Don't get hooked on a phish email!
In the early days of computer security, a breach meant someone had physically gone through an organization’s layers of security to get the information they wanted to steal. This process was very time-consuming, sometimes taking months or even years.
- Your password is expiring. Click the link to change it or keep using the same one.
- You’ve earned free rewards points. Click the link to see your new points balance.
- Want a free gift? Answer a few simple survey questions and your feedback could be worth <prize>.
- <Person name> has shared a file with you. Click the link to download it.
More often than not, clicking the link takes the user to a spoofed login page that looks exactly like, or extremely similar to, your organization’s login page and asks you to log in to continue. Once the user provides their login credentials, they are taken either to a legitimate page or to a “page not found” error.
- If you receive an email that seems suspicious, the first question you should ask yourself is “Is this email the kind of email I would expect to receive from this sender?”
  - If you get a password-expiring email from bob.smith@bobstiresandauto.com, ask yourself “Would someone at bobstiresandauto.com know when my password is expiring?” Very likely not!! This is most likely a compromised account whose credentials an attacker has obtained and is using to send phishing emails like this to many recipients.
  - If you answer NO to this question, report the email immediately using the provided method! Each organization may have a specific email address to forward the email to, or a quick button to click that automatically forwards the email to the appropriate individuals for investigation.
  - If users completed only this one step when dealing with a suspicious email, we would make a very significant cut in the number of email attacks that succeed.
- Check for spelling and grammar errors. In many instances, English is not the attacker’s primary language, and they will make simple spelling and grammar mistakes. Some common things to look for:
  - Attackers love making small replacements in words, such as replacing o’s with 0’s (Google vs. G00gle) or w’s with v’s (when vs. vvhen).
  - Most users read emails fast, and this causes their brain to automatically assume a word is spelled correctly when it is not. Take a few extra moments to read an email and look for this flag!
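The same character swaps that fool a fast reader can be undone by a mail filter before it compares a word or a sender domain against the names it protects. The block below is an added example written for this post, not code from the original author: the substitution table and the list of protected names are assumptions chosen for the demonstration, and the sample text is constructed.

```python
import re

# Lookalike substitutions seen in phishing text, listed as (fake, real).
# This table is an assumption for the example and is not exhaustive.
SUBSTITUTIONS = [
    ("vv", "w"),   # "vvhen" for "when"
    ("rn", "m"),   # "rnicrosoft" for "microsoft"
    ("0", "o"),    # "G00gle" for "Google"
    ("1", "l"),
    ("3", "e"),
    ("5", "s"),
    ("$", "s"),
]

# Brand and organization names worth protecting (constructed sample list).
PROTECTED_NAMES = {"google", "microsoft", "paypal", "school"}


def normalize(word):
    """Lowercase a word and undo the common lookalike substitutions."""
    w = word.lower()
    for fake, real in SUBSTITUTIONS:
        w = w.replace(fake, real)
    return w


def find_lookalikes(text):
    """Return (original_token, protected_name) pairs for tokens that only match
    a protected name after normalization. Tokens that already spell the name
    correctly are left alone, so 'Google' is fine but 'G00gle' is flagged."""
    hits = []
    # Split on anything that is not a letter, digit or '$' so that domains
    # such as rnicrosoft.com and addresses such as Paypa1@x.y yield their parts.
    for token in re.findall(r"[A-Za-z0-9$]+", text):
        norm = normalize(token)
        if norm in PROTECTED_NAMES and token.lower() != norm:
            hits.append((token, norm))
    return hits


# Constructed sample lines, not real messages.
SAMPLE_TEXT = "Your G00gle account needs attention. Sign in at rnicrosoft.com today."

if __name__ == "__main__":
    for token, name in find_lookalikes(SAMPLE_TEXT):
        print(f"{token!r} looks like {name!r}")
```

Normalization is only used for the comparison, never to rewrite the message, so a real word that happens to contain "rn" or a digit is not flagged unless the normalized form lands exactly on a protected name.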
- Sense of urgency? Many attackers want you to ignore my advice above, read through an email quickly, and act on it without thinking.
  - “Your account will be disabled if you do not change your password within 24 hours! Once disabled, you will no longer be able to log in and get your data.”
- Generic greeting – since phishing emails are sent to large numbers of recipients at a time, attackers usually include generic greeting lines.
  - “Dear Customer” or “Hello Friend” vs. “Dear Mrs. <Last name>”
- Conflicting information – attackers generate emails with certain information and then use compromised accounts to send that information to recipients. Sometimes there are obvious conflicts in the information.
  - The sending address is bob.smith@bobstiresandauto.com, but the email message is signed by a completely different name.
  - The email message says your Microsoft account password is expiring, but the sending address is not from Microsoft.
- No message, but includes an attachment – many organizations employ security tools that flag certain words and phrases in an email’s message body to indicate a suspicious email.
  - Attackers know this and send emails with an empty body that contain only an attachment; the attachment holds what looks like an email message, including links to click.
- URL destinations can be spoofed! When including a link in an email message, the link can be covered up by whatever words or phrases the attacker wants to use, i.e. “click here to review your info” instead of www.domain.com/youraccount/review…
  - BEFORE CLICKING ANY LINK, hover your mouse over the link. Don’t click, just hover. A small popup window should appear that shows the destination page you will go to if you click the link.
  - Make sure the destination page matches the intent of the email message, i.e. if the email is about your Microsoft password expiring, make sure the link goes to a Microsoft page or a page within your organization.
  - Can’t tell? Right-click the link and select Copy Hyperlink, then go to urlscan.io, paste the link into the search bar, and URLscan will use a sandbox browser to visit that page and tell you if it is safe or possibly malicious.
  - URLscan can also tell you about any redirects. A redirect happens when the link appears to go to a legitimate site, but somewhere in the processing of the URL it redirects to another site, usually one that is malicious and controlled by the attacker.
  - If you click a link, make sure you know what information is being requested and what information you are providing! No legitimate organization will ask you for your password. If you click a link and see a page like this, it is most likely a phish attempt:
  - Notice the red flags: use of 0 instead of O, random capitalized letters, requests for your username and password.
  - If you click a link and get to a page that looks like this, DO NOT PROVIDE ANY INFO!! Contact the sender and confirm the request!
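The hover check above compares what a link says with where it goes; a mail gateway can do the same comparison over every anchor in an HTML body. The block below is an added example for this post, not the author’s or any product’s code: it uses only the Python standard library, the trusted-domain list is an assumption, and the sample message body is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organization considers legitimate destinations for password
# mail (assumption for the example; a real filter would load an allow list).
TRUSTED_DOMAINS = {"microsoft.com", "school.edu"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; a scheme is assumed when the text has none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname or ""


def registered_domain(host):
    """Crude 'last two labels' domain: login.microsoft.com -> microsoft.com."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_links(html_body):
    """Return (href, reason) findings for links that deserve a second look:
    visible text that looks like a URL for one domain while the href goes to
    another, and destinations outside the trusted list."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_dom = registered_domain(host_of(href))
        # Visible text that is itself a URL or domain but points elsewhere.
        if "." in text and " " not in text:
            text_dom = registered_domain(host_of(text))
            if text_dom and text_dom != href_dom:
                findings.append((href, f"text shows {text_dom} but link goes to {href_dom}"))
                continue
        if href_dom not in TRUSTED_DOMAINS:
            findings.append((href, f"destination {href_dom} is not a trusted domain"))
    return findings


# Constructed sample body in the style of a password-expiry lure.
SAMPLE_BODY = """
<p>Your Microsoft password expires today.</p>
<a href="http://account-verify.example.net/login">click here to review your info</a>
<a href="https://secure-login.example.org/ms">https://login.microsoft.com/reset</a>
<a href="https://login.microsoft.com/reset">Reset password</a>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_BODY):
        print(f"{href}: {reason}")
```

The "last two labels" rule is deliberately simple and misjudges domains such as example.co.uk; a production filter would consult the public suffix list. The second sample anchor is the case the hover check catches by eye: the text is a microsoft.com URL, the link is not.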
- Watch out for spoofed email addresses! Attackers may spoof an account at your organization to make it look legitimate.
  - For example, say you work at an organization where your email address is username@school.edu and your supervisor’s name is Bob Smith.
  - Attackers may spoof this a bit and send you an email with a sending address of bob.smith.school.edu@gmail.com.
  - The signature block in the email will most likely be legitimate and the same signature block used by your supervisor. But not the email address.
- Sometimes malicious activity can start as a legitimate-looking email and escalate into something malicious.
  - One attack I’ve seen at my work many times is the gift card scam. Users receive an email that simply asks “Are you available? I need a favor.”, “Are you there?”, something like that. In and of itself this is not usually a red flag. At first, it would depend on the sender address. Sometimes it’s a generic email address like Mike1267@outlook.com or something like that from a free email provider. Other times the sender address looks like bob.smith.school.edu@gmail.com, which should be an IMMEDIATE red flag! However, users read over this so quickly they see it’s from their co-worker Bob Smith and click reply.
  - Their reply is something like “Of course! What can I do to help?”
  - Attacker replies with a sob story such as: “I am stuck in a meeting and can’t call. I need to get some gift cards for a birthday present for someone. Can you get me $300 of <gift card type like iTunes> cards, scratch off the codes and send me a picture of them? I’ll repay you tomorrow.”
    - One thing to watch out for here is a switch in emails!!! This is a popular tactic when attackers use compromised accounts to send phishing emails!
    - Once an attacker has “hooked” a target, they tend to switch the email they are using. The original email may come from bob.smith.school.edu@gmail.com, but when you clicked to reply the email was sent to a completely different email address.
    - This way, replies don’t go back to the compromised account, alerting the user that something may be wrong with their account because they are receiving replies to an email they never sent out!
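Both patterns described in the two items above (an organization domain buried in the local part of a free-mail address, and replies quietly routed elsewhere) are visible in the message headers; the reply switch is normally done with the Reply-To header, which mail clients honour over From when you press reply. The block below is an added example for this post, not the author’s code: the organization domain, the free-mail list and the staff directory are assumptions, and both sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "school.edu"                  # assumption for the example
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Constructed staff directory: lowercase display name -> real address.
STAFF = {"bob smith": "bob.smith@school.edu"}


def domain_of(address):
    """Lowercase domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_headers(raw_message):
    """Return a list of human-readable flags for a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    flags = []

    # bob.smith.school.edu@gmail.com: our domain hidden inside a free-mail address.
    local_part = from_addr.split("@")[0].lower()
    if ORG_DOMAIN in local_part and from_dom in FREE_MAIL:
        flags.append("org domain hidden in local part of a free-mail address")

    # Display name of a known colleague, but not their real address.
    expected = STAFF.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display name '{from_name}' but address is {from_addr}, expected {expected}")

    # The switch: replies will go to a different domain than the message came from.
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append(f"Reply-To {reply_addr} differs from From domain {from_dom}")

    return flags


# Constructed lure in the style of the gift card scam.
SAMPLE_SCAM = """From: Bob Smith <bob.smith.school.edu@gmail.com>
Reply-To: <acct-recovery-4471@outlook.com>
To: user@school.edu
Subject: Are you available?

Are you there? I need a favor.
"""

# Constructed legitimate message from the real supervisor account.
SAMPLE_LEGIT = """From: Bob Smith <bob.smith@school.edu>
To: user@school.edu
Subject: Meeting notes

Notes from today attached.
"""

if __name__ == "__main__":
    for flag in check_headers(SAMPLE_SCAM):
        print("FLAG:", flag)
    print("legit flags:", check_headers(SAMPLE_LEGIT))
```

The Reply-To check is the one most worth wiring into a gateway rule, because a reader sees the From line but almost never sees where the reply actually goes. A mismatch is not proof of fraud (mailing lists and ticket systems set Reply-To legitimately), so treat it as a reason to confirm with the sender out of band, as the tips later in the post recommend.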
- Different fonts used – emails can be created by simply copying and pasting. Sometimes attackers copy/paste things that aren’t in the same font, so you get an email that is 4 paragraphs long and each paragraph uses a different font.
  - Sometimes the font difference is extremely subtle. I’ve seen phishing emails before where different fonts are used on a single word in a sentence. Sometimes this is done intentionally to try and put emphasis on something, but other times it’s an oops the attacker made and is a red flag that this is a phishing attempt.
- Logos can also be an indication of a phishing attempt!
  - Attackers are making phishing emails look much more realistic, which makes it harder to determine whether the email is legitimate.
  - Can you spot a fake logo?
  - Test your skills on the 2 examples below! Answers are at the end of the post.
Some tips to keep you safe:
- If you receive a suspicious email and you know the person “sending” it, don’t reply to the email! Contact that person directly and ask them to confirm that they sent the email and/or requested the information it asks for.
- Know how to report phishing emails!! Internet email providers like Gmail, Hotmail, Yahoo, etc. have different ways of reporting phishing emails. Be familiar with your provider’s process!
- When in doubt, report the email! If you are not 100% sure that the sender/link/attachment is legit, don’t do anything except report the email using your reporting process.
- Take a few extra moments to review an email that asks you to do something relating to your password, credit cards used for payments, banking details, etc. or to provide personal information to the sender like phone number, address, etc.
- Rushing through an email and acting without thinking is exactly what the attacker wants you to do. Slow down and read every word and think about what is being asked of you!
When reading/replying to emails, YOU ARE IN CONTROL!!! You control what to send and who to send it to. Attackers try to take that control away by making you act before thinking! Take a few extra moments to review the email before acting on it. Those few moments could save you a lot of time, money and headaches!
Until next time…..Code Geek out!!
Logo challenge:
B is the correct Google logo (the color order matters)
A is the correct Starbucks logo (the star on the image head is filled in)