Cybersecurity Awareness Month: Recognizing Phishing Attacks

October brings to mind three things: busting out the fall wardrobe, Halloween and, last but not least, cybersecurity awareness. If you read that list and thought to yourself, “Cybersecurity awareness? Not me!” then congratulations, you are our target audience.

In conjunction with the U.S. Cybersecurity and Infrastructure Agency (CISA) and the National Cybersecurity Alliance (NCA), SonicWall is participating in Cybersecurity Awareness Month this October to spread awareness about key issues in cybersecurity.

In our last blog, we mentioned that while password hygiene and multifactor authentication are both crucial, they can be easily foiled by a successful phishing attack. Today, we’re going to cover the basics of recognizing phishing attempts and what to do if you spot one.

Phishing Frenzy

Phishing attacks are not a new phenomenon. They’ve been a favorite attack vectors of cybercriminals across the board for many years now. But every time cybersecurity tools get better at spotting them, they get better at hiding. That’s why knowing how to recognize phishing is more important than ever.

How to Spot a Phishing Attack

Hackers or scammers will often use emails or text messages to try and steal your login credentials, account numbers or even Social Security numbers. Once they have the information they want in hand, they can perform a multitude of nefarious deeds, such as accessing your email account or stealing money from your bank account. They may even be using you to access an organization you’re a part of, such as your workplace.

These cybercriminals are constantly updating their tactics to keep up with the latest news and trends, but they often exhibit some common characteristics that you can spot to avoid being their next victim.

These include the types of email or message phishers like to use. They’ll often be posing as your bank or a credit card company. It could be an email that looks like it’s from a coworker or your boss.

Oftentimes, these messages will say something like:

  • There’s been some suspicious activity with your account, and they need you to log in to verify.
  • You’ve missed an important payment or deadline and direct you to a link to rectify the situation.
  • You need to confirm some sort of personal information, like your Social Security number.
  • You must download an attachment or document, or login to your work email.

While some phishing emails have definite “tells,” the messages can also look quite convincing. They may look similar to emails you’ve received from real organizations in the past, even going so far as to use the official logo of the company in the header or a clone of it.

Some telltale signs of a phishing email include:

  • The message uses a generic greeting such as “Hello user” or “Hi dear.”
  • The message asks you to click on a link to update your payment details.

While real companies will sometimes communicate through email or text message, they will never email or text you asking for important financial or personal information.

What to Do When You Spot A Phishing Attack

If you receive a suspicious email or message that matches some of the criteria above, always leave the email or message and go to the company’s website directly to contact someone. (The links and numbers in phishing messages will always direct you back to the phisher themselves.)

By going to the company’s official website or calling their official phone number, you can ensure that you’re speaking with someone at the actual company and not a cybercriminal.

If you receive a suspicious email at work, you should report it to IT so they can be aware someone may be trying to infiltrate the company. If you received it in your personal email, you can forward the email to the Anti-Phishing Working Group at Suspected phishing via text message can be forwarded to SPAM (7726).

Protecting Yourself from Phishing

While phishing attempts can be scary, there are a number of tools and strategies that can help protect you and your organization. You can:

Taking just a few steps towards protecting your important information and accounts could be the difference in staying protected or becoming a victim of phishing.

Further Learning

While we’ve covered the basics, the more you learn about phishing, the better protected you’ll be. You can watch our School of Phish webinar series on-demand and learn about the different ways our cybersecurity experts handle real-world phishing incidents.

If you feel like you’re prepared to spot some phishing attacks, you can test your mettle against our phishing quiz, which will gauge your ability to identify phishing emails.

Can You Catch All the Phish? Take Our New Phishing IQ Quiz and Find Out!

Sometimes you realize it just a split-second too late. A wave of terror passes over you as you wonder, What did I just click? I think I’ve really messed up!

If this sounds familiar to you, don’t beat yourself up. Being duped by a good phishing scam can happen to the very best of us, and you’re joining millions of innocent victims worldwide who have done the same.

But it’s also important to take immediate action and to know what you need to do to avoid repeating the mistake. The human element contributes to 82% of breaches, according to the 2022 Verizon DBIR. Besides employing security technologies to prevent phishing attacks, companies must also take a hardline approach to educating people on how to spot phishing emails.

To help avoid email scammers continuing to get the better of us, SonicWall is thrilled to announce our new online Phishing Quiz. This quiz is designed to help educate users on how to recognize common signs of a phishing email. And because it’s interactive, it’s more engaging and informative than a simple email or handout would be.

Email is often the first attack vector.

Based on the lessons of past data breaches, those successful attacks involve using multiple tactics, techniques and procedures (TTP) to compromise the user. Moreover, in those events, email was the first to deliver at least one of the following:

  1. The initial URL, in the form of a link to an exploit kit or phishing website
  2. The malicious attachment, in the form of a dropper or payload
  3. A pretexting message that becomes the starting point for a social engineering attack, manipulating users into giving up their credentials, sending money, disclosing sensitive data, etc.

Today, we’re seeing targeted phishing and pretexting attacks that are very well developed. The genuine appearance of these emails sent from stolen or fake identities can trick even the most security-conscious users. In addition, security practitioners we spoke with said they still see users clicking on phishing emails because they are unable to discern legitimate emails from fake ones.

Phishing tactics, techniques and procedures (TTP) are too clever.

As security vendors create new capabilities to protect users from phishing emails that bypass pre-delivery filters, attackers are equally devoted to creating more clever ways to reach the inbox. An example of these attacks is a low-volume, high-quality targeted phishing email that appears to come from Microsoft 365 or Gmail, as shown below.

Phishing emails are now more advanced. Attackers can replicate MFA screens to steal credentials.

This fake email renders professionally and is personalized for specific users, as opposed to the traditional high-volume spray-and-pray campaigns of the past. These attacks are sophisticated in both their ability to reach the inbox and the user experience on the back end. Each link brings up the login window of the second page of the account challenge, which pre-populates the user’s email address. It already knows who you are.

The phishing innovation curve is now happening post-delivery, as in the above example. In other words, instead of putting the malicious URL in the email, phishers link to a redirect server that acts as a gateway, sending queries from a security company to a benign site. In contrast, queries coming from the intended victims are directed to the phishing server.

The obfuscation methods developed over the years include identity deception, multiple redirections, URL splits, HTML tag manipulation, polymorphic malware, and dynamic obfuscated scripts, to name a few. We have seen skilled hackers combine numerous obfuscation techniques inside targeted phishing campaigns to hide the true intent of the target page, which is often a credential-harvesting page.

People are not perfect.

“Human beings are not creatures of logic; we are creatures of emotion. And we do not care what’s true. We care how it feels,” said Will Smith, a famous actor, rapper and perhaps even philosopher of our generation. These words have a deep connection to those who live and breathe cybersecurity. The notion that as long as human emotions can be manipulated, someone will likely make a bad mistake underscores one of many complex challenges for security practitioners to fix, but it cannot be addressed through technology alone. While phishing prevention technologies are necessary, it is also essential to establish a cybersecurity awareness program.

Raise employee awareness with the SonicWall Phishing Quiz.

Aside from advancing artificial intelligence and machine learning technologies inside security tools, SonicWall investments in training humans to resist human deception is part of a more significant effort to help people become part of the solution instead of being part of the problem.

The belief that security rests only on security practitioners and their technologies is dangerous, because when a phishing email invariably does make it to the inbox, there is no further line of defense. To reduce this human risk factor requires a culture and a mindset adjustment at the corporate and the individual level, aimed at getting everyone consciously thinking and proactively involved to become a key stakeholder in an organization’s security.

In a simple but effective way, the SonicWall Phishing Quiz encourages people to stay aware and exercise healthy suspicion when checking and responding to emails. The quiz lets you interactively examine a series of sample emails, including embedded links, to test your intuition and knowledge in distinguishing legit versus phishing emails.

The Phishing IQ Test evaluates your ability to identify fraudulent emails using real examples of common phishing attacks.

To measure your own ability to spot phishing emails, take the SonicWall Phishing Quiz today.


Think Before You Click: Spotting and Stopping a Phish

It’s nearly 3 p.m. and, despite three cups of coffee, you’ve barely made a dent in the massive backlog that didn’t even exist when you got in this morning. You decide to steal a precious few seconds between meetings and messages to check your email, hoping none of the four notifications you’ve just received are more requests.

One in particular catches your attention: Someone has successfully logged into your email account from thousands of miles away. “If you don’t recognize this login,” the email warns, “change your password immediately.” Between worst-case thoughts of identity theft and ruined credit, and the promise of something quick and easy to check off your to-do list, you can’t mash that button fast enough. You enter and confirm your old password, enter and confirm your new password, then sigh with relief — your account is safe for another day.

Except it isn’t: Unbeknownst to you, the email was a phish, and your credentials have just gone from “confidential” to “commodity,” available to anyone for a few bucks on the dark web.


While phishing has been around for nearly 30 years, it’s still growing: According to IC3 data, phishing attacks have increased 182% since 2019. Today, one in every 99 emails is a phish.

Worse, your email service provider’s security measures may not be as much help as you think: A quarter of phishing emails are able to sneak by the default security measures included with Office 365, and more than 10 percent are able to bypass both Microsoft Exchange Online Protection (EOP) and Microsoft Advanced Threat Protection.

From there, the success of a phish just depends on whether they’ve used the right kind of bait: Nearly one in three phishing emails is opened, and when referring to spear-phishing, that number jumps to 70%.

The most successful hooks share two common characteristics: They appear to come from a known contact or organization, and they use a problem or issue to inspire a sense of urgency. Common examples include warnings that your payment information has expired, your account is on hold due to a billing issue, an order you never placed is set to be shipped, etc.


So how do criminals get you on the line? The three most common techniques involve malicious attachments, malicious URLs and fraudulent data entry forms.

Malicious Attachments
These attachments may look like ordinary PDFs, Word docs or Excel sheets, and may even include legitimate-sounding data to help maintain the ruse, such as an invoice or a receipt. But in the case of a phish, they’re infected with malware that can infect your device and spread throughout the network — to servers, external hard drives/backups, and even cloud systems.

Malicious URLs
That link you may think is taking you to to clear up an account issue may instead be taking you to — an imposter homepage designed to launch malware. If you notice that the URL looks a little odd once you get to the page, however, it may already be too late: In the case of a drive-by download attack, simply visiting a site is enough to begin download of malicious code to your device. These sites are a moving target for the IT admins attempting to block them: 84% of them are live for less than 24 hours, with some up for as little as 15 minutes.

Fraudulent Forms
Not all phishing sites deploy malware, however. Some are just seeking information, often in the form of fake data-entry forms. Often this takes the form of a phony login page, such as a popup window imitating the login prompts for Office 365 and other services. Another common scam is an email alerting you that your payment information has expired. After clicking on the link in the phishing email, you’re taken to a fraudulent URL asking you to reenter your credit card information or other data such as your social security number, full name, address and more. The goal of these attacks is to collect credentials to launch further attacks, often spearphishing or Business Email Compromise (BEC) attacks, or to collect personal information that can be exploited or sold for a profit.

… And sinker.

If you’ve fallen for a phish, you and others on your network could be sunk. 91% of cyberattacks start with a phish, and 66% of malware is installed via malicious email attachments.

Unfortunately, despite being alarmingly common (83% of organizations reported suffering successful phishing attacks in 2021), phishing is the second most-expensive attack vector to remediate, costing organizations an average of $4.65 million.

More than half of organizations that experienced a successful phishing attempt reported experiencing data loss or compromised accounts/credentials, and over 40% experienced subsequent ransomware infections.

Don’t Take the Bait!

But despite an increase in prevalence and sophistication, you can still avoid falling for a phish. Here are a few ways to stay safe:

  1. Implement Dedicated and Regular Security Awareness Training: Training employees on security awareness significantly decreases the odds that someone will fall for a phishing attack, and can reduce the cost of a successful phishing attack by over half.
  2. Learn the Hallmarks of a Phishing Email: Poor spelling and grammar in an otherwise professional-looking email, logos that are low-resolution or look a bit “off,” a sender address that is similar to but different from one you’re accustomed to seeing and a sense of urgency are all reliable indicators of a phishing email.
  3. Be Leery of Links: Don’t ever click on embedded links in an email, even from a trusted contact, and avoid clicking on any link in an email from a sender you don’t recognize. Ensure the URL of any site you visit begins with https, not http. And watch out for subdomains — is not a part of Hulu’s website just because Hulu is in the URL.
  4. Upgrade Your Browser and OS Regularly: Most modern browsers are equipped with phishing protection, which is upgraded as attackers introduce new techniques.
  5. If You’ve Been Caught, Act Quickly: Report the incident to your IT department immediately, and find out whether you’ll need to notify other departments, such as Finance or Legal. In the case of malware infections, a service like SonicWall’s Capture Advanced Threat Protection (ATP) should protect you — otherwise, disconnect the endpoint from the internet and network immediately until a scan can be run. If your personal information has been compromised, set up a credit freeze and fraud alerts through your financial institutions to ensure no new accounts are opened in your name.

Identifying a phish will go a long way toward keeping your organization safe — but if you aren’t regularly updating and patching, your network could still be vulnerable to cyberattack. In next week’s Cybersecurity Awareness Month blog, we’ll offer tips on how to stay safe by staying up to date.

BEC Attacks: Can You Stop the Imposters in Your Inbox?

If asked which of the threat types tracked by the FBI causes the most financial damage, most people would say ransomware.

They’d be wrong.

In 2021, the FBI’s Internet Crime Complaint Center (IC3) received 19,954 Business Email Compromise (BEC) reports, with adjusted losses totaling almost $2.4 billion. That’s an average of more than $120,270 per incident, compared with just under $13,200 per incident for ransomware attacks.

Since the FBI began tracking these threats in 2013, tens of billions in financial losses have been recorded, resulting from nearly 170,000 incidents in 178 countries.

So why hasn’t this threat risen to the notoriety of ransomware?

During many ransomware attacks, business operations grind to a halt. When a company loses access to customer information, payment systems and mission-critical applications, it often becomes clear in short order that something is wrong.

But BEC attacks are comparatively silent. Even when these attacks have a huge impact on an organization’s bottom line, operations can generally continue as usual. As a result, businesses frequently opt to keep these attacks out of the public eye to avoid risking reputation damage and loss of trust.

But although ransomware still dominates security news, the growing frequency, volume and cost of BEC attacks have begun attracting more attention.

As a result, BEC attacks have become a top threat concern for many organizations today, according to a recent SonicWall-sponsored white paper by Osterman Research. “How to Deal with Business Email Compromise” reports primary research data from an in-depth customer survey of 119 respondents, each of which has direct knowledge of how their organization is addressing or planning to address the risk of BEC.

The results from this study offer a look at how security influencers and decision-makers are taking BEC into account when formulating their spending plans for the next 12 months. For example, while just 46% of organizations said they considered protecting against BEC attacks “important” or “extremely important” 12 months ago, 76% said they considered it important or extremely important today.

Image describing BEC Importance


Organizations indicating that protecting against BEC attacks in 2023 is of high importance

The data also shows that three-fifths of organizations in the study view protecting against BEC attacks as one of their top five security priorities.


Organizations ranking protecting against BEC attacks as one of their top five priorities.

How BEC Attacks Fly Under the Radar

But what makes BEC attacks so dangerous when compared with other forms of cyberattacks? And why are they harder to stop?

BEC is a specialized type of phishing attack that relies on social engineering. They often use a proven pretexting technique to engineer a quick introduction and establish a believable scenario in order to manipulate the victim to take a specific action.

While these attacks can target employees at any level of an organization, they generally start with an attacker impersonating a person with authority, such as a CEO or CFO, a manager, or a supplier. The attacker uses the authority figure’s identity to start a chain of plausible (but fake) requests to gain monetary payment. This typically involves instructing someone in accounts payable, someone in HR or even someone with a company credit card to pay a fake invoice, transfer funds, send gift cards or make payroll payouts. The urgent tone of these messages encourages the victim to respond or act quickly, bypassing any checks and balances that may be in place.

Compared with other forms of cyberattacks, BEC attacks are among the hardest to detect because the threat signals are far less obvious. Relying on trickery and impersonation, the approach is very subtle, and the actual delivery generally doesn’t use weaponized URLs or malicious attachments, which are easily detected.

In addition, the email content and the delivery mechanism are usually of higher quality and often tailored to target a specific person or persons. With little to no apparent sign of a threat, these messages can bypass most email security filters to reach the inbox — and the absence of any sort of alert, such as a contextual warning advising them to exercise caution, leaves the victim more vulnerable to falling for the scam.

Because so many of these scams are successful, their use has grown dramatically — today, roughly 80% of companies targeted by BEC attacks each year. While there isn’t much you can do to avoid being targeted, there’s plenty you can do to safeguard your organization’s finances. To learn more about BEC attacks and how to stop them, check out our webinar, “Can You Stop the Imposters in Your Inbox?

2018 Holiday Cyber Threat Data: Final Analysis Shows Big Ransomware Spikes in US, UK

It’s no secret that consumers flock to online retailers during the holiday shopping season between Thanksgiving and the New Year.

Last month, SonicWall provided deep cyber threat data for the nine-day window that included Black Friday and Cyber Monday in the U.S. Over this specific period, SonicWall Capture Labs threat researchers found that SonicWall customers faced 91 million malware attacks (34 percent decrease over 2017) and 889,933 ransomware attacks (432 percent increase over 2017).

But cyberattacks are hardly static. And they definitely don’t cease once Cyber Monday comes and goes. For this reason, SonicWall collected and analyzed threat data from the full December holiday shopping season to complement its Cyber Week threat analysis.

In the U.S., ransomware and phishing volume more than doubled compared to 2017, while malware was slightly down. In December alone, SonicWall Capture Labs threat researchers recorded:

  • 2.7 million ransomware attacks (up 177 percent)
  • 276.4 million malware attacks (down 27 percent from 2017)
  • 797,607 phishing attacks (up 116 percent)

In the U.K., ransomware spiked four-fold while malware and phishing attacks were relatively flat. For December, SonicWall Capture Labs logged:

  • 527,734 ransomware attacks (up 432 percent)
  • 52.1 million malware attacks (down 2 percent from 2017
  • 30,740 phishing attacks (no increase over 2017)

SonicWall will soon publish additional global December cyber threat data across all attack types, including encrypted threats, intrusion attempts and web application attacks.

Real-Time Threat Intelligence with SonicWall Capture Security Center

SonicWall cyber threat intelligence is available in the SonicWall Capture Security Center, which provides a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins.

The SonicWall Capture Security Center provides actionable cyber threat intelligence to help organizations identify the types of attacks they need to be concerned about so they can design and test their security posture ensure their networks, data, applications and customers are properly protected.

Exclusive Video: SonicWall CEO Bill Conner & CTO John Gmuender

SonicWall President and CEO Bill Conner and CTO John Gmuender walk you through the current cyber threat landscape, explore the importance of automated real-time breach detection and prevention, and address how to mitigate today’s most modern cyberattacks.

May 2018: Cyberattack Volume Continues to Rise, Ransomware Attempts Jump 299 Percent

The very latest cyber threat intelligence for May 2018 depicts increases in a number of attack areas, particularly when comparing against 2017 cyber threat data. Through May 2018, the SonicWall Capture Labs threat researches have recorded:

Global Cyberattacks — May 2018

  • 2 million malware attacks (64 percent year-over-year increase)
  • 9 million ransomware attacks (78 percent year-over-year increase)
  • 238,828 encrypted threats (142 percent year-over-year increase)

Global Cyberattacks — Year to Date

  • 5 billion malware attacks (128 percent increase )
  • 2 million ransomware attacks (299 percent increase)
  • 2 million encrypted threats (283 percent increase)

To put these numbers in a more practical light, it’s helpful to break them down by customer. In May 2018 alone, the average SonicWall customer faced:

  • 2,302 malware attacks (56 percent year-over-year increase)
  • 62 ransomware attacks (69 percent year-over-year increase)
  • Almost 94 encrypted threats
  • Over 14 phishing attacks per day

With each passing month, cybercriminals continue to perpetrate cyberattacks at an ever-accelerating rate. It is interesting to note that although encrypted traffic is actually down slightly when compared with last year, encrypted threats have more than doubled. This points to cybercriminals who are more aware of the efficacy of encrypting their attacks.

In addition, phishing attacks have increased by almost 40 percent since last month. To better educate your end users and follow secure email best practices, use the phishing IQ test to increase their suspicions when opening emails, particularly from unknown senders.

As the cyber war continues between threat actors and security professionals, arming your organization with the latest cyber threat intelligence is critical to implementing or improving a sound security posture. As long as vulnerabilities exist, there are threat actors working to exploit them.

Find Threat Metrics When You Need Them

Would you like to keep up-to-date on threat metrics, security news and worldwide cyberattacks? The SonicWall Security Center has all of this and more.


Phishing Threats – How to Identify and Avoid Targeted Email Attacks

Phishing threats have been around for years. By now anyone can easily detect a fake email, right?

Wrong. How confident are you that you wouldn’t divulge your password, credit card info or online identity? Here is a quick refresher on phishing threats and what you can do to protect yourself.

What is Phishing?

As you may already know, phishing threats involve malicious emails that attempt to get you to disclose your personably identifiable information (PII) to compromise your personal identity or corporate data.

Hackers create emails that look like official communications from familiar companies. These are sent to millions of unsuspecting addresses in hopes that someone will follow the links and share sensitive information that the hackers can exploit. These phishing emails employ a variety of techniques.

How to Spot Phishing Attacks

The best way to protect yourself from phishing threats is to recognize and avoid these common phishing tactics:

  • Generic greetings: The opening lines of phishing emails are often very vague and general in nature.
  • Typos or Poor Grammar: A poorly written email is less likely to have come from a legitimate company. In addition, do not be tricked if the email happens to include a legitimate-looking logo.
  • Urgency: Phishing emails often sound alarmist, trying to scare you into taking action (and sharing your information) immediately.
  • Fake Links: Phishing emails routinely obscure the URL addresses, and instead take you to an unsecured site where your sensitive data is solicited. To see exactly where a link will take you, simply hover over it. If in doubt, don’t click it. Instead, open a new browser session and manually enter the address (i.e., don’t copy and paste) you want to visit.
  • Attachments: Delivered via email attachments, malware that is executed (i.e., the attachment is opened) allows a hacker to exploit vulnerabilities on your computer Never open an attachment unless you are sure it is legitimate, safe and expected. Be cautious with any unexpected invoices from companies you’re not familiar with, as attachments might contain malware that installs upon opening.
  • Spoofed Sender: Makes it easier for a hacker to impersonate someone you’d normally trust (e.g., coworker, bank, government agency)

Take the Phishing IQ Test

Interested in seeing how well you are at telling the difference between a legitimate website and one that is a phishing attempt? Take the SonicWall Phishing IQ Test to find out.