A phishing email is typically the starting point for many cyber attacks. While spam filters, whitelists, and anti-virus programs do an adequate job of keeping these emails from passing through to end users’ inboxes, there are still plenty of emails that make it through. Now, with the COVID-19 pandemic, many organizations have shifted to a remote workforce, and scammers are working even harder to get you to fall for their schemes.
In this blog, we’ll take a deeper dive into the anatomy of a phishing email and how you can prevent yourself and your organization from becoming victims.
Why do users keep falling for the bait? According to one study, participants were consistently overconfident when it came to detecting phishing emails. But the reality is that a lot of these emails are so well crafted that they look like messages users typically trust from brands they know well. These aren’t emails coming from fraudsters posing as Nigerian princes.
Twenty-two percent of breaches in 2019 involved phishing, Verizon reported in its 2020 Data Breach Investigations Report. While security awareness training can help limit the rate and/or impact of phishing attacks, “in some instances, this training appears to be either not carried out at all or delivered in an insufficient or inadequate manner,” the report noted. In other words, telling employees not to click on phishing emails isn’t enough.
Still, if you take extra time and pay attention to the details of an email, there are often very clear red flags you can spot in a phishing or spear phishing email.
Here are five specifics you can watch out for.
1. Sender Details
It’s difficult to tell if an email is safe purely from the visible sender info. Threat actors who send phishing emails can put misleading details in an email’s “From” field to make it look legitimate. A savvy user will examine the full email headers, not just the displayed sender, to verify the true origin of the email. However, a phishing email can also come from the email account of someone you know: phishing campaigns spread by using a previous victim’s email client to forward the scam to more victims in their contact list.
Beyond simply verifying the sender, you need to ask yourself:
- Is this the type of content I would normally see from this person?
- Would they be likely to send me only a link or a one-line “get rich quick” offer with no other context or content?
Making a quick phone call or sending out a separate email to that person can make all the difference in avoiding a compromise.
It’s also important to compare the sender’s email domain with the displayed sender name. For instance, reputable companies, especially well-known larger brands, won’t use free public email services like Gmail for official communications. So an email address like BankofAmerica@gmail.com is a dead giveaway that the message isn’t real.
2. Subject Lines
Emails, whether from a legitimate organization or a threat actor, often feature a catchy subject line to get readers’ attention. There is no definitive way to determine the validity of an email from the subject line alone. However, suspicious subject lines with misspellings, all capital letters, and offers that sound too good to be true can be yet another indicator of a phishing email. Spear phishing email subject lines are more specific to the intended victim’s environment. End users need to be aware of how these work and what to look for, such as urgent requests to review a file, transfer money, and so forth.
Many common phishing email subject lines include an offer of money to attract as many victims as possible. Beware of emails promising you money or other rewards “if you act fast!” This is a favorite social engineering technique threat actors use to get people to act without thinking.
The content of the email can provide many telltale signs that you’re dealing with a phishing scheme. When it comes to emails from a known organization, logos and names can be impersonated by malicious hackers, so don’t rely on them to judge the legitimacy of an email. Pay attention to the greeting and compare it to any previous emails you might have from that organization. Are you being addressed the same way as in the previous emails? For example, your bank probably addresses you by the name on your account, while your friends and colleagues might call you by a nickname. If your bank is addressing you differently than normal in an email, it can be a sign something’s “phishy.”
Next, pay attention to the grammar and spelling. This is often a huge red flag. Legitimate organizations typically don’t make glaring errors in their communications. And most, if not all, legitimate organizations will never ask you to supply confidential information or your username and password via email.
You also need to confirm the overall context of the message. Phishing emails are designed to get the victim to reveal private or sensitive information. Be highly suspicious of requests for passwords, account numbers, or verification of sensitive information. Additionally, be aware of any implied sense of urgency in the message. It’s common for threat actors to push you into acting quickly without thinking or verifying the validity of the message. This might take the form of a monetary reward or, conversely, a threat of penalties if action isn’t taken within a specific timeframe.
Your service providers are highly unlikely to ask you for information of this nature in an email. Even if the email appears legitimate, you should always make a phone call to the alleged sender organization to verify any request before providing sensitive or private information.
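The subject-line and message-content cues from the last few sections (all-capitals subjects, urgency and reward language, requests for credentials, and a greeting that does not match how the organization normally addresses you) can be expressed as simple rules. The script below is an added example and is not code from the original post; the phrase lists and the two sample messages are constructed, and `expected_name` is an assumed parameter standing in for the name the real organization uses in its previous, legitimate mail.

```python
# Constructed phrase lists for the example; production filters use much larger,
# maintained lists and usually a trained classifier on top of rules like these.
URGENCY_PHRASES = ("urgent", "act now", "act fast", "immediately", "within 24 hours", "suspended")
REWARD_PHRASES = ("you have won", "prize", "reward", "claim your", "free money")
SENSITIVE_REQUESTS = ("password", "username", "account number", "social security",
                      "verify your identity", "confirm your account")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "dear account holder")


def is_shouting(text, threshold=0.6):
    """True when most letters in text are capitals (an ALL CAPS subject line)."""
    letters = [c for c in text if c.isalpha()]
    if len(letters) < 4:
        return False
    return sum(c.isupper() for c in letters) / len(letters) > threshold


def _hits(text, phrases):
    """Phrases from the list that occur in text, case-insensitively."""
    lowered = text.lower()
    return [p for p in phrases if p in lowered]


def score_message(subject, body, expected_name=None):
    """Return the list of red flags raised by a subject line and body text.

    expected_name is how the legitimate organization normally addresses you
    (assumed to be known from earlier mail); when given, a greeting that does
    not use it is flagged. A generic greeting is flagged regardless.
    """
    flags = []
    if is_shouting(subject):
        flags.append("subject line is mostly capital letters")

    text = subject + "\n" + body
    for label, phrases in (("urgency", URGENCY_PHRASES),
                           ("reward / too good to be true", REWARD_PHRASES),
                           ("request for sensitive data", SENSITIVE_REQUESTS)):
        hits = _hits(text, phrases)
        if hits:
            flags.append(f"{label}: {', '.join(hits)}")

    # The greeting is the first non-empty line of the body.
    lines = [line.strip() for line in body.splitlines() if line.strip()]
    greeting = lines[0].lower() if lines else ""
    if any(g in greeting for g in GENERIC_GREETINGS):
        flags.append(f"generic greeting: {lines[0]!r}")
    elif expected_name and expected_name.lower() not in greeting:
        flags.append(f"greeting {lines[0]!r} does not use the expected name {expected_name!r}")
    return flags


# Constructed samples (not real mail).
PHISH_SUBJECT = "ACCOUNT SUSPENDED - ACT NOW"
PHISH_BODY = ("Dear valued customer,\n\n"
              "Unusual activity was detected. Confirm your account immediately by replying "
              "with your username and password, or access will be removed.\n")
LEGIT_SUBJECT = "Your March statement is ready"
LEGIT_BODY = "Hi Alice,\n\nYour March statement is now available in online banking.\n"

if __name__ == "__main__":
    print("phish:", score_message(PHISH_SUBJECT, PHISH_BODY, expected_name="Alice"))
    print("legit:", score_message(LEGIT_SUBJECT, LEGIT_BODY, expected_name="Alice"))
```

Rules like these produce false positives on legitimate urgent mail (a real fraud alert also says "suspended"), so they work best as inputs to a score or as prompts for the phone-call verification the text recommends, not as an automatic block.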
5. Links and Attachments
Phishing and spear phishing emails are often designed to implant some type of malicious code on the recipient’s system. Links and attachments are the common vehicles of choice to deliver malicious code. Embedded links to seemingly legitimate sites take advantage of vulnerable browsers to download and execute the code from a waiting server. Most email clients will reveal the real link address when you hover over it with your mouse. You can also check a link against an online third-party reputation database before visiting it. It pays to study links carefully and only click links you know are safe.
Attachments are the other way of delivering malicious code, and they’re often buried in what looks like a legitimate attached document. People send attached pictures, PDFs, and Microsoft Office documents to each other all the time, so it’s not uncommon to encounter these files in an email. Don’t open attachments until you verify the message is legitimate, especially if it’s something you’re not expecting to receive.
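The hover check and the attachment caution from this section can be written as code. The script below is an added example, not code from the original post: it extracts every link from an HTML message body with the standard library `html.parser`, compares the domain shown in the link text with the host the link actually points to, flags links to bare IP addresses, and inspects attachment file names for executable or macro-enabled types and for a document extension placed in front of the real one. The extension lists and the sample HTML are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lists for the example; tune them to your own mail policy.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def inspect_links(html):
    """Return red flags for links whose real target differs from what the reader sees."""
    collector = _LinkCollector()
    collector.feed(html)
    flags = []
    for href, text in collector.links:
        target = _host(href)
        # A raw IP address instead of a host name is unusual for a legitimate brand site.
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", target):
            flags.append(f"link to a bare IP address: {href}")
        # If the anchor text shows a domain, it must match the real target host
        # (the same comparison a user makes by hovering over the link).
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown:
            shown_host = shown.group(1)
            if target != shown_host and not target.endswith("." + shown_host):
                flags.append(f"link text shows {shown_host} but points to {target or href}")
    return flags


def inspect_attachment(filename):
    """Return red flags for an attachment file name (risky type, double extension)."""
    parts = filename.lower().split(".")
    flags = []
    if len(parts) < 2:
        return flags
    ext = "." + parts[-1]
    if ext in RISKY_EXTENSIONS:
        flags.append(f"{filename}: executable, script or macro-enabled type ({ext})")
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        flags.append(f"{filename}: document extension placed before the real extension")
    return flags


# Constructed sample body (not a real message). Only the third link is honest.
SAMPLE_HTML = """\
<p>Dear customer, please <a href="http://203.0.113.10/login">sign in</a> to restore access.</p>
<p>Or go directly to <a href="https://secure-login.example.net/bank">https://www.bank.example/security</a>.</p>
<p>Help centre: <a href="https://www.bank.example/help">www.bank.example/help</a></p>
"""

if __name__ == "__main__":
    for flag in inspect_links(SAMPLE_HTML):
        print("link:", flag)
    for name in ("Invoice.pdf.exe", "statement.pdf"):
        print("attachment:", inspect_attachment(name) or [f"{name}: no name-based flags"])
```

The text-versus-target comparison only fires when the visible text contains a domain; a link labelled "sign in" gives the reader nothing to compare, which is exactly why hovering (or a tool like this) is needed. A clean file name says nothing about the file's contents, so the attachment check is a first filter, not a substitute for scanning.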
Email is still one of the most prevalent means of communication for most businesses, especially now with many employees still working remotely. Therefore, cyber criminals will continue to use phishing and spear phishing as an attack vector against your systems and enterprise networks. Make sure you take the extra steps we discussed in this blog to verify the next questionable email that hits your inbox.