Phishing continues to be one of the largest threats facing enterprises today, both in terms of network security (95% of attacks are the result of successful spear phishing) and financial loss (companies have been scammed out of over $2 billion in the past two years). Fortunately, user education can go a long way in helping to reduce the risk of these scams. The more users are aware that these types of attacks exist, the more examples they see and the more tips they receive for how to identify them, the less likely they are to fall victim.
That said, let’s take a look at some common types of phishing attacks, along with tips for how to spot them.
Scenario 1: You Get an Email from Someone You Don't Know
Does the email address seem suspicious?
I would argue the most important first step to spotting a phishing email is to look at the source. Before you go diving into the email contents, take a step back and look at who sent it.
If you’re not familiar with the sender, take a hard look at the address. And, I don’t just mean the display name; look at the actual address and domain as well. Does it look suspicious? Of course, “suspicious” can be pretty objective, but some common red flags include misspelled words, nonsensical strings of letters and numbers and display names that don’t match the mailto address.
Take a look at an example email I received below. The sender name is nonsensical and doesn’t match the mailto and I didn’t recognize the domain name. It seems pretty suspicious to me and I would not click on anything in that email. However, if I hadn’t stopped to inspect the address, I could have got caught up in the urgency of the message – ignore them and my laptop will be “unrecoverable forever”?! But, that’s exactly what these hackers want you to think. They’re playing off your emotions to distract you from the indicators that this is a fake email.
What does the email contain? Were you expecting it?
Okay, so what if you get an email from someone you don’t know, but the sender address isn’t throwing up any red flags? Depending on your role and the type of organization you work for, it might not be that uncommon for you to receive legitimate emails from new contacts.
Rather than trying to list out ways to know whether these emails are legitimate, (since this will largely depend on the situation), it might be more helpful to point out some things to look for that should make you approach with caution. I’ll use the following email I received as an example.
This email set off my phishing radar immediately because it was unsolicited. I’m not familiar with the company and I certainly haven’t ordered anything from them. There’s no way I’m downloading that attachment.
It may seem obvious from an outsider perspective, but asking this simple question – “Was I expecting this email?” - can help you spot a number of potential attacks right off the bat.
Other tips for spotting phishing emails from unknown senders
The example above contains a number of other red flags that indicate it could be a potential phishing email. Keeping an eye out for these types of indicators can help you identify malicious emails before falling victim.
- Vague subject line – no reference to the order number, product etc.
- Grammar - repeated use of “please” in the body of the email, sentence is awkwardly worded.
- Lack of personalization – the greeting only says “Hi”, which is somewhat strange for such a specific email (i.e. not a mass send).
- Lack of details - very simply stated, no product or service details are given, no reference to a mutual contact.
- File name – the name of the invoice isn’t specific to a project or company, no details given at all.
- Email signature mismatch – the details of the email signature don’t match the sender details (e.g. name, email address).
Scenario 2: You Get an Email from Someone You "Know"
I’ve put “know” in quotes because we’ve shown in the past just how easy it is to create a spoofed email address. It’s important to note that an attacker can spoof email addresses already in use, so even if the email appears to come from someone you’ve already emailed with, it is always good to be careful of links and attachments.
For example, I received the email below from “email@example.com”, although it was not actually sent by someone at GlobalSign.
So if you can’t rely on the sender address to indicate it’s a fake email, what can you do?
Check for a Digital Signature
It’s no secret that we recommend digitally signing all company emails. Digitally signing an email ties a person’s third-party-verified online identity to their email communications. This means if you receive a digitally signed email from someone you know, you can be confident that the email actually came from them and not a phisher.
How can you tell if an email has been digitally signed?
Most enterprise email clients clearly indicate if an email has been digitally signed. For example, Microsoft Outlook includes a red ribbon.
Clicking the ribbon brings up additional information about the signer and the certificate used to apply the signature, so you can further validate the signer’s identity.
ALWAYS Check the Link Before You Click
Phishers love to hide malicious links in hypertext. You should always view the destination address (e.g. by mousing over it) before clicking anything. In the earlier example about the virus outbreak, you’ll see the link directs to a suspicious URL – “http://globalsign.uk.virus-control.com/...”, which is not a legitimate GlobalSign web property.
Sanity Check Any Attachments
Similar to what I said above, it’s helpful to take a step back and ask yourself if it makes sense for this person to be sending you this type of file. You got an email from “HR” with an attached PDF outlining your company’s new health insurance plan…when you know you just switched plans a couple months ago? “Finance” sends out a spreadsheet detailing first quarter results…when they’ve never sent them in that format before? This kind of logic check can go a long way in combating some of these types of targeted attacks.
Be Wary of "False Legitimizers"
Phishing attacks have grown increasingly sophisticated in recent years. Take a look at the earlier virus outbreak email again, for example. In addition to the spoofed company address, there are some other factors designed to make the email seem more legitimate:
- A domain was registered (virus-control.com) to imply that the malicious URL belongs to an authentic anti-virus company.
- A real brand name of an anti-virus company, Kaspersky, was incorporated into the URL to impart false assurance (see red highlighted box above).
- The urgency of the messaging – flagging it as high importance, use of “at the earliest” within the copy.
These extra features make it even more difficult to spot phishing emails and highlight the importance of taking a minute to think before clicking or downloading anything.
When in Doubt – Don't Click!
If you’re still not sure if the email is legitimate, we urge you to err on the side of caution. Some phishing attempts can be quite sophisticated, involving detailed knowledge of the target and the company and can be difficult to spot. It never hurts to double check with the sender before you click any links or download any attachments. Your IT department may also be able to help you determine if an email is safe. If in doubt, forward any suspicious emails to your IT/IS department, so they can verify if the email is valid and are aware of it if it is a phishing attempt.
Want to know more about how to fight the threat of phishing? Check out our upcoming Webinar July 27: Email Security Using Digital Signatures & Encryption.