A nearly ubiquitous reliance on networks in the business world has made companies more prone to cyberattacks than ever. Yet, hostile actions are not always high-tech.
Phishing is one of the most common forms of social engineering attacks. In this article, we discuss the SLAM method for implementing processes to defend against phishing attacks.
Check out our free eBook on how to protect yourself from cyberattacks in 2024 for more information.
What is Phishing?
Phishing is an attempt to get individuals to reveal compromising information through emails that pose as coming from parties that are in some way affiliated with the organization.
Phishing is a common hacking method simply because it’s fairly easy to do, inexpensive and low-tech, and because emails can be sent to an organization from anywhere in the world.
Organizations need a system in place to educate employees so they can identify phishing attempts, rather than falling for them and sharing critical login information with hostile actors.
It’s worth considering basic training for employees in identifying phishing emails. At a quick glance, there are many subtle and also not-so-subtle indications of phishing.
The SLAM method is one way of quickly identifying phishing emails.
What Does SLAM Stand For?
SLAM stands for sender, links, attachments and message.
The SLAM system involves quickly double-checking each of these aspects of incoming emails to verify their legitimacy.
Identifying an Illegitimate Sender
There may be signs of illegitimacy in the sender’s email address. Emails that purport to be from an employee of a company are rarely sent from a personal email address, although this is not always the case. If the address ends in ‘@gmail.com,’ the sender is using a personal address.
Occasionally, phishers send from, or attach, random email addresses belonging to other companies.
Misspellings in the names of individuals or companies are a red flag.
Scanning for Suspicious Links in Incoming Emails
Links in phishing emails can be particularly risky.
Attackers now have tooling that lets them harvest login information from a recipient simply by getting them to click on a link.
Employees can scrutinize links by checking that the URL matches the anchor text and that it makes sense in the context of the email.
Employees can also check for misspellings in the anchor text. If the link purports to go to a company website, it’s often better to navigate to that website directly rather than using the link, especially if the email requests login information.
Double-checking the link and anchor text may reveal signs of an email’s illegitimacy.
Identifying Suspicious Attachments
Attachments in emails are a normal part of doing business. This could include sending documentation, contracts and deliverables back and forth, but employees should be aware that downloading a file can be the first step in bringing in a virus.
Sometimes, attachments come in formats that look semi-official, with graphics or images that mimic other companies. If there is any doubt, proceed with caution before downloading anything from the email.
However, something will usually look a bit ‘off,’ especially with unsolicited emails.
If there is any question about an email’s legitimacy, employees should check with their vendors to ensure that the email is of legitimate origin.
Researchers note that companies that have a wide array of services are often more susceptible to phishing, simply because they have quite a few incoming requests from vendors.
In one recent fraud case, Facebook and Google sent over $100 million to a scammer who was sending fake invoices by phishing email. These emails mimicked the style of another vendor with whom they were doing business.
This could have been prevented if the companies had simply verified the origin of the emails with the vendor. It also could have been stopped earlier by tracking their outgoing cash versus services rendered.
Large companies that have millions of dollars in transactions per week may be more susceptible to paying out smaller fake invoices without much forethought, but these amounts do add up.
In the end, this particular scammer was caught. However, it seems very unlikely that all or even most of the cash will be recovered.
Message: Strange Wording or Phrasing
Phishing attempts often come with bad misspellings, grammatical errors or vaguely unprofessional wording. Occasionally, the tone will be slightly off, or they will call for urgent action.
Companies should train their employees to recognize when the contents of an email seem ‘off.’
It is better to wait and verify that the sender is legitimate than to rush through any process.
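As an added example (not part of the original article), the following Python script applies the four SLAM checks described above to a constructed sample email: sender domain, link text versus the link’s real target, attachment extension, and urgency wording in the message. The sample message, the list of personal-mail domains and the risky-extension list are assumptions for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not from the article): invoice phish with a webmail sender,
# a look-alike link, an executable attachment and urgent wording.
SAMPLE = b"""From: Acme Billing <acme.billing@gmail.com>
Subject: URGENT: overdue invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please log in immediately to avoid suspension:
<a href="http://acme-portal.example.net/login">https://portal.acme.com</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

AAAA
--b1--
"""

PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".hta", ".iso")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LABEL_HOST = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspen(d|ded|sion))\b", re.I)

def slam_findings(raw):
    """Apply the four SLAM checks to a raw RFC 5322 message; return finding strings."""
    msg, out = email.message_from_bytes(raw, policy=policy.default), []
    sender = msg["From"].addresses[0]  # S: vendor mail from a personal/webmail domain
    if sender.domain.lower() in PERSONAL_DOMAINS:
        out.append(f"sender: personal address {sender.addr_spec}")
    body = msg.get_body(preferencelist=("html", "plain"))  # L: anchor text vs href host
    html = body.get_content() if body else ""
    for href, label in ANCHOR.findall(html):
        m = LABEL_HOST.match(label.strip())
        if m and m.group(1).lower() != (urlparse(href).hostname or ""):
            out.append(f"link: text shows {m.group(1)} but href goes to {urlparse(href).hostname}")
    for part in msg.iter_attachments():  # A: executable/script extensions, double ones included
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXT):
            out.append(f"attachment: executable-type file {name}")
    text = str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", html)  # M: pressure wording
    if URGENCY.search(text):
        out.append("message: urgency wording")
    return out
```

Calling `slam_findings(SAMPLE)` returns one finding per SLAM letter for the sample; a plain message with none of these traits returns an empty list, so the script flags but never blocks, leaving the final call to the employee.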
What to Do When You Recognize a Phishing Email
Here are some steps to follow when you recognize a phishing email.
- Mark the email as spam.
- Document the sender’s name and email address, along with a description of the message sent in the email.
- Ensure employees are instructed to tell a manager about it, or to document it somewhere, so others can be warned about the scammer and the seriousness of the attempt can be assessed.
- Also, look into informing the IT department about the phishing attempt. Reporting consistently across a department may help IT build a profile of the campaign.
- After gathering this information, it helps to update employees periodically about the different phishing attempts seen, so they have specific ‘tells’ to look for.
Researchers have documented the effectiveness of company-wide training in the attempt to thwart phishing attempts.
While it’s important to avoid scams, employees should also take care not to be overzealous and end up causing communication issues by screening out emails from legitimate parties.
Sharing the email with others could help get a second opinion before taking any irreversible action.
Common Phishing Scams
There are several recognizable patterns used in phishing scams.
One is to pretend to be a platform or service that requires login information or a password reset. Any email that requests login information deserves scrutiny, especially if the recipient did not initiate a password reset.
These are especially dangerous because individuals often use similar passwords for multiple services, including banking.
Companies can help employees avoid this by sending out official notes ahead of time when requesting login or password information so employees are aware of it beforehand.
Smishing attempts are short texts, generally with a link that asks for personal information.
Vishing is similar to phishing, but conducted through voice calls. This is more often seen in the B2C market, where scam outfits target older people while posing as representatives of banks or utilities.
Spear phishing involves specifically targeting a member of an organization with honed language. It may contain information that pertains to the role’s duties and obligations, so these can be difficult to identify without verifying the claims made in the email with other parties.
Whale phishing is similar to spear phishing, but targets those in C-suite roles, like CEOs, CFOs, CTOs, etc.
Organizational Risk Avoidance
While it’s important to have some basic guidelines, it may require a more systematized approach to get the staff of an entire company on board. This could start with a company-wide email notice or by dedicating time to staff training.
Check out our free eBook for more information about how to protect yourself from cybersecurity threats in 2024.
Feel free to contact us if you need a hand marketing your cybersecurity solutions.