You receive an email that looks like it’s from your coworker, uses a real company domain, and passes all security checks—so what could go wrong?
Information Security specialists and IT departments cannot account for all the ways a bad actor might attack. Bad actors are people who attempt to cause harm to computer systems and networks to achieve their agendas, usually involving the theft of information or money. Their primary method of attack is social engineering, most commonly through phishing. The best remedy is to educate end users on what to look for so they can avoid the pitfalls of phishing attacks.
For anyone who does not know the term, phishing is when a bad actor impersonates someone else to try to obtain information such as passwords, credit card numbers, or financial details. Emails, texts, phone calls, or video calls can all be used to conduct a phishing attack. When the attack is tailored to specific individuals, it is known as spear phishing. This article will discuss email-based phishing attempts against Google-based email accounts and the new method bad actors are using.
Social engineering targets you personally. Phishing emails often impersonate coworkers or trusted organizations and rely on urgency to prompt quick reactions. Messages like “I need this done immediately” or “Legal action will be taken” are designed to bypass critical thinking and pressure you into acting fast.
Email impersonation is often detected by anti-spoofing tools that analyze message headers. However, attackers now use visual manipulation and legitimate domains to make emails appear internal without altering headers, enabling phishing attempts to bypass traditional anti-spoofing protections.
Attackers send from legitimate email domains, using accounts obtained through previous compromises. Because the domain is legitimate, the message passes authentication checks, while visual alterations keep security tools from flagging it as spoofing. The result is a phishing email that lands in your inbox instead of being blocked.
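The mechanism above can be checked for on the receiving side. The following is an added example, not code from the NGT article: it reads a message's headers, confirms that SPF and DKIM passed (so anti-spoofing tools would not object), and then flags the visual trick this article describes in one common form, a display name that imitates a coworker or the company while the actual address belongs to an external domain. The internal domain, staff directory, and sample message are constructed for the example.

```python
# Added example (not from the NGT article): flag an authenticated message whose
# display name imitates an internal sender while the address is external.
# Domain names, staff names and the sample message below are constructed.
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-corp.com"}      # constructed internal domain
KNOWN_STAFF = {"jane doe", "pat lee"}        # constructed staff directory


def auth_passed(msg):
    """True when Authentication-Results reports both SPF and DKIM pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return "spf=pass" in results and "dkim=pass" in results


def looks_internal(display_name):
    """Display name matches a known coworker or contains the company name."""
    name = display_name.lower()
    company_names = {d.split(".")[0] for d in INTERNAL_DOMAINS}
    return name in KNOWN_STAFF or any(c in name for c in company_names)


def assess(raw):
    """Return authentication status, sender domain and a list of findings."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    findings = []
    # The header check passes, but the name shown to the user is misleading.
    if domain not in INTERNAL_DOMAINS and looks_internal(display_name):
        findings.append("display name imitates internal sender, address is external")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address.lower():
        findings.append("Reply-To differs from From")
    return {"authenticated": auth_passed(msg), "from_domain": domain, "findings": findings}


# Constructed sample: authentication passes for the real sending domain,
# while the display name is that of a coworker.
SAMPLE = """\
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=other-biz.net; dkim=pass header.d=other-biz.net
From: Jane Doe <j.doe@other-biz.net>
Subject: Need this done immediately

Please process the attached invoice today.
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```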
What can you do to reduce your risk? Ask questions.
- Am I expecting this email?
- Does it make sense for this person to email me?
- Is this email trying to make me act urgently?
- Does this email ask me to click a link or provide sensitive information?
If you are unsure about an email, perform out-of-band communication. Reach out to the sender by a trusted method. A phone number you already know, a face-to-face meeting, or a direct message through apps like Slack or Teams are all good communication options to verify if an email is genuine. If something feels off, trust that instinct.
As always, NGT is here to help!
Contact ngthelp.com with questions.