February 17, 2021
What’s the number one choice for an initial attack in the hacker’s playbook? Phishing emails. Still are, and always will be.
Phishing is a time-proven and efficient way to gather intelligence and distribute malware. According to Google’s Safe Browsing, 2,145,013 phishing sites were registered as of Jan 17, 2021.
There are now 75 times more phishing websites than malware sites, which once dominated the space. This is a paradigm shift we all should acknowledge. 96% of all phishing comes from email, which is another good reason to learn more about this type of attack.
We will overview how to identify malicious phishing emails in the shortest time possible in this blog post.
Identifying phishing ultimately comes to the basics, so let’s start with the definition.
An email phishing attack is a scam where a malicious party tricks the targeted user into giving out their login credentials or compromises the user’s device with malware.
The first scenario usually happens when the victim types their own credentials into a spoofed form. The second one comes after the target engages with links placed inside the email or downloads Office and PDF attachments. Nowadays, phishing emails predominantly carry other malicious content - Windows executables and script files.
When opened or downloaded, attachments can hijack credentials saved in the browser or a notepad file on the desktop. It depends on the proficiency of the targeted user...
But that is the end game.
How do the hackers develop their phishing attacks to get the attention and, most importantly, interaction from the user? What drives people to make a mistake?
Now that we know what phishing is in rough terms, we need to visualize it better and understand how it behaves in the wild.
There are no limitations on who the phishing may appear to come from, which makes it extra sneaky. And although phishing comes in various forms, we can still break it down into two distinct categories, based on who it is addressed to.
A traditional phishing email is more likely to spoof a legitimate platform like Amazon, Google, or Netflix and targets a larger audience.
On the other hand, spear phishing is crafted and personalized to target a company or a particular individual working there. It could be anyone from the CEO to the person who manages wire transfers. Some spear phishing emails impersonate authority figures to gain more trust or even pressure the victim into urgent actions, a strategy often described as whaling or CEO fraud.
All sophisticated phishing scams are designed to look like reputable entities sent them.
The game is rigged from the beginning, and there’s no option not to play.
People like to repeat that the adversary only needs to be successful once to succeed, while those who oppose the attack have to be right all the time.
This is far from being fair, but it is true.
Sometimes one click is enough, and sometimes no click is needed at all to lose. You had better not ‘investigate’ a suspicious email at all if your alarm bells go off at the subject line. Remember that your emotions can also be played with, as social engineering is the foundation of all phishing email attacks.
There are many psychological levers used to lure unsuspecting victims. Curiosity, fear, urgency, reward, entertainment, and opportunity were named the primary motivational factors in phishing emails in the PhishMe report.
Emotional connection helps to manipulate people into revealing their personal information, login credentials, or even commit to wire transfers. It’s pretty worrying that simple words can make us do things we would not do under normal circumstances.
Consider the words ‘important’, ‘urgent’, ‘attention’, ‘payment’, or ‘request’ to be big red flags. Those are designed to push you to the edge and switch your attention from the actual danger.
If your company abuses the words listed above in their email communication, there’s a good chance it does not have a refined phishing response policy, if any at all.
Let’s elaborate on why the companies need to take an interest in that.
When people click faster, they’re calling for a disaster.
From the Proofpoint report, we know that half of the victims click on the phishing email within an hour, while a quarter of clicks happen in the first five minutes, from mobile devices.
And even though there’s a clear incentive for hackers to perfect their phishing campaigns, a lazy template and outright embarrassing email copy usually delivers all the passwords and usernames they need.
After stealing one user’s credentials with a spear phishing attack, the hacker could target other users and escalate privileges. That’s how attackers get to personal data of employees, product roadmaps, sales projections, insurance claims, and credit card information.
Under these circumstances, phishing awareness becomes a team effort, or else you’re playing a house of cards in a windy park on a Wednesday afternoon.
In case no such training is expected to come to your company anytime soon, it is high time to find out how to detect a phishing attack yourself, protect your data and avoid the misfortune of losing your hard-earned money.
Despite a positive success ratio for hackers, it is not ‘mission impossible’ to identify a phishing email in most cases.
To effectively spot a phishing scam, you need to pay attention to the details, be skeptical, and approach every email you get with a healthy dose of criticism.
Here are just three tips for you to sense malicious signals:
Hackers spoof the domain of recognized and established brands in half of their email attacks to trigger your attention.
Always remember that companies will never ask about your login credentials by email, SMS, phone call, or even in person, so you should never reveal that information to anyone online.
“Security update” scams that encourage you to change the password are widespread and should not be taken seriously unless verified in person by an administrator.
A public email address is also a sure-fire giveaway of a scam, and a lazy one too. Look over the ‘From’ section of the email, not only its headline.
Telling someone to outright stay away from clicking on links is borderline counterproductive.
People need to do their jobs and do it fast, or else they will have some more pressing issues hanging over their heads. But there’s still a way to minimize the risk and inspect a potentially malicious element without any technical equipment.
Experienced users already know about the ‘hover over’ trick, which allows you to find the true destination of the link you are asked to interact with.
A ‘balloon tip’ in the bottom left corner will give you enough information to identify a strange site.
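The ‘From’ check and the ‘hover over’ trick described above can also be done mechanically, which is useful when triaging a mailbox or a reported message. The script below is an added example, not code from the original post or from StealthMail: it parses two constructed sample messages (not real phishing emails) with Python’s standard library and reports the red flags the post names: a free-mail sender hiding behind a brand display name, pressure words in the subject line, and links whose visible text shows a different host than the real href. The sample messages, the free-mail domain list, and the function names are assumptions made for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing email): brand in the display name,
# free-mail sender, pressure words in the subject, and a first link whose
# visible text names a different host than its href.
SAMPLE_EML = """\
From: "Netflix Billing" <netflix.billing.team@gmail.com>
To: employee@example.com
Subject: URGENT: Payment failed - update your account now
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your payment was declined. Please visit
<a href="http://login-verify.example.net/netflix">https://www.netflix.com/account</a>
within 24 hours to avoid suspension.</p>
<p>Questions? See <a href="https://help.netflix.com">help.netflix.com</a>.</p>
</body></html>
"""

# Constructed benign counterpart: sender domain matches the display name and
# the link text matches the href host.
CLEAN_EML = """\
From: "Netflix" <info@netflix.com>
To: employee@example.com
Subject: Your February statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at <a href="https://www.netflix.com/billing">www.netflix.com/billing</a>.</p></body></html>
"""

# Illustrative list of providers a brand would not send billing mail from.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# The pressure words called out in the post.
URGENCY_WORDS = {"important", "urgent", "attention", "payment", "request"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; also accepts bare hostnames such as 'help.netflix.com'."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """True if the anchor text is something a reader would take for an address."""
    return bool(re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I))


def analyze(raw_eml):
    """Return the red flags the post describes for one raw RFC 822 message."""
    msg = message_from_string(raw_eml)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()

    # 1. The 'From' section: the real sender domain, not the claimed name.
    name_tokens = re.findall(r"[a-z]+", display_name.lower())
    name_mismatch = bool(name_tokens) and not any(t in sender_domain for t in name_tokens)

    # 2. Pressure words in the subject line.
    subject_tokens = set(re.findall(r"[a-z]+", msg.get("Subject", "").lower()))
    urgency = sorted(subject_tokens & URGENCY_WORDS)

    # 3. The 'hover over' check done programmatically: visible host vs href host.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    mismatched = [
        (host_of(text), host_of(href))
        for href, text in collector.links
        if looks_like_url(text) and host_of(text) != host_of(href)
    ]

    return {
        "sender": address,
        "free_mail_sender": sender_domain in FREE_MAIL_DOMAINS,
        "display_name_mismatch": name_mismatch,
        "urgency_words": urgency,
        "mismatched_links": mismatched,
    }


def is_suspicious(report):
    """Urgency words alone are only a hint; the sender and link checks decide."""
    return bool(report["free_mail_sender"] or report["display_name_mismatch"]
                or report["mismatched_links"])


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(name, analyze(raw))
```

Running it prints one report per message; the constructed sample trips all three checks while the benign one trips none. The link check only fires when the visible text itself looks like an address, because a mismatch between plain words (“click here”) and an href is normal in legitimate mail.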
When the email body is packed with bad English, you better be careful.
Historically, Internet criminals are associated with awful grammar and lots of typos, so getting an email riddled with mistakes is another phishing sign. Thankfully, most people can easily pick up on a poorly written email body, not necessarily to mock the sender for their limited language skills, but to stay safer online.
There’s a popular theory stating that hackers inject mistakes and misspellings in their phishing emails on purpose to weed out “smart” users.
Why they would want to do that is anyone’s guess, but there’s no denying that serious businesses would always spell check their message and read through it numerous times before clicking on the “send” button.
Although identifying a phishing email is not the easiest job in the world, it can be handy in some cases.
But if we look at the bigger picture, we will soon realize that the numbers are not on our side. There’s still a good chance to fall into the phishing trap, even after scanning through it with your focused pair of eyes.
The human factor won’t go anywhere, and neither will scammers. Moreover, in an ideal setting, analyzing suspicious emails is not the worker’s responsibility. But no email filtering technology will save you from all email phishing threats.
To keep the critical data and confidential information of your company safe, you need StealthMail. Its technology substitutes the usual way of business communication without changing much for the end user. It has a stern user verification policy to brush phishing emails off, and encrypts all email communication, so the perpetrators cannot carry out any reconnaissance work.
Furthermore, all StealthMail communication stays off the public Internet, held securely inside your own cloud server. StealthMail is seamless in integration, and it makes life easier for the workforce. If you are fed up with phishing emails, book a demo at StealthMail.com today!