How to Recognize and Avoid Phishing Attacks
Phishing attacks come in many variants. Even if your organization has implemented state-of-the-art email filters, no technical control will stop 100% of phishing emails from reaching their intended recipients. Your best defense against these attacks is to arm yourself with information that prevents you from becoming a victim.
Failure to recognize and avoid phishing attacks can result in significant and even catastrophic consequences. Phishing is often a precursor to ransomware and/or extortion attacks that deprive businesses of access to their critical data and often expose that data. Customers may lose trust in a company’s ability to protect their sensitive information. The consequences of attacks that began with a single phishing email are sometimes so severe that targeted organizations cannot recover.
What is a phishing attack?
Phishing is a form of social engineering wherein the bad actor sends a deceptive email message instructing the recipient to take some ill-advised action. This might include divulging sensitive information, visiting a malicious site, or opening an infected attachment.
Phishing attacks generally target randomly selected individuals. For example, an attacker acquires a list of employees at a company and targets them with emails that include malicious links in the hope that some individuals will click on them. Spear phishing emails, on the other hand, target selected recipients based on their positions within an organization and information gathered from their digital fingerprint.
Anthony Reyes, Managing Director at Prescient, notes that spear phishing threat actors study their targets. They search normal web resources and the Deep/Dark web for information about their potential victims, often scraping it from social media platforms, company websites, press releases, leak sites, etc. Threat actors then use that information to craft targeted email messages that are more likely to elicit a response or click. Reyes encourages organizations and individuals to minimize this risk by reviewing their online information and minimizing their digital footprints.
Most phishing attacks also contain language that conveys a sense of urgency. Being on the lookout for this very common characteristic can help you recognize and avoid phishing attacks. A scammer’s goal is for the recipient to act hastily without giving sufficient thought to the scammer’s claims or taking the time to verify them. An employee may, for example, receive an email that appears to be from IT Security stating that their login credentials have been compromised and instructing them to immediately click a link in the message to log in and change their password before too much damage is done. But the link actually takes the victim to a malicious site that is made to look legitimate and is designed to steal their credentials.
How do phishing attacks bypass email filters?
State-of-the-art email filters designed to weed out malicious messages use artificial intelligence to “learn” which emails to block. For example, once an attacker has used a particular domain (e.g., @MyMaliciousDomain.com) to send a number of phishing emails, filters will begin blocking messages sent from that domain. New domains are, however, cheap and easy to get. Bad actors simply acquire new domains and restart their phishing campaigns. It takes time for the filters to recognize and begin blocking emails from those newly acquired domains.
Filters also scan messages for certain keywords that frequently appear in malicious emails. When those keywords are detected, the messages containing them are blocked. Scammers will also intentionally misspell those known keywords to get their messages through the filters. These spelling errors are often missed by humans as well. For example, scammers may replace the letter “l” with the number “1” – an intentional error that the recipient might overlook or chalk up to an unintentional typo.
What are some sure signs that help identify and avoid phishing attacks?
Unfortunately, not all nations are committed to arresting and prosecuting cybercriminals operating within their borders. Scammers in these countries can, with impunity, target their victims incessantly with a variety of phishing attacks. The upside is that English is not the first language of many of these foreign actors, and that shows in their phishing messages.
If an email includes obvious spelling and grammatical errors, chances are very good that it is either spam or a phishing message. These are perhaps the easiest malicious messages to identify. If they were from legitimate sources, they probably would not be rife with errors. Unfortunately, not all phishing emails are so easily detectable.
Identify potential phishing attacks by examining email addresses.
The address shown in the From field of an email is not necessarily the actual address of the sender. Attackers often “spoof” the From address to make it appear as though the message came from a trusted source.
One way to avoid phishing attacks is by looking at an email’s header to view the sender’s real address. How you do this differs depending on the email application you use, but you can easily find step-by-step instructions for your app online. For Outlook users, Microsoft has posted instructions that make it easy to view headers. Gmail users can find a how-to article here.
Another indicator that an email came from a scammer can be found in the Reply-to address field of the header. Often you will see a different address here than what’s in the From field. In fact, what you may see is gibberish. This is another sign that you’re dealing with a scammer—or at the least, that you are on a spam email list.
Examine links in emails to identify possible phishing attacks.
First, if there is anything about an email message that raises your suspicions, do not click on any links in that message without first verifying the email’s authenticity and confirming that it came from a trusted source. That said, you can do some of your own investigating and take a closer look at those links.
Avoid phishing attacks by examining the URL in any included link and looking for very subtle differences between the link and the actual URL of a legitimate site. Bad actors often slightly alter the spelling of a company name. You may encounter something like “qoogle.com” or “wallmart.com.” Use of the lowercase “q” in place of the “g” in Google is barely noticeable, as is the extra “l” in Walmart. Clearly, the email sender is attempting to deceive the recipient.
Links in emails often display URLs that differ from those of the actual sites to which you’d be taken if you clicked them. Hovering your mouse over a link should display the underlying URL. If it differs from the one in the email, this may indicate that an attacker is attempting to conceal the URL of a malicious site.
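The header and link checks described in the two sections above, automated over a constructed sample message, as an added example that is not part of the original article. It flags a Reply-To domain that differs from the From domain, link text whose host differs from the real destination, and destination hosts that are a character or two off from a trusted domain; the trusted-domain list, the sample message and the 0.85 similarity threshold are assumptions.

```python
import difflib
import email
import re
from email import policy
from urllib.parse import urlparse

# Hypothetical allowlist of domains the reader trusts (an assumption for this example).
TRUSTED = {"google.com", "walmart.com", "example.com"}

# Constructed sample modelled on the "IT Security" scenario in the article; not a real email.
RAW_MESSAGE = """From: IT Security <it-security@example.com>
Reply-To: x7q9zz@mail-relay-aaa.net
Subject: Your password has been compromised
Content-Type: text/html

<p>Log in now: <a href="http://qoogle.com/login">https://accounts.google.com/</a></p>
<p>Questions? <a href="https://example.com/help">example.com/help</a></p>
"""

# (href, visible text) pairs: what hovering reveals versus what the reader sees.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(value):
    # Lowercased host of a URL or a bare "domain/path" string ("" if none).
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def address_domain(header):
    # Domain part of "Name <user@domain>"; "" when the header is absent.
    return header.rsplit("@", 1)[-1].strip("<> ").lower() if header else ""

def lookalike(host):
    # Trusted domain this host imitates (qoogle.com -> google.com), else None.
    if host in TRUSTED or any(host.endswith("." + t) for t in TRUSTED):
        return None
    return next((t for t in TRUSTED if difflib.SequenceMatcher(None, host, t).ratio() >= 0.85), None)

def analyze(raw):
    # Returns (finding, detail, detail) tuples for the three checks the article describes.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom, reply_dom = address_domain(msg["From"]), address_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:  # Reply-To goes somewhere other than the From domain
        findings.append(("reply-to-mismatch", from_dom, reply_dom))
    for href, text in LINK_RE.findall(msg.get_body().get_content()):
        real, shown = host_of(href), host_of(re.sub(r"<[^>]+>", "", text).strip())
        if shown and shown != real:  # displayed URL differs from the actual destination
            findings.append(("link-text-mismatch", shown, real))
        if lookalike(real):  # one character off from a trusted domain
            findings.append(("lookalike-domain", real, lookalike(real)))
    return findings
```

Running `analyze(RAW_MESSAGE)` on the sample yields the three findings; a message that passes cleanly still deserves the phone-call verification the next section describes, since a compromised account produces perfectly consistent headers.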
What about phishing attacks from trusted senders?
On occasion, you may receive an email that looks like it’s from someone you know and trust, but that just seems a bit off. You examine the header, which indicates that the message is, in fact, from a trusted sender. But bear in mind that email accounts do get compromised. A hacker could have broken into the sender’s account and sent phishing emails to addresses from the contact list.
In this case, it’s a good idea to call the sender using a phone number you know to be correct (not one included in the suspicious email). Do this before you reply, before you click on any links, and before you open any attachments. If the sender confirms that the message is authentic, that’s great. If not, then you have avoided falling victim to a phishing attack and have let the sender know that a password change is in order.
Attachments are powerful tools in phishing attacks.
If anything about an email seems “phishy”, do not open any attachments. Attachments could infect your device or computer as well as your organization’s critical infrastructure. Devastating ransomware attacks are frequently launched using malware-infected email attachments. Follow your organization’s process for reporting the email or, if no process exists, permanently delete the suspicious message and attachment(s).
Scammers come up with new phishing attack variants daily, so stay informed.
Here are three examples of new phishing attack variants recently observed by security pros:
- Hijacking virtual meetings – Hackers commandeer an email account, then use it to join or create virtual meetings where they either collect sensitive data or divert company funds to their accounts.
- Phishing with bait – Bad actors are sending emails with little or no content to random addresses. Some of these messages include nothing but the word “hi” in the subject line. If the scammer receives an auto-reply indicating the address is not valid, it gets crossed off the list. If a real person replies, the criminal knows he’s found a target willing to communicate. Some message recipients actually try to engage the attackers in conversations. These are high-value targets.
- Customer complaints – An employee receives an email that appears to be from HR or a manager indicating that a customer has filed a complaint. The “complaint” is attached and must be reviewed by the employee immediately. The employee opens the infected attachment and releases malware into the environment.
These are but a few examples of the creativity exhibited by cybercriminals. New variants and strategies emerge daily. It’s a good idea to keep up with the latest emerging threats, so you can stay skeptical and avoid phishing attacks even as new variants emerge. As always, if you need help combating a data breach or developing corporate security protocols that can protect you from a breach in the first place, BIA’s experts are ready to help, so reach out today.