How to Recognize and Avoid Being Tricked

Have you ever opened your email account to find an email from a service provider you have an account with that looks something like this: “Update Your Password to Secure Your Account”?

While this can sometimes indicate a legitimate need for you to update your account details, it can also be a phishing attempt.

What is Phishing?

Phishing is a type of online scam where an attacker, typically posing as a legitimate entity or organization, attempts to trick individuals into divulging sensitive information, such as usernames, passwords, and credit card details. This is often done by sending fraudulent emails or messages that appear to come from a trusted source, with the aim of luring the recipient into clicking on a malicious link or downloading an attachment containing malware.

Phishing attacks can also take the form of fake websites or pop-ups designed to collect personal information, or phone calls from scammers posing as customer service representatives or other trusted individuals.

14 Oranges has recently been receiving emails that are phishing attempts by a scammer pretending to be our software provider, Quickbooks. The emails look very official and use all of the same colours and branding as Quickbooks, but they come from “Quickbooks Intuit” versus the official emails which come from “Intuit Quickbooks”.

The goal of phishing attacks is to obtain sensitive information that can be used for fraudulent purposes, such as identity theft or financial fraud.

What the scammers hope I’ll do when I receive the phishing email from “Quickbooks” is click on the link they provide within the email, go to a fake Quickbooks page (not knowing it’s fake) and input my real login details.

The scammer can then use those details to log in to your account on the legitimate provider’s website to find other information they can use to gain access to other accounts and more.

Some phishers use the information they collect to log in to your online bank account and then drain your accounts by sending e-transfers.

Others use the information they steal through their scam to gain access to your social security number so they can eventually steal your identity. Last year, a couple in Toronto even had their home sold without their knowledge by individuals who stole their identity!

Fishy Emails Are Often Phishing Scams

How To Protect Yourself Against Phishing Scams

Be suspicious. If an email seems slightly off before clicking on any of the links look at it closely and check for spelling and grammar errors. Right-click on the email to see what the full sending address is–many times the “From” will say the legitimate company name, but when you review the sender’s email address, you’ll often see that the actual email address it was sent from isn’t legitimate.

If I’m unsure about the legitimacy of an email, my personal tactic is to simply log in to my account the way I normally would (not by clicking the link in the potentially dodgy email). So, for example, I start my own browser and go to the Quickbooks website, log in, and check to see if there are any notifications for me there that line up with what the email has said. Normally, if you need to take action regarding something to do with your account, like changing a password or updating payment information, you’ll be notified within your account. If I’m still unsure, I’ll contact the company’s support and find out if the email was actually sent by them.

What You Can Do To Ensure Phishers Don’t Try to Impersonate Your Company

To help reduce the risk of scammers using your company in their phishing activities, you can add what are called security mechanisms to your domain’s DNS entries. These DNS mechanisms provide an additional layer of security that makes it more difficult for attackers to spoof your identity via emails.

In addition to these DNS mechanisms, there are other security measures that can be implemented to help prevent phishing attacks, such as using HTTPS encryption to protect user data and implementing multi-factor authentication to prevent unauthorized access to user accounts.

For our 14 Oranges customers, as a first step, we recommend using an SPF (Sender Policy Framework) text entry, which is used as a mechanism to validate the authenticity of emails. It works by allowing a domain owner to specify which email servers are authorized to send emails on behalf of their domain.

When an email message is received, the recipient’s email server checks the SPF record for the sender’s domain to verify that the message was sent from an authorized server. If the email server determines that the message was not sent from an authorized server, it may be marked as spam or rejected altogether. When setting up your SPF entry, it is important to understand and make a list of all 3rd party tools (such as Mailchimp, Constant Contact, Sales Force, Hubspot, Sendgrid, Mailgun, so on) that are used to send emails on your behalf; otherwise, legitimate emails from coming these tools will be marked as spam.

Furthermore, by using SPF, domain owners can help prevent malicious agents from faking your company’s identity in phishing attacks on say your customers..
However, it’s important to note that no single security measure is foolproof, and you should take a layered approach to security by implementing multiple measures to help protect against different types of attacks.

If you’re concerned that your company domain is susceptible to potential phishing activities, give us a call and we can discuss ways to help ensure your site and domain’s security.

Sylvain Marcotte is CEO and President of 14 Oranges.

Fishy Emails Are Often Phishing Scams