on how to spot phishing emails, this is an oldie but a goodie. Phishing attacks are becoming more sophisticated, with many scammers using ‘social engineering’ and ‘spear phishing’ to trick victims into taking the bait. But most phishing emails will still use a phoney link or malicious file to gain access to private information or money. If in doubt, don’t click, and report the email immediately to your security team. If this is an email to your personal address try to find another way to access the information being shared in the email, for example navigating to the company’s homepage and going from there.

It’s worth remembering that more traditional rules-based file scanners and spam detection technologies can only do so much to stop bad apples dropping into your inbox. So your company should also have security awareness training and – ideally – advanced threat protection in place to help stop employees being tricked to click.

Double, double, toil, and be sure to double check that from address

While many attackers spoof exact domains to send their phishing scams, there are those that still rely on ‘lookalike domains’ to target victims. This form of email impersonation involves using a well-known or reputable brand (i.e. facebook.com) and changing it slightly to trick the recipient into clicking (i.e. facebo0k.com). See the difference? It’s sometimes harder to spot than you might think, especially if you’re in a hurry.

To avoid falling victim to the clutches of these sneaky scammers this Halloween, we recommend always double checking the sender’s domain name and ‘from’ address. If they look suspicious, that’s probably because they are.

Is this a trick?

Business email compromise is a big hit with cyber attackers. This is when the email pretends to be from your CEO, a senior member of staff, or someone else of importance in your business. These will often be bubbling over with urgency. Again, this type of scam is most effective when the business being targeted isn’t DMARC protected, meaning the attacker can impersonate its exact domain and it’s very hard for the victim to tell it’s fake.

It’s amazing how many people fall for an email purporting to be from their ‘CEO’ or ‘bank’ in the heat of the moment. But when you receive one of these out of the blue, it’s important to take a step back and question whether it actually makes sense given the context. Does it relate to any conversations you’ve been having recently? Does the supposed sender usually talk this way? Does it coincide with anything already happening in the business? And what’s the rush?

If you’re unsure, then checking to confirm with the individual it’s supposedly from in person or over the phone – and then reporting it to your IT team if it hasn’t been sent by them – is a good idea.

Leave it to the experts

We hope we’ve provided some useful tips on how to stay safe in the inbox this Halloween. But at Red Sift, we don’t believe it should only be down to the individual to spot the signs of a phishing attack, when technology can help to do the job better. Find out more about our email security products and what we do below.

PUBLISHED BY

Sabrina Evans

28 Oct. 2021

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more
Cybersecurity

Resilience Rising | Episode 3 with Kevin White

Red Sift

In this episode of Resilience Rising, Sean Costigan, Managing Director of Resilience Strategy at Red Sift, and Kevin White, Senior Operation Consultant with Enhanced Information Solutions, explore the critical intersection of wastewater management and cybersecurity.  The two highlight the health and operational impacts of cyber threats on water utilities, emphasizing the vulnerabilities due to…

Read more
Certificates

Your guide to PCI DSS 4.0 Cryptographic Requirements

Rebecca Warren

The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized framework designed to protect cardholder data during processing, storage, and transmission by merchants and service providers. PCI DSS outlines a set of stringent security controls that organizations handling payment card information must implement to mitigate the risk of data breaches and…

Read more
Certificates

How to build an inventory of certificates for PCI DSS 4.0 Requirement…

Rebecca Warren

We talk to organizations daily that are preparing for PCI DSS 4.0 requirements. March 31, 2025 marks the end of the transition period, and on this date, businesses must be fully compliant with PCI DSS v4.0.1.  One of the ways PCI 4.0.1 varies from PCI 3.2 is an updated Requirement 4, which covers encrypting…

Read more
DMARC

Getting started with the OnDMARC API

Nadim Lahoud

The OnDMARC API is great for performing bulk or repetitive tasks that need to be performed quickly, often and without error – and you don’t need to be a developer or even know how to code to use it. Here, I will walk you through how to perform the common task of updating the…

Read more