Click or Treat? How not to fall for phishing emails this Halloween

Spooky season is upon us. But while we're busy carving Jack-o-Lanterns, donning witches' hats, and hanging glow-in-the-dark skeletons, something far more sinister lurks in the shadows. The dreaded phishing email.

Cybercriminals don't take a break from spamming consumer inboxes with fake  emails at any time of the year, and they'll likely be using the spooky holiday and hike in Halloween sales as just another opportunity to pump out phishing scams to unsuspecting victims.

So to help you avoid scary scammer scenarios this Halloween and keep your personal information, bank account, credit card, and hardware safe, here's some advice on what not to fall for in phishing emails this All Hallows' Eve.

Cybercriminals can wear convincing costumes

Everyone knows that poorly impersonated domains (i.e. face-bo0k.com) are suspicious, but an email that comes from an address that matches a company's exact domain is always safe, right? Wrong.

Exact domain impersonation - when a criminal spoofs a business' domain and sends fake emails pretending to be them - accounts for a hauntingly huge percentage of successful phishing attacks. And businesses are wide open to this criminal costuming, unless they have a strong DMARC policy in place. When fully configured, DMARC (Domain-Based Message Authentication, Reporting, & Conformance) is the only email authentication protocol that stops exact domain impersonation.

But terrifyingly, as of May 2021, only 6% of the world's top global retailers are fully DMARC compliant, meaning the remaining 94% could be impersonated at any time, and a phishing email from their domain could soon crawl its way into your inbox.

So don't assume that an email is legitimate just because it comes from a business' exact domain. If you're unsure, you're best off flagging the email to your security team. You can also check whether a business is DMARC compliant here.

And if you're worried about your personal email address being impersonated, you don't need to. DMARC has been widely adopted by most email receivers (including Google, Yahoo, and Microsoft), meaning the majority of global consumer inboxes are protected.

Beware! Don't click suspicious links or attachments

In terms of advice on how to spot phishing emails, this is an oldie but a goodie. Phishing attacks are becoming more sophisticated, with many scammers using ‘social engineering' and ‘spear phishing' to trick victims into taking the bait. But most phishing emails will still use a phoney link or malicious file to gain access to private information or money. If in doubt, don't click, and report the email immediately to your security team. If this is an email to your personal address try to find another way to access the information being shared in the email, for example navigating to the company's homepage and going from there.

It's worth remembering that more traditional rules-based file scanners and spam detection technologies can only do so much to stop bad apples dropping into your inbox. So your company should also have security awareness training and - ideally - advanced threat protection in place to help stop employees being tricked to click.

Double, double, toil, and be sure to double check that from address

While many attackers spoof exact domains to send their phishing scams, there are those that still rely on ‘lookalike domains' to target victims. This form of email impersonation involves using a well-known or reputable brand (i.e. facebook.com) and changing it slightly to trick the recipient into clicking (i.e. facebo0k.com). See the difference? It's sometimes harder to spot than you might think, especially if you're in a hurry.

To avoid falling victim to the clutches of these sneaky scammers this Halloween, we recommend always double checking the sender's domain name and ‘from' address. If they look suspicious, that's probably because they are.

Is this a trick?

Business email compromise is a big hit with cyber attackers. This is when the email pretends to be from your CEO, a senior member of staff, or someone else of importance in your business. These will often be bubbling over with urgency. Again, this type of scam is most effective when the business being targeted isn't DMARC protected, meaning the attacker can impersonate its exact domain and it's very hard for the victim to tell it's fake.

It's amazing how many people fall for an email purporting to be from their ‘CEO' or ‘bank' in the heat of the moment. But when you receive one of these out of the blue, it's important to take a step back and question whether it actually makes sense given the context. Does it relate to any conversations you've been having recently? Does the supposed sender usually talk this way? Does it coincide with anything already happening in the business? And what's the rush?

If you're unsure, then checking to confirm with the individual it's supposedly from in person or over the phone - and then reporting it to your IT team if it hasn't been sent by them - is a good idea.

Leave it to the experts

We hope we've provided some useful tips on how to stay safe in the inbox this Halloween. But at Red Sift, we don't believe it should only be down to the individual to spot the signs of a phishing attack, when technology can help to do the job better. Find out more about our email security products and what we do below.