The OEM has published a blog in which it illuminates readers as to three ways to tell when they are falling victim to a phishing scam.
Xerox calls phishing “the primary method hackers use to obtain victims’ personal data,” with the added note that “email is the most vulnerable form of communication”, owing to the ease with which someone can forge a counterfeit identity, and the fact that the medium “represents an easy way into nearly any organisation.”
This is particularly the case for large businesses where the employees will not all be familiar with each other, and where an email from someone in higher management “will often be taken at face value.”
As Xerox says, “you can build the biggest, strongest, most secure walls around your data infrastructure, but it only takes one careless employee to accidentally invite the enemy through the front door.” Therefore, it has presented its three biggest red flags for suspicious emails, to prevent yourself getting phished.
The first of these is mismatched names, which the OEM calls “the biggest telltale signs of known phishing scams.” It explains that whilst the From field in an email may seem legitimate, a check of the email address itself may not correspond. Often it may be a slight difference, like a hyphenated version of the company name, or it may be something completely different. Another giveaway along similar themes is if an email from a trusted third-party doesn’t use your own name in the opening to the email.
The second red flag highlighted by Xerox is emails from unknown figures (often supposed authority figures) saying “Urgent Action Required”; the OEM points out that employee intimidation is “exactly what cybercriminals want.” It recommends that your company’s cybersecurity policy should either “provide for verification of urgent action emails – or simply require that urgent actions be communicated by more secure means.” This is especially the case for any emails which threaten punishment or damage for not taking “urgent action.” Xerox also recommends verifying any suspicious emails of this sort by phone, stating that “occasionally annoying the CEO is far preferable to accidentally allowing a high-profile data breach that costs millions of dollars and generates widespread public distrust in the company.”
Thirdly, Xerox warns readers to be wise to embedded links, as cybercriminals can forge domain names as easily as they can forge email addresses. “Most people are not familiar with DNS naming structure,” the OEM states, “and will fall for a link that looks legitimate.” The blog adds that “cybercriminals using an IDN homograph attack can even forge a domain that looks exactly like the domain they are impersonating using international character symbols,” warning that “no human eye could tell the difference.”
The blog concludes by reassuring readers that there is still time to formulate a response to the results of phishing, such as malware or ransomware, as these programmes often don’t take root in a network immediately. Xerox recommends appointing a cybersecurity expert, and having them install a comprehensive security suite to “thwart would-be attackers before the attack is fully triggered. If you have reason to believe your network might be compromised, the time for a full-scale audit is now.”
You can read the blog in full, here.
