Click or Treat? How not to fall for phishing emails this Halloween

Spooky season is upon us. But while we’re busy carving Jack-o-Lanterns, donning witches’ hats, and hanging glow-in-the-dark skeletons, something far more sinister lurks in the shadows. The dreaded phishing email.

Cybercriminals don’t take a break from spamming consumer inboxes with fake  emails at any time of the year, and they’ll likely be using the spooky holiday and hike in Halloween sales as just another opportunity to pump out phishing scams to unsuspecting victims.

So to help you avoid scary scammer scenarios this Halloween and keep your personal information, bank account, credit card, and hardware safe, here’s some advice on what not to fall for in phishing emails this All Hallows’ Eve.

Cybercriminals can wear convincing costumes

Everyone knows that poorly impersonated domains (i.e. face-bo0k.com) are suspicious, but an email that comes from an address that matches a company’s exact domain is always safe, right? Wrong.

Exact domain impersonation – when a criminal spoofs a business’ domain and sends fake emails pretending to be them – accounts for a hauntingly huge percentage of successful phishing attacks. And businesses are wide open to this criminal costuming, unless they have a strong DMARC policy in place. When fully configured, DMARC (Domain-Based Message Authentication, Reporting, & Conformance) is the only email authentication protocol that stops exact domain impersonation.

But terrifyingly, as of May 2021, only 6% of the world’s top global retailers are fully DMARC compliant, meaning the remaining 94% could be impersonated at any time, and a phishing email from their domain could soon crawl its way into your inbox.

So don’t assume that an email is legitimate just because it comes from a business’ exact domain. If you’re unsure, you’re best off flagging the email to your security team. You can also check whether a business is DMARC compliant here.

And if you’re worried about your personal email address being impersonated, you don’t need to. DMARC has been widely adopted by most email receivers (including Google, Yahoo, and Microsoft), meaning the majority of global consumer inboxes are protected.

Beware! Don’t click suspicious links or attachments

In terms of advice on how to spot phishing emails, this is an oldie but a goodie. Phishing attacks are becoming more sophisticated, with many scammers using ‘social engineering’ and ‘spear phishing’ to trick victims into taking the bait. But most phishing emails will still use a phoney link or malicious file to gain access to private information or money. If in doubt, don’t click, and report the email immediately to your security team. If this is an email to your personal address try to find another way to access the information being shared in the email, for example navigating to the company’s homepage and going from there.

It’s worth remembering that more traditional rules-based file scanners and spam detection technologies can only do so much to stop bad apples dropping into your inbox. So your company should also have security awareness training and – ideally – advanced threat protection in place to help stop employees being tricked to click.

Double, double, toil, and be sure to double check that from address

While many attackers spoof exact domains to send their phishing scams, there are those that still rely on ‘lookalike domains’ to target victims. This form of email impersonation involves using a well-known or reputable brand (i.e. facebook.com) and changing it slightly to trick the recipient into clicking (i.e. facebo0k.com). See the difference? It’s sometimes harder to spot than you might think, especially if you’re in a hurry.

To avoid falling victim to the clutches of these sneaky scammers this Halloween, we recommend always double checking the sender’s domain name and ‘from’ address. If they look suspicious, that’s probably because they are.

Is this a trick?

Business email compromise is a big hit with cyber attackers. This is when the email pretends to be from your CEO, a senior member of staff, or someone else of importance in your business. These will often be bubbling over with urgency. Again, this type of scam is most effective when the business being targeted isn’t DMARC protected, meaning the attacker can impersonate its exact domain and it’s very hard for the victim to tell it’s fake.

It’s amazing how many people fall for an email purporting to be from their ‘CEO’ or ‘bank’ in the heat of the moment. But when you receive one of these out of the blue, it’s important to take a step back and question whether it actually makes sense given the context. Does it relate to any conversations you’ve been having recently? Does the supposed sender usually talk this way? Does it coincide with anything already happening in the business? And what’s the rush?

If you’re unsure, then checking to confirm with the individual it’s supposedly from in person or over the phone – and then reporting it to your IT team if it hasn’t been sent by them – is a good idea.

Leave it to the experts

We hope we’ve provided some useful tips on how to stay safe in the inbox this Halloween. But at Red Sift, we don’t believe it should only be down to the individual to spot the signs of a phishing attack, when technology can help to do the job better. Find out more about our email security products and what we do below.

PUBLISHED BY

Sabrina Evans

28 Oct. 2021

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Email

The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more
Email

Navigating the “SubdoMailing” attack: How Red Sift proactively identified and remediated a…

Rebecca Warren

In the world of cybersecurity, a new threat has emerged. Known as “SubdoMailing,” this new attack cunningly bypasses some of the safeguards that DMARC sets up to protect email integrity.  In this blog we will focus on how the strategic investments we have made at Red Sift allowed us to discover and protect against…

Read more
Email

Where are we now? One month of Google and Yahoo’s new requirements…

Rebecca Warren

As of March 1, 2024, we are one month into Google and Yahoo’s new requirements for bulk senders. Before these requirements went live, we used Red Sift’s BIMI Radar to understand global readiness, and the picture wasn’t pretty.  At the end of January 2024, one-third of global enterprises were bound to fail the new…

Read more