Phishing, a Cyber Threat Insight Awareness Video
Phishing is the term used to describe the fraudulent practice of pretending to be a known contact or a reputable company with the intention of misleading the recipient into taking an action that compromises their system, or into giving up personal information such as a username, password, or credit card details.
Phishing attempts arrive by email and through websites that can look very convincing or legitimate, and they often play on human emotion.
When an attachment is opened, or a link to a compromised site is clicked, many of the security measures in place to protect PCs, laptops, and ultimately the network are circumvented, because the recipient, not an outside attacker, initiates the action.
Phishing emails are widely used because they are often successful. Phishing attempts are one of the most common ways attackers gain an initial foothold on a network.
Some phishing attempts are easy to spot, with poor grammar, strange subjects, or content that is of no interest, while others are more polished. The reality is that because phishing attempts are often successful, attackers have a financial motivation to make them more convincing and harder to detect.
Luckily, regardless of how convincing a phishing site or email looks, there are still ways to tell.
Some are Easy to Spot
To spot phishing attempts, look for these commonly used tactics.
Urgent Action Required. Preying on human emotion, the subject or content of a site or email may try to trick you into thinking some sort of action needs to happen immediately.
Some examples are:
- Your account will be closed or disabled
- Someone logged in with your password, please verify
- You won a free iPhone X
- A long-lost relative left you money
- A request for funds that must be transferred immediately
The old adage applies: if it seems too good to be true, it probably is.
Misleading attachments are commonly disguised as:
Faxes – Invoices – Payments – Resumes – Tracking information – Purchase orders
More sophisticated methods are a bit harder to spot.
Copying a business's corporate image, with an exact copy of its website graphics, logo, look, and feel, is very easy to do and is often done.
Commonly impersonated companies used by phishing attempts may include, but are by no means limited to, these:
Apple – Microsoft – Google – Dropbox – FedEx – LinkedIn – PayPal – Adobe – Blackboard – UPS – Facebook – Intuit
Often these are used with an attachment that supposedly holds more details about a service, account, or payment. The attachments used in these types of phishing attempts almost always carry malware, with ransomware a common payload, and should never be opened.
When these types of tactics are used, it makes it very difficult to spot Phishing attempts at first glance but if you look harder, the signs are there.
Often, phishing emails will look like they come from people you know or companies you recognize or do business with.
An example of this is a spoofed sender email address.
In this example, the sender name shows as iTunes, but the actual email address is not an Apple address or any other legitimate one. This is a clear sign that the email is a phishing attempt and it should be deleted.
In some cases, the name of the sender is correct but the email address is not. Other times, both the sender name and the email address appear correct: the address has been forged, or a real account has been compromised.
The methods used to make an email look like it comes from a legitimate source have become very convincing and make it very difficult for the recipient to tell whether an email is valid by looking at the sender alone. In these instances, you will need to look at the rest of the email, including its headers, for other clues.
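As an added example (not code from the original video or from the Cyber Threat Insight service), the following Python script applies the sender checks just described to a constructed .eml message. It flags a display name that claims a brand while the address domain is unrelated (the iTunes case), and, going one step beyond the video, it reads the receiving mail server's Authentication-Results header to catch the case where the address itself looks right but SPF, DKIM or DMARC reported a failure. The brand table, the sample messages and the header values are all constructed.

```python
"""Triage the From header of a suspicious email.

Added example, not code from the original video or the Cyber Threat
Insight service. Checks: (1) display name names a brand but the address
domain is unrelated; (2) address looks right but the receiving server's
Authentication-Results header records an SPF/DKIM/DMARC failure. The
brand table and the messages below are constructed.
"""
import email
import re
from email.utils import parseaddr

# Constructed: brands this organisation expects mail from, mapped to the
# registrable domains they really send from.
BRAND_DOMAINS = {
    "itunes": {"apple.com"},
    "apple": {"apple.com"},
    "fedex": {"fedex.com"},
}


def registrable_domain(address_or_host):
    """Last two labels of the domain. Good enough for this example; real
    code should consult the Public Suffix List (co.uk and similar)."""
    host = address_or_host.rsplit("@", 1)[-1].lower().strip()
    return ".".join(host.split(".")[-2:])


def brand_in_name(display_name):
    """Return the first known brand named in the display name, if any."""
    name = display_name.lower()
    for brand in BRAND_DOMAINS:
        if re.search(r"\b" + re.escape(brand) + r"\b", name):
            return brand
    return None


def auth_failed(msg):
    """True if any Authentication-Results header records an SPF, DKIM or
    DMARC failure. Assumes the receiving server adds this header."""
    for value in msg.get_all("Authentication-Results", []):
        if re.search(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b", value, re.I):
            return True
    return False


def triage_sender(raw_eml):
    """Return a list of findings about the From header (empty = no flags)."""
    msg = email.message_from_string(raw_eml)
    display_name, address = parseaddr(msg.get("From", ""))
    findings = []
    brand = brand_in_name(display_name)
    sender_domain = registrable_domain(address) if "@" in address else ""
    if brand and sender_domain not in BRAND_DOMAINS[brand]:
        findings.append(
            f"display name claims '{brand}' but address domain is {sender_domain or 'missing'}")
    if auth_failed(msg):
        findings.append("Authentication-Results reports SPF/DKIM/DMARC failure")
    return findings


# Constructed sample messages (reserved .example domains, not real senders).
SPOOFED_NAME = """From: iTunes <billing-update@mail-notice.example>
To: user@corp.example
Subject: Your account will be closed
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-notice.example

Please verify your details.
"""

SPOOFED_ADDRESS = """From: Apple <no-reply@apple.com>
To: user@corp.example
Subject: Someone logged in with your password
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=apple.com; dkim=none; dmarc=fail

Please verify your details.
"""

LEGIT = """From: Apple <no_reply@email.apple.com>
To: user@corp.example
Subject: Your receipt
Authentication-Results: mx.corp.example; spf=pass; dkim=pass header.d=email.apple.com; dmarc=pass

Thanks for your purchase.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed name", SPOOFED_NAME), ("spoofed address", SPOOFED_ADDRESS), ("legit", LEGIT)]:
        print(label, "->", triage_sender(raw) or "no flags")
```

The second sample is the one the video warns about: name and address both read "Apple", and only the authentication header gives it away. Mail clients usually show that header under "view source" or "message details".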
The goal of a phishing attempt is to get you to take an action that the sender wants you to take.
The three basic methods used by phishing attempts are:
Ask – Install – And Link
The ask method is where the phishing attempt asks for an action to be done or for the information directly.
An example would be for you to reply back to verify some piece of information needed. Another example would be an email asking for funds to be transferred for some urgent reason.
Before sending any information by email, you should either have known the request was coming or have confirmed that the source is legitimate.
If you were not expecting the email, or do not know whether the source is legitimate, confirm the request by calling or contacting the sender using contact details from a source other than the suspect email itself.
Meaning, if an email says it is about a credit card issue, call the number on the card itself and not a number on the email requesting the information.
If you are not sure of the sender or the request and cannot verify it, do not respond and do not take the requested action.
The install method relies on the recipient opening an attachment; the email supplies a compelling reason, tricking the recipient into thinking the attachment is legitimate or needed.
It is actually simple to avoid installing malware delivered by phishing attempts: never open an attachment unless you have verified the sender first.
These are easy to fall for if you are not careful, and you should always ask yourself whether there is a reason you have an attachment at all.
A very common example of this is a phishing email from FedEx. The email looks like it comes from FedEx and the attachment says it has tracking information.
The questions to ask would be:
Was I expecting a package?
Why would the tracking information be in an attachment?
Or, better yet,
Could I track my package directly at FedEx.com rather than clicking on the attachment or any other link in the email?
Using caution is the key to avoiding phishing attempts.
If you are not sure of the sender or the content of the attachment and cannot verify it, do not click on, download, open, or install it.
As for the link method, it’s easy to spot if you know what you are looking for.
The link method is used to send you to a location through the internet that the sender controls and wants you to go to. If you click on the link, it either sends you to a website to collect sensitive information, links to malware for installation, or some other malicious purpose.
In order for a phishing attempt to collect the desired information or install malware, the sender must control the destination somehow.
The destination could be a website on a domain the sender controls completely, or an innocent third party's website that was hacked and exploited.
In either case, the link itself can be used to spot the phishing attempt.
On a computer you can hover over the link with your mouse pointer to show where the link leads. When you hover over the link, a box may appear showing the destination, or the destination may display at the bottom of the active window.
On devices without a mouse pointer, such as phones and tablets, you can touch and hold the link to get a popup similar to the one shown here that shows the destination of the link. Be sure to hold the link to get the popup to show rather than tapping the link.
In this example, it is easy to see that this link is a phishing link and should not be clicked or followed. The destination of the link should be something that you recognize, or similar to the text in the link itself.
Be cautious of shortened links, and be sure to check all the links in an email to see whether they are all valid. Sometimes the links are valid in some spots and point to a malicious location in others.
In the example below, the link goes to www.google.com, which is a valid site, but in this instance it is still a warning sign, since the phishing email is trying to look like it is coming from Apple.
This is a great example of phishing attempts trying to look legitimate by mixing links to safe sites with links to malicious sites. In this case, even though google.com is a safe site, an Apple email has no reason to link to it, so it is also a giveaway that the email is a phishing attempt.
Links should lead you to a known or expected location at a legitimate site, but be sure to look carefully. Garbled or irrelevant site links are easy to see, but some malicious links are harder to spot.
Common tricks are to use variations of a safe site's domain name: adding or swapping characters, giving the address a different ending than the real site uses, or putting the real brand name in front of a domain the attacker controls.
Legitimate sites use their actual domain name and not a variation of it.
If you are not sure of the sender or the link and cannot verify it, do not click on or follow the link.
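As an added example (not code from the original video or from the Cyber Threat Insight service), the following Python script does mechanically what the video tells you to do by hovering: it pulls every link out of a constructed HTML email body and compares where the link text says it goes with where it actually goes. Beyond the video's own examples it also flags shortened links, lookalike domains (a brand name inside a domain the brand does not own), and any link that leads somewhere other than the site the email claims to come from, which is the google.com case above. The HTML body, the brand table and the shortener list are all constructed.

```python
"""Inspect the links in an HTML email instead of trusting the link text.

Added example, not code from the original video or the Cyber Threat
Insight service. The sample body, brand table and shortener list are
constructed; reserved .example domains stand in for attacker sites.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: brand -> registrable domain that brand really uses.
BRAND_DOMAINS = {"apple": "apple.com", "google": "google.com", "fedex": "fedex.com"}
# Constructed: shorteners hide the real destination, so treat them as unverifiable.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def registrable_domain(host):
    """Last two labels of a hostname (real code should use the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text, claimed_brand):
    """Return the reasons a single link is suspicious (empty list if none)."""
    host = (urlparse(href).hostname or "").lower()
    dest = registrable_domain(host)
    expected = BRAND_DOMAINS.get(claimed_brand)
    reasons = []
    if dest in SHORTENERS:
        reasons.append("shortened link hides the real destination")
    # The visible text names a site, but the href goes somewhere else.
    shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
    if shown and registrable_domain(shown.group(1)) != dest:
        reasons.append(f"text shows {shown.group(1)} but the link goes to {host}")
    # Lookalike: a brand name inside a domain that brand does not own.
    for brand, real in BRAND_DOMAINS.items():
        if brand in host and dest != real:
            reasons.append(f"'{brand}' appears in {host}, which is not {real}")
    # A safe but unrelated site is still a giveaway (the google.com case).
    if not reasons and expected and dest != expected:
        reasons.append(f"leads to {dest}, not to {expected} as the email claims")
    return reasons


def check_email_links(html, claimed_brand):
    """Map every href in the body to its list of reasons."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text, claimed_brand) for href, text in collector.links}


# Constructed HTML body of an email that claims to come from Apple.
SAMPLE_HTML = """
<p>Someone logged in with your password. Please verify your account:</p>
<a href="http://apple-id-verify.example/login">www.apple.com</a><br>
<a href="https://www.google.com/">Privacy policy</a><br>
<a href="https://bit.ly/example">Unsubscribe</a><br>
<a href="https://www.apple.com/support/">Apple Support</a>
"""

if __name__ == "__main__":
    for href, reasons in check_email_links(SAMPLE_HTML, "apple").items():
        print(href, "->", "; ".join(reasons) or "no flags")
```

Only the last link in the sample passes; the first is flagged twice, once because its text claims a site it does not go to and once because the brand name sits inside a domain Apple does not own. The two-label domain rule is deliberately simple; for country-code domains like co.uk, use the Public Suffix List.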
Email Best Practices
Here are some Best Practices to keep in mind when using email.
Never give out personal information including:
- Usernames or passwords
- Social Security Numbers
- Banking Information
- Credit Card Numbers
- Mother’s Maiden Name
- Or Birth Date
If you are unsure whether the email is legitimate, call the sender or, if you already know the sender's email address, send them a separate, new email asking about the email in question.
Never respond to, call a number from, or click on a link in a suspected phishing attempt. Phishing attempts by definition are misleading and can contain phone numbers and other contact information controlled by the malicious sender. When validating a suspicious site or email, always look up the information outside of the suspected phishing site or email.
SSL and HTTPS do not mean that a site, or a link to a site, is safe.
Even though a site uses the HTTPS protocol, that does not mean the site is safe to use.
Sites that use HTTPS present a TLS (historically SSL) certificate, which means that the data transferred between the site and your machine is encrypted and that the site's name matches the certificate. It does not ensure that the site or the data it serves is not malicious; an attacker can obtain a valid certificate for a domain they control just as a legitimate business can.
Making sure you see the lock in the browser when entering sensitive data on sites you know to be legitimate is still important, but it cannot be used as an indicator of whether the site itself is legitimate.
If you are still unsure if what you are looking at is a phishing attempt you still have options:
You could err on the side of caution, ignore the request, and wait for a possible second request for clues.
If you are unable to validate the sender, you can submit suspected phishing emails using the "Report Phishing Email" option in Outlook that is included as part of the Cyber Threat Insight service.
Thank you for watching our phishing awareness video.
Contact us for more information about our services, including awareness training, threat simulations, network assessments, dark web monitoring, password management, and more.