A phishing email is frequently the starting point for a cyber attack. While spam filters, whitelists and antivirus programs do an adequate job of keeping malicious emails from making their way to end users’ inboxes, there are still plenty that make it through. With the COVID-19 pandemic, many organizations have shifted to a remote workforce, which has introduced new security risks. Scammers are using this situation to get even more people to fall for their schemes.
In this blog, we’ll take a deeper dive into the anatomy of a phishing email and how you can prevent yourself and your organization from becoming victims.
The Background
Why do people keep falling for the bait? According to one study, participants are consistently overconfident when it comes to detecting phishing emails. But the reality is that a lot of these emails are so well crafted that they look like messages that people trust from brands they know well.
Twenty-two percent of security breaches in 2019 involved phishing, according to a recent report. While security awareness training can help limit the rate and/or impact of phishing attacks, many organizations still don’t have a regular training program in place or enforce security policies they may have. In other words, telling employees not to click on phishing emails isn’t enough.
Still, if you take extra time and pay attention to the details, there are often very clear red flags you can use to spot a phishing or a more targeted spear phishing email.
Here are five things you can watch out for.
1. Sender Details
It’s difficult to tell if an email is safe purely from the visible sender information. Threat actors who send phishing emails can include misleading details in an email’s “From” field to make it look legitimate. A savvy user will examine an email header and the appropriate fields to verify the true origin of the email. However, a phishing email can also come from the email account of someone you know. Phishing campaigns can be spread by using a previous victim’s email client to forward the scam to more victims in their contact list.
Beyond simply verifying the sender, ask yourself:
- Is this the type of content I would normally see from this person?
- Would they be likely to send me only a link or a one-line “get rich quick” offer with no other context or content?
Making a quick phone call or sending out a separate email to that person to see if the email is indeed from them or not can make all the difference in avoiding a compromise.
It’s also important to carefully scan the email domain in context with the displayed sender information. For instance, reputable companies, especially well-known larger brands, won’t use free public email services like Gmail or Yahoo to send mass emails or correspond with you. So an email address like bankofamerica@gmail.com or citibank@yahoo.com is a dead giveaway that it’s not legitimate.
2. Subject Lines
Emails, whether from a legitimate organization or a threat actor, often feature a catchy subject line to get readers’ attention. There is no definitive way to determine the validity of an email from the subject line alone. However, suspicious subject lines with misspellings, all capital letters, uncommon characters and offers that sound too good to be true can be other indicators of a phishing email.
Many common phishing email subject lines usually include an offer of money to attract as many victims as possible. Beware of emails promising you money or other rewards “if you act fast!” This is a favorite social engineering technique threat actors use to get people to act without thinking.
Spear phishing email subject lines are more specific to the intended victim’s environment. Be aware of how these work and what to look for, such as urgent requests to review a file, transfer money and so forth. When in doubt, pick up the phone, send a text, or shoot your friend or colleague an IM to be sure that they are indeed requesting that wire transfer or confidential information.
3. Content
The content of an email can provide many telltale signs that you’re dealing with a phishing scheme. When it comes to emails from a known organization, logos and names can be impersonated by malicious hackers, so don’t rely on them to judge the legitimacy of an email. Pay attention to the greeting and compare it to any previous emails you might have from that organization. Are you being addressed the same way as in the previous emails? For example, your bank probably addresses you by the name on your account, while your friends and colleagues might call you by a nickname. If your bank is addressing you differently than it normally would in an email, it can be a sign something’s “phishy.”
Next, pay attention to the grammar and spelling. This is often a huge red flag. Legitimate organizations typically don’t make glaring errors in their communications. And legitimate businesses and organizations will never ask you to supply confidential information like your Social Security number or your username and password via email.
4. Context
You also need to confirm the overall context of the message. Phishing emails are designed to get victims to reveal private or sensitive information. Be highly suspicious of requests for passwords, account numbers or verification of sensitive information.
Additionally, be aware of any implied sense of urgency in the message. It’s common for threat actors to push people into acting quickly without thinking or verifying the validity of the message. This might take the form of a monetary reward, or conversely, being threatened with penalties if action isn’t taken with a specific timeframe.
Even if the email appears legitimate, you should always make a phone call to the alleged sender organization to verify any request before providing sensitive or private information.
5. Links and Attachments
Phishing and spear phishing emails are often designed to implant some type of malicious code on the recipient’s system. Links or attachments are the common vehicles of choice to deliver malicious code. Embedded links to seemingly legitimate sites take advantage of vulnerable browsers to download and execute the code from a waiting server. Most email clients will reveal the link address when you hover over it with your mouse. You can also verify links (malicious or safe) through an online third-party database search. It pays to study links carefully and only click on links you know are safe.
Attachments are the other way of delivering malicious code, and they’re often buried in what looks like a legitimate attached document. People send attached pictures, PDFs, and Microsoft Office documents to each other all the time, so it’s not uncommon to encounter these files in an email. Don’t open attachments until you verify the message is legitimate, especially if it’s something you’re not expecting to receive.
Summary
Email is still one of the most prevalent means of communication for most organizations, especially now with many employees still working remotely. Therefore, cyber criminals will continue to use phishing and spear phishing as an attack vector against your systems and enterprise networks. Make sure you take the extra steps we discussed in this blog to verify the next questionable email that hits your inbox.
Need a cybersecurity risk assessment or phishing prevention training? Visit our Cybersecurity Services website today to learn more.