
24 November 2021

5 ways to help your customers avoid phishing scams during Black Friday

by Ion Todd, CISO

With the holiday season looming, many shoppers are looking to take advantage of Black Friday / Cyber Monday discounts with their favourite online sellers. But this increase in marketing material and online purchasing also presents an opportunity for malicious actors to trick customers into interacting with phishing emails, which can end in stolen card details, compromised accounts and a ruined holiday shopping experience.

At Stitch, we work to prevent fraud for the businesses that use our solutions. That fraud often involves stolen card or identity details, which are frequently harvested through phishing attacks and scams.

To help everyone remain safe during the holiday season, we’ve put together some advice that businesses can share with their customers.

3 common types of email phishing

When searching for “types of phishing,” a lot of results will likely come up. We’ve simplified this into three core types of action a phishing email might try to trick a customer into taking:

1. Open a malicious document

This type of phishing aims to achieve remote code execution on someone’s computer, typically by exploiting an outdated PDF reader (such as an unpatched Adobe Acrobat Reader) or by tricking them into enabling and running Office macros.

Example of phishing: Microsoft Office

This can be a real problem and a favourite way for attackers to get access to a machine. Customers should be careful when opening or running anything sent by an untrusted party. PDFs are safer opened in a browser’s built-in viewer (such as Chrome’s), which runs in a sandbox, than in a desktop reader, and no document should ever be trusted just because it asks the reader to “enable content” or “enable macros”.

2. Inadvertently do something malicious themselves

This is often called CEO fraud. In this case, an attacker spoofs an executive and tries to get money paid urgently into an account they control. Technically, though, this category covers any attack where someone is social-engineered over email into taking a harmful action themselves, such as sharing confidential documents or revealing sensitive information.

Example of phishing: CEO fraud

These attacks typically target people who have the ability to move money within organisations, so most customers are unlikely to be on the receiving end of CEO fraud. The safe habit for anyone, however, is to verify sensitive or unusual requests (especially anything involving money or credentials) through a different communication channel, such as a phone number already on file rather than one supplied in the email.

3. Enter sensitive information into a malicious website

This kind of attack vector has been around since the mid-90s, and while implementations have become more varied, the fundamentals remain unchanged. In this case, an attacker crafts an email masquerading as a reputable company, or a representative of that company. The email demands action: either information needs to be confirmed, or something has gone wrong and needs to be urgently rectified.

Regardless of the pretext, when the customer clicks the link in the email, they are taken to a fake website that captures whatever they type. These sites typically look identical to the real thing and will often redirect the victim to the legitimate website’s login screen after capturing their details, so nothing looks out of the ordinary.

Example of phishing: malicious website

Customers are likely to receive an influx of marketing communications around the holiday season, and identifying which might be malicious can be difficult. This is exacerbated by an increase in legitimate deals that sound a bit too good to be true, and by the general increase in online shopping promotion. If they’re unsure, there are a few ways customers can check the legitimacy of an email.

5 ways to identify a phishing email

A bad way to spot phishing

The traditional advice is that incorrect grammar, an unfamiliar tone or spelling mistakes are a good sign that an email is phishing. This is no longer a strong signal, as modern phishing emails are increasingly sophisticated (and spellcheckers are everywhere). It also relies on users having a firm grasp of written English, and most businesses cannot expect a large number of their customers to critically proofread every email they receive.

Better, but still difficult ways to spot phishing

Phishing emails (or lures) typically have a few key features:

  • The website they link to is illegitimate: This can be quite difficult to detect, because of link shorteners and lookalike domains. Typically the domain differs from the real one by only a character or two (a swapped letter, an extra hyphen) or uses a different top-level domain, and the visible link text may show the real address while the underlying link points somewhere else.
  • The email address they send from is illegitimate: Here again, memorising the support email addresses of everyone a customer has interacted with online is difficult. Some cases are obvious, such as an address padded with random numbers, but often the email comes from a domain very similar to the legitimate one, and the customer would have to be paying close attention to spot it. The display name can be set to anything by the sender, so it is the actual address that matters. Something to keep in mind is that established businesses almost never communicate from a public email domain such as @gmail.com, @yahoo.com or @outlook.com.
  • There is a sense of urgency: The content of the email often contains a directive that implies urgency, for example that a customer’s account will be disconnected if they don’t take X action immediately. Generally, legitimate businesses approach sensitive issues with a less dramatic tone.
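The three signals above can be turned into simple automated checks. The following is an added example written for this article, not Stitch’s own tooling: it parses a raw email, compares the sender domain and every link target against an assumed allow-list of domains the customer genuinely deals with (`KNOWN_DOMAINS`, constructed here), flags public webmail senders, flags link text that shows one domain while pointing at another, and looks for urgency phrases. The two sample emails are constructed for the demonstration.

```python
"""Heuristic checks for the three lure features described above: a lookalike
link target, a lookalike or public-webmail sender domain, and urgency language.
Example code added for this article, not Stitch's own tooling."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains the customer genuinely deals with (constructed).
KNOWN_DOMAINS = {"example-shop.com", "examplebank.co.za"}
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended",
                   "will be disconnected", "will be cancelled", "verify now")
# Link text that itself looks like a URL or a bare domain name.
DOMAIN_RE = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:[/?#]\S*)?$", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Drop subdomains: keep the last two labels, or three under ccSLDs such as
    co.za. Adequate for a demo; real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "ac"} else 2
    return ".".join(labels[-keep:])


def lookalike_of(domain: str, known=KNOWN_DOMAINS):
    """Return the known domain that `domain` imitates (close but not equal), else None."""
    if not domain or domain in known:
        return None
    for k in known:
        # A swapped/added character, or the same brand label under another TLD.
        if edit_distance(domain, k) <= 2 or domain.split(".")[0] == k.split(".")[0]:
            return k
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def body_text(msg) -> str:
    """First text/* part of the message, decoded with its declared charset."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyse(raw_email: str) -> list:
    """Return human-readable findings; an empty list means no signal fired."""
    msg = message_from_string(raw_email)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    sender = registrable_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""
    if sender in PUBLIC_WEBMAIL:
        findings.append(f"sender uses public webmail domain {sender}")
    elif lookalike_of(sender):
        findings.append(f"sender domain {sender} imitates {lookalike_of(sender)}")
    body = body_text(msg)
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        host = urlparse(href).hostname
        target = registrable_domain(host) if host else ""
        hit = lookalike_of(target)
        if hit:
            findings.append(f"link target {target} imitates {hit}")
        m = DOMAIN_RE.match(text)   # visible text claims to be a URL/domain
        if m and target and registrable_domain(m.group(1)) != target:
            findings.append(f"link text shows {registrable_domain(m.group(1))} "
                            f"but points to {target}")
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    urgent = [p for p in URGENCY_PHRASES if p in plain]
    if urgent:
        findings.append("urgency language: " + ", ".join(urgent))
    return findings


# Constructed lure: one-character lookalike domain, mismatched link text, urgency.
LURE = """From: "Example Shop Support" <support@examp1e-shop.com>
To: customer@example.org
Subject: Action required: confirm your Black Friday order
Content-Type: text/html; charset=utf-8

<html><body><p>Your order will be cancelled unless you verify now.</p>
<p><a href="https://login.examp1e-shop.com/verify">https://example-shop.com/account</a></p>
</body></html>
"""
# Constructed legitimate mail sent from a subdomain of a known domain.
LEGIT = """From: "Example Shop" <news@mail.example-shop.com>
To: customer@example.org
Subject: Black Friday deals are live
Content-Type: text/html; charset=utf-8

<html><body><p>Our Black Friday deals are live until Monday.</p>
<p><a href="https://www.example-shop.com/deals">Browse deals</a></p></body></html>
"""

if __name__ == "__main__":
    for name, mail in (("lure", LURE), ("legit", LEGIT)):
        print(name, analyse(mail) or ["no phishing signals"])
```

The edit-distance and same-brand-label rules are deliberately loose so that a one-character swap or a changed top-level domain is caught; a production filter would also resolve link shorteners and use the Public Suffix List rather than the crude `registrable_domain` above.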

The best, but least convenient, way to protect yourself from phishing

All of the methods mentioned above can be confusing. Instead of trying to memorise a number of domains and agonise over small details, a far more robust way to avoid phishing scams is to build a habit of not clicking on links in emails at all. When prompted to perform a time-sensitive action on a website, instead of clicking in the email, customers should browse to the website the way they normally would (via a search engine, a bookmark or their browser history) and log in that way.

Most services today show a notification badge in the app or on the account page, which will surface any action that genuinely needs attention. This method is a little less convenient, but it takes the whole burden of understanding phishing off customers so that they can focus on living their lives.

How Stitch helps e-commerce sites prevent fraud on their platforms

As a result of email phishing scams, customers are highly susceptible to bank card fraud and identity theft, and this is exacerbated during times of high traffic such as Black Friday. 

If you’re an e-commerce business, chances are you’re looking to instil more confidence in your consumers while also combating fraud on your platform. Stitch’s pay-by-bank product includes measures aimed at fraud-free payments, such as identity verification and suspicious activity tracking, which prevent phishers from using stolen customer details on your platform.

For businesses that use Stitch to enable bank payments, we match the details on the customer’s bank account (e.g. name, email, address) to the details that the business holds for that customer. For example, if a customer is trying to check out on your site via Stitch InstantEFT, we can first check the customer’s bank account ownership against your own KYC information, ensuring that the customer isn’t using a third party’s details to pay for the transaction.

How Stitch prevents bank fraud in e-commerce

Because we link to customers’ financial accounts while a payment transaction is happening, we can also check any suspicious transaction against their bank account behaviour to confirm that they are good actors on your platform.

Using these methods, we’ve been able to fully eliminate fraud on our pay-by-bank product, making it easier for consumers to pay and for businesses to securely and directly accept payments. 

Want to learn more about how you can enable seamless, instant bank payments on your platform, without fear of fraud? Get in touch at sales@stitch.money.
