An individual’s lack of awareness and inability to identify social engineering attacks can lead to a security breach or financial loss. Hence, the human is often regarded as the weakest link in information security. Increasingly, phishing (a social engineering technique) has become the attack vector of choice. According to CSO Online, in the first quarter of 2016 alone, 41 businesses reported being victims of phishing attacks targeting employee tax records (Ragan, 2016).
More on Phishing
According to the Anti-Phishing Working Group (2016), phishing is a criminal mechanism for stealing consumers’ personal identity data and financial account credentials. Phishing attempts usually appear as spoofed e-mails purporting to be from a known associate, business, agency or colleague. They are crafted to lead consumers to reveal sensitive information, such as the credentials to an online banking account. This can be done by leading victims to a fake login page or, in some cases, by planting malware on the victim’s computer through a drive-by download.
Fig 1. Industries most targeted by phishing in the 2nd quarter of 2016 (APWG, 2016)
Types of Phish
1. Spear phishing
Spear phishing refers to a phishing scam that targets a specific individual or a small group of individuals. Before crafting a genuine-looking email, the attacker collects as much information about the target as possible (role, colleagues, current projects, writing style), which increases the success rate of the attack. This kind of attack usually has a specific objective, since it is aimed at an individual or a small group rather than sent in bulk.
The term “whaling” is used to describe phishing attacks (usually spear phishing) directed specifically at executive officers or other high-profile targets within a business, government, or other organization (Indiana University, 2016).
How to detect Phishing emails
Fortunately, there are some characteristics you can look out for in emails. These traits allow you to discern between a legitimate request and a phishing attempt. No single trait is conclusive on its own; a well-crafted phish may show only one or two of them, so weigh them together.
1. Emails with urgent action required.
One of the most effective ways to persuade users to click on a malicious link is to tell them that action is required to regain access to an account that has supposedly been suspended. Hence, most phishing emails include an urgent “call to action” to make the reader act immediately, i.e. click the link. Pay attention to, and be skeptical of, emails that claim your account has been suspended. If possible, open a separate browser window, type the institution’s address yourself and verify the claim there rather than following the link in the email.
2. Similar, but wrong official address.
To deceive victims, attackers often use an email address that is similar to the real one. For example, if the official email address of CMU’s Office of the Registrar is email@example.com, an attacker might use an address such as firstname.lastname@example.org. Keep an eye out for suspicious-looking email addresses, and check the actual address rather than only the display name, since a sender can set the display name to anything. If possible, verify the authenticity of a suspicious-looking email address before replying with sensitive information.
3. Generic greeting.
Because most phishing emails are sent in bulk, they are not personalized and start with a generic greeting such as “Dear Customer” or “Dear Member”. If you receive an email that starts this way, stay cautious and look for other indicators that the email is a phish.
4. Spelling errors, grammatical errors, or inferior graphics.
Poorly crafted phishing emails are often riddled with spelling and grammatical errors, or use low-quality copies of a company’s logos. If an email notice from a bank is full of such errors, it is very likely a phishing email. The converse does not hold: a well-written email with polished graphics can still be a phish, especially a spear phishing one.
5. Link to a fake web site.
Most phishing emails require the reader to click on a link provided by the attacker. To steal the victim’s credentials, the attacker inserts a link that leads to an official-looking website under the attacker’s control. This website usually includes a login screen that captures the username and password the victim types into it. These websites often have URLs or domains that resemble the real site. For example, Amazon’s official webpage is https://www.amazon.com/, and an attacker might host a fake login page at http://amazon.net. Keep in mind that the visible text of a link can differ from where it actually leads; hover over the link, or inspect the message source, to see the real destination before clicking. If possible, open a new browser window and use a search engine or a saved bookmark to reach the real domain and login page.
6. Understand that established institutions will never ask you for sensitive information.
Established institutions such as banks will never ask you for your account password or additional credit card information by email. For example, the Internal Revenue Service does not initiate contact with taxpayers by email to request personal or financial information. So, if you receive an email from the IRS asking for personal information, it is very likely a phishing email.
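As an added example (not code from the article or from any of the sources it cites), the following Python script applies the six indicators above to a raw e-mail. It parses the From header with the standard email library, checks the sender’s and every link’s domain against a constructed allowlist (TRUSTED_DOMAINS) with an edit-distance lookalike check, compares the visible link text with the real href, and runs keyword matches for urgency, generic greetings and credential requests. The allowlist, the keyword patterns, the three-indicator threshold and both sample messages are assumptions made for illustration, not values from the article.

```python
# Added example (not from the article or a cited source). TRUSTED_DOMAINS, the
# keyword patterns and both sample messages below are constructed for illustration.
import email
import re
from email import policy
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"amazon.com", "cmu.edu"}   # constructed allowlist of real domains you deal with
INDICATORS = {                                  # indicators 1, 3 and 6 are keyword matches
    "URGENCY": re.compile(r"(suspended|within 24 hours|immediately|act now|will be closed)", re.I),
    "GENERIC_GREETING": re.compile(r"\bdear\s+(customer|member|user|account holder)\b", re.I),
    "CREDENTIAL_REQUEST": re.compile(r"\b(password|social security|ssn|credit card|pin)\b", re.I),
}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # good enough here;
TAG = re.compile(r"<[^>]+>")                                                  # use an HTML parser on real mail
URL = re.compile(r"https?://\S+")


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 covers amaz0n/amazon or paypa1/paypal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host, trusted=TRUSTED_DOMAINS):
    """Trusted domain that `host` imitates (indicators 2 and 5), or None if `host` is trusted or
    unrelated. Last two labels stand in for the registrable domain; use the public suffix list in production."""
    host = host.lower().rstrip(".")
    dom = ".".join(host.split(".")[-2:])
    if dom in trusted:
        return None
    sld = dom.split(".")[0]
    for t in trusted:
        tsld = t.split(".")[0]
        if (sld == tsld                                 # amazon.net for amazon.com
                or edit_distance(sld, tsld) == 1        # amaz0n.com
                or tsld in re.split(r"[.-]", host)):    # amazon.com.verify-now.net, secure-amazon.com
            return t
    return None


def analyze(raw):
    """Return (indicator, detail) pairs that fire for one RFC 5322 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]              # the real address, not the display name
    imitated = lookalike(sender.domain or "")
    if imitated:
        findings.append(("SENDER_LOOKALIKE", f"{sender.addr_spec} imitates {imitated}"))
    part = msg.get_body(preferencelist=("html", "plain"))
    content = part.get_content()
    if part.get_content_type() == "text/html":
        links = [(href, TAG.sub("", shown).strip()) for href, shown in ANCHOR.findall(content)]
        text = TAG.sub(" ", content)
    else:                                          # plain text: a URL is its own anchor text
        links, text = [(u, u) for u in URL.findall(content)], content
    for code, pattern in INDICATORS.items():
        match = pattern.search(text)
        if match:
            findings.append((code, match.group(0)))
    for href, shown in links:                      # indicator 5: where the link really goes
        target = urlparse(href).hostname or ""
        shown_host = urlparse(shown).hostname
        if shown_host and shown_host != target:
            findings.append(("LINK_TEXT_MISMATCH", f"shows {shown_host} but goes to {target}"))
        imitated = lookalike(target)
        if imitated:
            findings.append(("LINK_LOOKALIKE", f"{href} imitates {imitated}"))
    return findings


def is_phish(raw, threshold=3):
    """Crude verdict: three or more distinct indicators firing together."""
    return len({code for code, _ in analyze(raw)}) >= threshold


PHISH = """\
From: "Amazon Customer Service" <security@amazon.net>
Subject: Your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p><p>Unusual activity was detected and your account has been
suspended. Verify your password within 24 hours or the account will be closed.</p>
<p><a href="http://amazon.net/login">https://www.amazon.com/signin</a></p></body></html>
"""   # constructed sample showing indicators 1, 2, 3, 5 and 6

LEGIT = """\
From: "Amazon.com" <shipment-tracking@amazon.com>
Subject: Your order has shipped
Content-Type: text/plain; charset="utf-8"

Hello Alice, your order shipped today. Track it at https://www.amazon.com/orders
"""   # constructed sample of a legitimate notification

if __name__ == "__main__":
    print(analyze(PHISH), is_phish(PHISH), analyze(LEGIT), is_phish(LEGIT))
```

Running the file shows the constructed phish tripping indicators 1, 2, 3, 5 and 6 (the spelling-error indicator is deliberately not automated, since a well-written phish is common) while the legitimate notification trips none. The registrable-domain logic takes the last two labels of a hostname, which is wrong for country-code suffixes such as co.uk; real tooling should consult the public suffix list, and the keyword lists would need tuning against your own mail to keep false positives down.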
Here are some examples to illustrate common characteristics that you can look out for.
Fig 2. Phishing Email Characteristics (Paychex, 2016)
Fig 3. Phishing scam purporting to be from the IRS (University of Memphis, 2016)
Fig 4. Phishing email purporting to be from Amazon (Sheridan College, 2016)
If you are still unsure …
If you are still unsure or do not entirely trust your ability to detect phishing emails, there are still some precautions you can take to stay safe.
1. Anti-Phishing Software
You can install anti-phishing software to help you detect phishing emails. PhishTank SiteChecker and GFI MailEssentials are examples of such software, and some antivirus products also feature built-in phishing detection. Treat these tools as a safety net rather than a guarantee: they rely on blocklists and heuristics, so a fresh phishing site will not always be caught.
2. Contact the customer call center to verify the email.
A call center or customer care line is a reliable source of information. So, when you are not certain of an email’s authenticity, call the respective hotline to verify the message before you click on a link or open an attachment. Find the company’s hotline through a search engine or from the number printed on your card or statement; never use a phone number supplied in the suspicious email itself, since the attacker controls that number too.
3. Report the phish to your organization.
It is possible that the phishing email you received is a precursor to a larger attack. For example, the Target data breach began with a phishing email sent to an employee of Target’s HVAC vendor. The stolen credentials were used to get into Target’s network, after which the attackers exfiltrated payment card data to servers they controlled. The breach might have been avoided had the phishing email been detected earlier in the kill chain, which is why your security team needs to hear about a phish even if you did not click on it.