Top tips: how to spot phishing scams
30 April 2018
TEISS guest blogger, Eyal Benishti, CEO and Founder of IRONSCALES, outlines six top tips on how to spot phishing scams.
Phishing remains the number one attack vector for cybercriminals around the world.
While once these were crude messages, often poorly spelled and easy to spot, today’s phishing lures are concealed in targeted attacks that use technology to spoof the sender and conceal an attachment’s true intentions.
Attackers are prepared to go the extra mile to trick unsuspecting victims into handing over all kinds of sensitive data, from financial to personal information, and their messages are designed to evade detection and reach our inboxes, so it’s down to humans to determine fact from fiction.
With sensitive information, from financial information to passwords and everything in between, lucrative to nefarious actors, all it takes is one click to become entangled in a phisher’s net.
Thankfully there are still some signs that hint towards a message being a phishing attempt, so knowing what to look out for could prevent the workforce from falling for a malicious communication, with potentially catastrophic results.
Here’s our list of phishing indicators for users to tick before they click:
Indicator 1: The URL
Often phishers will hyperlink text embedded in an email which may seem perfectly legitimate – it may even be one that’s recognised. However, hovering the mouse over the link may reveal a completely different address.
This apparent mismatching of URLs is a sure sign that something is not right, and clicking it will probably lead to visiting a site with malicious intent.
Indicator 2: Spoofed Sender
Just like checking the URL carefully, it’s also important to look at the sender’s address. A Gmail or other free email service is an easy spot but sometimes the address may not be as easily deciphered. Things to look for are slight variations in the address – for example is it @apple.com or is it actually @appple.com?
Of course, scammers are able to use technology to spoof the sender so this is when other indicators need to be checked. If the sender looks right, but the message ‘feels’ wrong then there may be other clues as to the message's legitimacy.
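The @apple.com versus @appple.com comparison can be expressed as an edit-distance check on the sender's domain. This is an added example, not code from the original article; the TRUSTED and FREE_MAIL lists, the function names and the distance threshold are assumptions chosen for illustration.

```python
from email.utils import parseaddr

TRUSTED = {"apple.com", "hmrc.gov.uk"}     # assumed allow-list for illustration
FREE_MAIL = {"gmail.com", "outlook.com"}   # assumed and not exhaustive

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def classify_sender(from_header, max_distance=2):
    """Return 'trusted', 'free-mail', 'lookalike:<domain>' or 'unknown'.

    'trusted' only means the domain string matches the allow-list. The From
    header can be spoofed, so the other indicators still need to be checked.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown"
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED:
        return "trusted"
    if domain in FREE_MAIL:
        return "free-mail"
    for good in sorted(TRUSTED):
        # A near miss on a trusted domain is the slight variation to look for.
        if edit_distance(domain, good) <= max_distance:
            return "lookalike:" + good
    return "unknown"

# Constructed From headers, not taken from real messages.
SAMPLES = ["Apple Support <no-reply@appple.com>",
           "Apple Support <no-reply@apple.com>",
           "Apple Support <apple.support@gmail.com>"]
```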
Indicator 3: Spelling and Grammar
The next tip you will have heard a million times before, but that doesn’t make it any less relevant - always keep an eye out for bad spelling and grammar.
A legitimate communication from an established brand or recognised organisation has almost certainly been reviewed by countless people to ensure everything is perfect - nothing usually gets past the legal department or the marketing grammar police!
If an email claims to be from Apple yet has a few spelling mistakes, poorly constructed sentences and little if any punctuation, it has almost certainly come from a nefarious actor trying to spoof the brand.
Indicator 4: Strange Requests
Always question any email that asks for personal information.
For example, banks will never ask someone to reveal their PIN in any correspondence – be it verbal or written, so any communication that asks for this information will be illegitimate. Also question whether the Corporation or Government body that the message claims to be from would ask for the information requested via email.
Would the IT Team send a link to follow to patch an application or would this normally be scheduled via a routine update – do your users know that? If the message asks for something to be revealed when normally someone would call and take them through security questions first to confirm identity, then alarm bells should sound. While on this subject, there has been an increase in Vishing scams (telephone scams), so it’s worth suggesting caution here too.
Whenever legitimacy is in question, particularly when being asked to change payment details or disclose credit card numbers, it needs to be verified. This can be done by contacting the company the email claims to be from to check its validity.
Indicator 5: Seasonal Scams
Just as advertisers like a well-timed promotion, so too do scammers. For example, when it’s tax return season, phishers are almost guaranteed to try and get victims to hand over their information by spoofing HMRC with enticing lures of large rebates. Popular sporting events are another favourite for scammers – whether it’s an app to stream Wimbledon live or a ticket promotion for the FA Cup final, if it seems too good to be true then it almost certainly is.
Although a communication may look official, there is guaranteed to be another official channel where the claims made can be verified, such as a supporting website – just don’t click a link in the message. Instead, ask Google! Other popular search engines also exist.
Indicator 6: Under Pressure
Another sure sign that the recipient is about to be phished is if the email uses particularly threatening or pressuring language – for example “Urgent Action Required” or “Your Account is Closing!”
Nefarious actors will play on people’s emotions to get what they want, trying to make them act fast before they’ve time to really think something through. Remember, official communications from many senders are unlikely to arrive via email – a bank will call, HMRC will send a letter. True, online services such as Amazon might send an email, but they will expect the recipient to log into the account using the normal method rather than click a link.
Phishing scams are increasingly sophisticated - there is no denying this, and many are difficult to spot even with the trained eye. The issue is, if just one message gets through to a distracted or uninformed user who interacts with the criminal’s payload, the entire organisation can find itself disabled.
While gateway-level solutions are beneficial for spam and malware filtering, organisations need to take a multi-layered approach that mitigates and remediates the risk as fast as possible, both before and after a phishing email has landed in the inbox.
Taking a bottom-up approach, using machine learning algorithms and deep scans at the mailbox level, organisations can detect phishing attacks that make it through secure email gateways.
By examining user communications and metadata to establish a baseline, anomalies in communications are easily spotted and automatically flagged as suspicious, to help people make smarter and quicker decisions regarding emails within the mailbox. This needs to be combined with automated response capabilities for the security team to remove confirmed malicious messages from mailboxes enterprise-wide, to prevent a distracted employee falling victim to a confirmed bogus message.
Following the tips outlined above will help stay ahead of the scammers’ game and out of the phisher’s net. However, it’s worth having a mechanism or process for those members of the workforce who do spot something a little phishy to report it and have it reviewed by security experts.
Find out more about IRONSCALES at https://ironscales.com/