Phishing Email Attacks
A phishing email attack is a type of cyberattack in which malicious actors send deceptive emails to
individuals or organizations to trick recipients into revealing sensitive information, such as
usernames, passwords, financial data, or personal details. The FBI’s Internet Crime Complaint Center
(IC3) received 298,878 reports of phishing in 2023, with losses nearing $19 billion. These emails
often impersonate legitimate sources, such as banks, government agencies, or reputable companies, to
gain the recipient's trust.
Phishing attacks can take various forms and may involve multiple tactics, including:
- Email Spoofing: Attackers forge the sender's email address to make it appear that the message comes from a trusted source.
- Deceptive Content: Phishing emails typically contain urgent or enticing content to provoke an immediate response. This may include fake invoices, security alerts, or offers.
- Malicious Links: Phishers include links that lead to fake websites that mimic legitimate ones. These sites capture login credentials or install malware on the victim's device.
- Attachments: Some phishing emails contain malicious attachments, such as infected documents or executable files, which can compromise the recipient's system.
The FBI has issued an advisory about compromised US and foreign government email addresses being used to send fraudulent emergency data requests to US-based companies, exposing personally identifiable information (PII). Recipients should look for doctored images on the document. The FBI also recommends checking the legal codes referenced in the emergency data request: they should match what would be expected from the originating authority. A request from a country outside the United States should not contain language copied and pasted from the U.S. Title Code, and a foreign country's law enforcement agency would not attach a U.S. subpoena. If the message is suspicious, contact the originating authority (using contact information obtained independently, not taken from the message) to verify the request.
Another FBI advisory notes the increasing threat of callback phishing. Unlike traditional phishing, a callback phishing email contains no malicious link. Instead, it features a prominent phone number and urges the recipient to call about an urgent matter, such as a fraudulent charge, that is designed to alarm the user into dialing the number provided. These emails usually consist of a single, unclickable image that displays the phone number multiple times to encourage a callback. Victims who call are often routed to an overseas call center whose operators handle multiple callback scams. In cases linked to ransomware groups, the call center is set up explicitly for the scam and aims to get ransomware or other malicious software installed on the victim's computer.
In a catfishing attack via email or SMS, the attacker impersonates a trusted entity, crafts a compelling story, and manipulates emotions or urgency to coax the recipient into divulging sensitive information. The attacker may begin by impersonating a trusted entity, such as a colleague, friend, or legitimate organization, using details gleaned from social media or previous interactions. They build rapport, request information subtly, and employ persistence and follow-up tactics. By exploiting human vulnerabilities, they aim to compromise their victims without using malicious links or attachments. See Romance Scams.
Warning signs and precautions:
- Misspelled domain names or suspicious variations in the sender's email address.
- Urgent or threatening language.
- Hover your mouse pointer over links without clicking to see the URL. Ensure it matches the expected domain.
- Use of generic greetings like "Dear User" instead of your name.
- Pressure to divulge sensitive or compromising information that can be used to manipulate the target into further actions against their interests or against their organization.
- Don't open attachments from unknown or unverified sources. Confirm the legitimacy of the sender before opening any files.
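Several of the warning signs above (a misspelled sender domain, link text that does not match the link's real target, a generic greeting, urgent wording) can be checked mechanically before a message reaches a person. The Python script below is an added example, not code from this page or from any cited source; it assumes a small allow-list of expected sender domains (TRUSTED), a constructed sample message, and a single-part HTML body, and it reports which of the listed signs a message shows.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = {"example-bank.com"}  # assumed allow-list: domains the organisation expects mail from
URGENT = ("urgent", "immediately", "suspended", "within 24 hours")
GENERIC = ("dear user", "dear customer", "dear valued")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a, b):  # Levenshtein distance; 1 or 2 against a trusted name suggests a typosquat
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain):  # close to a trusted domain, but not actually one of them
    return any(domain != t and edit_distance(domain, t) <= 2 for t in TRUSTED)

def analyze(raw):  # returns the warning signs found in one raw message (single-part HTML body)
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    html = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = re.sub(r"<[^>]+>", " ", html).lower()  # crude tag strip; enough for the sample
    found = []
    if lookalike(sender):
        found.append(f"lookalike sender domain: {sender}")
    for href, label in ANCHOR.findall(html):  # the "hover over the link" check, automated
        label = label.strip()
        shown = urlparse(label if "://" in label else "http://" + label).hostname or ""
        real = (urlparse(href).hostname or "").lower()
        if "." in shown and shown != real:
            found.append(f"link text shows {shown} but points to {real}")
        if lookalike(real):
            found.append(f"lookalike link domain: {real}")
    if any(g in text for g in GENERIC):
        found.append("generic greeting")
    if any(u in text for u in URGENT):
        found.append("urgent or threatening language")
    return found

# Constructed sample (not a real phish) that shows every sign the checker looks for.
SAMPLE = """From: Security Team <alerts@examp1e-bank.com>
Content-Type: text/html

<p>Dear Customer, your account is suspended. Verify immediately:
<a href="http://examp1e-bank.com/login">https://example-bank.com/login</a></p>"""
```

Calling `analyze(SAMPLE)` returns five findings for the sample; a message from an allow-listed domain whose link text and target agree returns an empty list.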
Prevention:
- Education and Training: Provide cybersecurity awareness training to recognize phishing attempts.
- Use Email Filters: Employ advanced email filtering solutions to detect and block phishing emails automatically.
- Enable Multi-Factor Authentication (MFA): Implement MFA wherever possible to add an extra layer of security.
- Keep Software Updated: Regularly update operating systems, browsers, and antivirus software to patch known vulnerabilities.
- Verify Requests: Independently verify any unusual requests for sensitive information or funds transfers, especially if received via email. Contact the supposed sender through official channels.
- Use Strong, Unique Passwords: Encourage unique passwords for all online accounts and consider using a password manager.
- Scrub Email Addresses from the Web: Remove your email addresses from websites, because attackers harvest them and use the website's context to craft tempting phishing lures.
- See Cyber Crime Prevention for more information.
Incident response:
- Contain the Breach: If an organization has been targeted, isolate affected systems to prevent further damage.
- Change Credentials: Immediately change passwords for compromised accounts and enable MFA if available.
- Report the Attack: Report the phishing incident to your organization's IT or security team and the proper authorities.
- Notify Affected Parties: If customer or user data is compromised, inform affected parties promptly and transparently.
- Implement Security Measures: Strengthen security measures to prevent future attacks, such as enhancing email filtering and employee training. See Cyber Crime Prevention.
- Regularly Monitor Accounts: Continuously monitor accounts and systems for suspicious activity.
References:
- Computer Weekly. (2023, January 26). Nine in 10 enterprises fell victim to successful phishing in 2022. Retrieved December 21, 2023, from https://www.computerweekly.com/news/365532100/Nine-in-10-enterprises-fell-victim-to-successful-phishing-in-2022.
- Dumas, B. (2024, February 6). Real estate fraud risk is on the rise, and victims are sounding the alarm. Fox Business. Retrieved from https://www.foxbusiness.com/real-estate/real-estate-fraud-risk-is-on-the-rise-and-victims-are-sounding-the-alarm.
- Federal Trade Commission. (2023). How to Recognize and Avoid Phishing Scams. https://www.consumer.ftc.gov/articles/0003-phishing.
- Federal Trade Commission. (2023). Report Unwanted Email [Video]. https://www.youtube.com/shorts/YHaBmhjgtgo
- Federal Bureau of Investigation. (2023). Ransomware Actors Continue to Gain Access through Third Parties and Legitimate System Tools. https://www.ic3.gov/Media/News/2023/231108.pdf
- Federal Bureau of Investigation. (2023, March 17). Internet Crime Complaint Center Releases 2022 Statistics. Retrieved December 21, 2023, from https://www.fbi.gov/contact-us/field-offices/springfield/news/internet-crime-complaint-center-releases-2022-statistics.
- Grimes, R. (2023, November 10). FBI Warns About Callback Phishing. KnowBe4. Retrieved from https://www.knowbe4.com/phishing
- Hunt, T. (2024, February 23). Thanks, FedEx, This is Why We Keep Getting Phished. Retrieved from https://www.troyhunt.com/thanks-fedex-this-is-why-we-keep-getting-phished/
- Kron, E. (2024, August 19). Five novel email phishing attacks – and what to do about them. SC Magazine. Retrieved from https://www.scmagazine.com/perspective/five-novel-email-phishing-attacks-and-what-to-do-about-them.
- National Institute of Standards and Technology (NIST). (n.d.). Phishing Publications. Retrieved from https://csrc.nist.gov/projects/human-centered-cybersecurity/research-areas/phishing
- Costello, T. (2024, May 23). Government says more Americans becoming victims of email scams. NBC News. Retrieved from https://www.nbcnews.com/nightly-news/video/government-says-more-americans-becoming-victims-of-email-scams-211534405881.
- SANS Institute. (2022). Phishing Attacks Are Getting Trickier. OUCH! Security Awareness Newsletter. Retrieved from https://www.sans.org/newsletters/ouch/phishing-attacks-getting-trickier/.
- Sinch Mailgun. (2024, January 30). Gmail and Yahoo's 2024 inbox protections and what they mean for your email program. Retrieved from https://www.mailgun.com/blog/deliverability/gmail-and-yahoo-inbox-updates-2024/
- Tomasic, M. (2024, March 6). Messaging Do's and Don'ts. OUCH! Newsletter. https://www.sans.org/newsletters/ouch/messaging-dos-and-donts/
- Trend Micro. (2023, April 14). Worldwide email phishing stats & examples 2023. Retrieved December 21, 2023, from https://www.trendmicro.com/en_vn/ciso/23/e/worldwide-email-phishing-stats-examples-2023.html