Phishing attacks are nothing new. In spite of all the “advanced” detection technologies and secure email gateways available, phishing is one security headache that technology has not solved. Attack groups continue to successfully penetrate major organizations and, although businesses will continue to deploy technology-based defenses for various reasons, including compliance, many security and risk professionals will agree that humans play an important role in cutting off attackers before they gain a foothold in information systems.
To spot a phishing email, you first need to understand exactly what one is. Phishing is any type of email-based social engineering attack designed to lure recipients into reacting in an undesirable way. This includes clicking on a link that drives them to a malicious website, opening an attachment laden with malware, or giving up valuable assets such as user credentials.
Successful phishing attacks give attackers a foothold in corporate networks and access to vital information such as intellectual property or, in some cases, money. Phishing emails are carefully crafted and targeted to specific recipients, making them appear genuine to many users. Even one phishing email that goes undetected and unreported by employees can have devastating effects on an organization.
While the sophistication of these social engineering attacks can make them tricky to block, there are several common characteristics and indicators of phishing emails that can help recipients better identify and report possible attacks before sensitive information is compromised or money is stolen. The following are some of the key indicators that can help anyone spot a phish:
1. Threats or a sense of urgency. Emails that threaten negative consequences or punishment should be treated with suspicion. A sense of urgency can also be a big indicator of a possible phishing scam. If an email provides a strict deadline for performing an action, recipients should be on alert. Many attackers use this method of encouraging or demanding immediate action to fluster recipients, which can result in email recipients not reading the content thoroughly enough to detect other inconsistencies that are indicative of a scam.
2. Grammar and spelling errors. Another telltale sign of phishing is the use of poor spelling and grammar. If a message is sent out on behalf of a legitimate company, there is typically a thorough review process to catch any grammatical errors or typos.
3. Unfamiliar tone or greeting. Most people know how co-workers and friends speak, so if an email’s tone sounds out of character or otherwise strange, it is worth a second look to scan for other indicators that this could be from an attacker instead.
4. Inconsistencies in email addresses, links and domain names. Another simple way to spot a potential phishing attack is by looking for discrepancies in the email address or in any links included in the email. Does the email come from an organization your company corresponds with often? If so, look at the domain name in the email address for any changes or inconsistencies to confirm it is a legitimate user. Email recipients can also detect if a link might be malicious by holding their mouse pointer over the link and examining the URL before clicking on it to look for anything that might be out of place based on the context of the email. For example, if the email claims to be from Dropbox but the link doesn’t include “dropbox.com,” it might be malicious.
5. Suspicious attachments. When an attachment comes from someone unfamiliar or if the recipient did not actively request or expect to receive the file, the user should be cautious about opening it. If the attachment is a ZIP file, users should be particularly wary, as legitimate versions are highly uncommon to receive via email.
6. Request for credentials, payment information or other personal details. Spear-phishers will often forge login pages to look exactly like the real thing in order to steal user credentials. Anytime an email points recipients to a login page or says there is a payment required, recipients should refrain from inputting information unless they are 100% certain the email is legitimate. If they were not expecting it or it came from an unfamiliar sender, it should be flagged to the organization immediately.
7. Too-good-to-be-true incentives and financial rewards. Phishing emails often dangle a financial reward or incentive of some kind to encourage the recipient to click a link or enter their account information. If an email offers something that seems too good to be true, it probably is.
8. Recipient did not initiate the interaction. A phishing attempt can come in the form of a reward for a contest they did not enter, or an email from an organization claiming that recipients signed up for its newsletter or services. If the content of the email is completely unfamiliar or the user did not initiate the interaction, there is a strong chance that clicking links or opening attachments could lead to malware.
Conditioning employees to be vigilant in identifying these indicators and reporting suspicious emails is crucial, because chances are if one employee is targeted in a phishing campaign, others are as well. “If you see something, say something” is a good rule of thumb when it comes to suspicious emails.
To that end, it is important to have an easy and efficient process in place for employees to report potential phishing attacks to information security personnel. Reporting possible phishing emails as soon as possible helps security operations and incident response teams rapidly secure the network, prevent the attack from reaching other employees and minimize the time an attacker has access to a network, preventing potentially costly breaches.
In addition to a timely response, it is also important to track which users are reporting actual phishing attacks as this can help prioritize incoming reports based on the employee’s reporting track record.