“I don’t know why you unethical f–kers think you can get away with this.”
Pretty shocking, right? That was one of the more memorable phishing email subject lines my colleagues recently spotted in their work inbox.
This particular attempt went on to ask why the recipient wouldn’t pay an “invoice” attached to the email. Our IT staff later confirmed this attachment carried a ransomware payload.
Like the confusing influx of different Oreo flavors in recent years (cotton candy Oreos, really?), the variety of phishing email attempts has blossomed. The “shock and awe” method described above is not a new tactic, though the use of vulgarity seems to be a relatively new variation.
Fake shipping confirmations. Tax-related W-2 requests. Emails requesting password resets for social media accounts, online banking, you name it. These are just a few ways scammers use social engineering to bypass technological safeguards and compromise sensitive data.
Same Goal, Different Wrappers
No matter the method, each phishing email shares the same goal: Get a human to grant a cybercriminal access where a piece of malware alone could not do the job. Recent industry research continues to show how effective these attacks are.
Last year, according to the 2017 Data Breach Investigations Report, one in 14 users was tricked by a phishing email into following a link or opening an attachment. Overall, 43% of the thousands of data breaches analyzed in the report were the result of phishing.
Fortunately, just as these attacks share the same goal, many share the same signs revealing their true nature as a phishing attempt. Here are five common signs to keep an eye out for:
1. Spell Check to the Rescue
One of the most obvious giveaways in a phishing email is incorrect spelling in the body or the subject line. This becomes especially significant when the mail purports to be from a larger corporation, like LinkedIn or T-Mobile. You can bet that multimillion-dollar corporations have the resources to spell check all customer-facing communications, even if they’re automated.
2. Hover Before You Click
The highlighted blue text of a hyperlink in an unexpected email should automatically raise a red flag. Phishers often try to conceal URLs leading to malware this way, so a good rule of thumb is to always hover over hyperlinks in emails before you click them. This will reveal the true destination of the URL, no matter what the linked text says. On mobile devices, carefully long-pressing on a suspicious hyperlink will reveal the link destination and other options. Does the destination URL look suspicious? Time to delete that email, or report it to your IT staff.
Phishers will also try to masquerade phishy URLs as legitimate ones by including some or all of an actual brand name. For example, “http://www.paypal@playpaysite.com/34-1e.php” will direct clickers to “playpaysite.com” and is not affiliated with the legitimate PayPal site in any way. The dead giveaway here is the @ symbol. A browser treats everything between “http://” and the @ as a username, and the host it actually connects to is what follows the @, up to the first single forward slash (/). The “www.paypal” might as well not be there.
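The following is an added example (not code from the original article) showing how the two tricks above look to a URL parser, and how a defender can flag them before a user clicks. It uses Python’s standard-library urllib.parse, so that the host it reports is the one a browser would resolve. The brand watch list, the “last two labels” approximation of the registrable domain, and the sample links (including the 203.0.113.7 documentation address) are all assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed watch list for this example; a real deployment would use the
# brands the organization actually deals with and a public-suffix list.
WATCHED_BRANDS = ("paypal", "linkedin", "t-mobile")


def _with_scheme(url):
    """Hover text and pasted links often omit the scheme; add one so the
    authority part is parsed as a host instead of a path."""
    return url if "://" in url else "http://" + url


def real_host(url):
    """Host a browser will actually connect to, ignoring anything before '@'."""
    return (urlsplit(_with_scheme(url)).hostname or "").lower()


def phishy_url_reasons(url, brands=WATCHED_BRANDS):
    """Return human-readable reasons a link destination looks suspicious.
    An empty list means none of the checks below fired."""
    parts = urlsplit(_with_scheme(url))
    host = (parts.hostname or "").lower()
    userinfo = (parts.username or "").lower()
    reasons = []

    # 1. Credentials in the URL: everything before '@' is ignored for routing.
    if parts.username is not None:
        reasons.append(
            f"'@' in link: browser connects to {host!r}, not {userinfo!r}")

    # Approximate the registrable domain as the last two labels
    # (example.org -> example.org, a.b.example.org -> example.org).
    registrable = ".".join(host.split(".")[-2:])

    for brand in brands:
        # 2. Brand name hidden in the part before '@'.
        if brand in userinfo and brand not in registrable:
            reasons.append(
                f"brand {brand!r} appears before '@' but host is {host!r}")
        # 3. Brand name used as a subdomain or lookalike of an unrelated domain.
        elif brand in host and brand not in registrable:
            reasons.append(
                f"brand {brand!r} in host {host!r} but domain is {registrable!r}")

    # 4. A bare IPv4 address instead of a domain name.
    if host.replace(".", "").isdigit():
        reasons.append(f"host {host!r} is a raw IP address, not a domain")

    return reasons


if __name__ == "__main__":
    # Constructed sample links: the article's '@' example, a legitimate link,
    # a brand-as-subdomain lookalike, and a raw-IP download.
    samples = [
        "http://www.paypal@playpaysite.com/34-1e.php",
        "https://www.paypal.com/signin",
        "http://paypal.com.secure-login.example/verify",
        "http://203.0.113.7/update.exe",
    ]
    for link in samples:
        print(link, "->", real_host(link))
        for reason in phishy_url_reasons(link):
            print("   !", reason)
```

The check is deliberately conservative: it only raises flags when the host a browser would resolve disagrees with what the link text or its decorations suggest, so a genuine brand link such as https://www.paypal.com/signin produces no findings. A production filter would replace the two-label domain approximation with a public-suffix list and feed hover text straight from the mail client.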
3. “To Whom It May Concern”
Any messages addressed generically, especially ones regarding financial transactions, are suspicious. A common phishing tactic includes blasting out generic emails to thousands, sometimes millions, of email addresses, often gleaned from a compromised or stolen database. All it takes is one user to click on one of these emails for the cycle to repeat itself.
The same caution should be exercised if suspicious emails come to an email alias address that includes multiple individual email addresses. Examples of these include HR@companyXYZ, or payroll@companyXYZ. My own company had a close call a few months ago with a ransomware-carrying email sent to a sales alias email address.
4. Be Wary of Attachments
Though it’s almost reached “old-fashioned” status in favor of URLs leading to downloads, the malware-carrying file attachment is still a common tactic for phishers. The 2017 Verizon data breach report found that 66% of malware installed in 2016 got onto machines and networks via a malicious attachment.
Many email systems will flag or altogether block attachments for this reason. But when they don’t, it’s up to the person receiving the file to decide what to do. In all circumstances: unexpected attachments should not be opened. The risk is simply not worth it.
5. Are You Threatening Me?
As the opening line of this article points out, phishing email attempts will often seek an emotional response from the recipient using inflammatory or threatening language. These tactics take advantage of the ancient human tendency to take quick, unthinking action in the face of danger. In this scenario, this means clicking a link you may not have given much thought to.
Banks, phone companies, even the federal government are not in the habit of threatening account closure or arrest via email. If the subject line or body of the email tells you to do something right now, or else, chances are it’s not what it seems.
The You Factor
The methods listed above are good overall points to look for when scrutinizing a suspicious email. However, they do not represent all the ways in which scammers will attempt to phish you or your employees. That’s why a vitally important sixth way of spotting a phishing email should be pointed out. And it’s sitting right where you are.
That’s right, it’s you.
You have the best understanding of what sort of emails you usually get at home and at work. If an email just feels off for any reason, that’s enough to be wary of it. Any legitimate email request can be followed up with a phone call or separate email.
Odd-looking financial request from your boss? Call him or her or, if possible, stop by his or her office. An email that looks to be from your bank, but is asking for something that makes you uncomfortable? That’s what customer service representatives are for. Give them a ring and ask about the topic of the email over the phone.
The sheer ingenuity of cybercriminals almost guarantees the coming years will bring phishing attempts no one has ever seen before. Just look at the Google Docs phishing scam from last month. That’s why a healthy dose of security awareness, with some skepticism and situational awareness thrown in, can go a long way.