“I don’t know why you unethical f–kers think you can get away with this.”
Pretty shocking, right?
That was one of the more memorable phishing email subject lines my colleagues recently spotted in their work inbox.
This attempt went on to ask why the recipient had not paid an “invoice” attached to the email. Our IT staff later confirmed this attachment carried a ransomware payload.
The “shock and awe” method described above is not a new tactic, though the use of vulgarity seems to be a relatively new variation.
Fake shipping confirmations. Tax-related W-2 requests. Emails requesting password resets for social media accounts, online banking, you name it. These are just a few ways scammers use social engineering to bypass technological safeguards and compromise sensitive data.
No matter the method, each phishing email shares the same goal: Get a human to grant a cybercriminal access where a piece of malware alone could not do the job.
The basic phishing attack has three components:
- The sender of the phishing email (often called the attacker)
- The intended target
- The email itself
Exact motives vary, but the point of nearly all phishing emails is theft, either through stealing funds directly or accessing sensitive information that can be sold for a pretty penny in the seedy back alleyways of the Internet.
For example, attackers will craft emails to look like bank alerts hoping the targets will be tricked into giving up credentials on a fake login page. Cyberthreat analysis firm Webroot found that fake web pages connected to phishing attacks grew 220% from January to December 2018, with more than three-quarters impersonating financial institutions.
Alternatively, phishers will entice their targets to click on a link, triggering a download of malware designed to grant the attacker access to a single computer or whole network.
The strategies are many and recent industry research continues to show how effective these attacks are.
Social engineering scams of some kind snagged 72 victims per day on average in 2018, costing about $48 million, according to the FBI’s annual Internet Crime Report.
Verizon’s 2019 Data Breach Investigations Report (DBIR) found that 94% of detected malware came in via email, and that 32% of confirmed breaches started with phishing.
How to Spot a Phishing Email
“But my employees know what a phishing email looks like,” you might be thinking, “They won’t be tricked.”
The truth is, anyone can make a mistake.
Hidden among the dozens of real (or at least irrelevant but harmless) emails your employees get every day is a message designed to do harm. All it takes is a split-second lapse in judgement to fall into the phisher’s hands.
Fortunately, just as these attacks share the same goal, many share the same signs revealing their true nature as a phishing attempt.
Here are five common signs to keep an eye out for:
Check the Spelling
One of the most obvious giveaways in a phishing email is incorrect spelling in the body or the subject line.
Misspellings become especially significant when the mail purports to be from a larger corporation, like T-Mobile or Facebook (notice the misspelling of “facbook” in the URL of the sample email above). You can bet that multimillion-dollar corporations have the resources to spell check all customer-facing communications, even if they’re automated.
Some InfoSec researchers even suggest that misspellings are used on purpose to increase the odds that less observant targets are tricked. This would theoretically make it easier to string these targets along for additional data theft or compromise.
Hover Before You Click
The highlighted blue text of a hyperlink in an unexpected email should automatically raise a red flag.
Phishers often try to conceal URLs leading to malware this way, so a good rule of thumb is to always hover over hyperlinks in emails before you click them. This will reveal the true destination of the URL, no matter what the linked text says.
On mobile devices, carefully long-pressing on a suspicious hyperlink will reveal the link destination and other options.
Does the destination URL look suspicious? Time to delete that email or report it to your IT staff.
Phishers will also try to disguise phishy URLs as legitimate ones by including some or all of an actual brand name. For example, “http://firstname.lastname@example.org/34-1e.php” will direct clickers to “playpaysite.com” and is not affiliated with the legitimate PayPal site in any way. The dead giveaway here is the @ symbol: a browser treats everything between the scheme and the @ as a username, and the real host is the text after the @ up to the first single forward slash (/). The “www.paypal” might as well not be there.
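The two checks above (hover to compare the visible link text with the real destination, and watch for an @ hiding the real host) can be automated for a mailbox or a help-desk triage queue. The script below is an added example, not part of the original article; the sample HTML is constructed from the page’s own “www.paypal…@playpaysite.com” description, and the function names are mine.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email body: the first link shows one site in its visible
# text but points elsewhere, and hides the real host behind an "@" (userinfo).
SAMPLE_HTML = """
<p>Please confirm your account at
<a href="http://www.paypal.com@playpaysite.com/34-1e.php">https://www.paypal.com</a>
or <a href="https://www.paypal.com/signin">sign in here</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def real_host(url):
    """Host the browser actually connects to; anything before '@' is userinfo."""
    return (urlsplit(url).hostname or "").lower()


def check_link(href, text):
    """Return reasons the link looks deceptive (empty list if nothing stands out)."""
    reasons = []
    parts = urlsplit(href)
    if parts.username is not None:  # the "@" trick from the article
        reasons.append(f"userinfo '{parts.username}' hides real host '{real_host(href)}'")
    if text.startswith(("http://", "https://")) and real_host(text) != real_host(href):
        reasons.append(f"link text shows '{real_host(text)}' but goes to '{real_host(href)}'")
    return reasons


def analyze(html):
    """Map each href in the body to its list of warning reasons."""
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}
```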
Be Suspicious of Generic Greetings
Any messages addressed generically, especially ones regarding financial transactions, are suspicious.
For better or for worse, most companies that deal in data have enough information on their customers to call them by their names in email communication. While creepy to some, this personalization can help separate real emails from fake ones.
A common phishing tactic includes blasting out generic emails to thousands, sometimes millions of email addresses, often gleaned from a compromised or stolen database. All it takes is one user to click on one of these emails for the cycle to repeat itself.
The same caution should be exercised if suspicious emails come to an email alias address that includes multiple individual email addresses. Examples of these include HR@companyXYZ, or payroll@companyXYZ.
Be Wary of Attachments
Though attachments have almost reached “old-fashioned” status in favor of URLs leading to downloads, the malware-carrying file attachment is still a common tactic for phishers.
The 2019 DBIR reports that email attachments were the leading cause of malware delivery in 2018 cyber incidents, with 45% of malware coming from attached Microsoft Word documents.
Many email systems will flag or altogether block attachments for this reason. But when they don’t, it’s up to the person receiving the file to decide what to do.
In all circumstances: unexpected attachments should not be opened. The risk is simply not worth it.
Don’t Be Intimidated
As the opening line of this article points out, phishing email attempts will often seek an emotional response from the recipient using inflammatory or threatening language.
Other examples include emails claiming to be from a bank or even a law enforcement agency threatening account closure or arrest if immediate action is not taken.
These tactics take advantage of the ancient human tendency to take quick, unthinking action in the face of danger. In this scenario, this means clicking a link you may not have given much thought to or replying with the information requested by an attacker pretending to be a supervisor.
The reality is banks, phone companies, even the federal government are not in the habit of threatening serious action of any sort by email. Snail mail or in-person contact are the far more likely avenues for these sorts of communications.
If the subject line or body of an email tells you to do something right now, or else, chances are it’s not what it seems.
The Human Factor
The methods listed above are good overall points to look for when scrutinizing a suspicious email. However, they do not represent all the ways in which scammers will attempt to phish you or your employees.
That’s why a vitally important sixth way of spotting a phishing email should be pointed out.
And it’s sitting right where you are.
That’s right, it’s you—you and the employees entrusted with your organization’s cybersecurity wellbeing.
You have the best understanding of what sort of emails you usually get at home and at work. If an email just feels off for any reason, that’s enough to be wary of it. Any legitimate email request can be followed up with a phone call or separate email.
Odd-looking financial request from your boss? Call him or her or, if possible, stop by his or her office.
An email that looks to be from your bank, but is asking for something that makes you uncomfortable? That’s what customer service representatives are for. Give them a ring and ask about the topic of the email over the phone.
The sheer ingenuity of cybercriminals almost guarantees the coming years will bring phishing attempts no one has ever seen before. That’s why a healthy dose of security awareness, with some skepticism and situational awareness thrown in, can go a long way.
Want to keep your employees’ phishing email knowledge up to snuff? MediaPRO’s Phishing Simulator is an optional component of all our TrainingPacks, which include comprehensive security and privacy awareness training coverage, employee assessments, and customer support. Speak to an expert to learn more or request a demo.