Every day in my classroom we talk about current events that are going on in the cybersecurity world. Many times these current events have to do with data breaches or data leaks that end up costing companies millions of dollars to clean up. As a class, we dissect these breaches, and most of the time it has to do with a weak password or an instance of someone falling for a phishing scam. No amount of anti-virus or security controls can stop social engineering. The only thing that can stop it is educating users. In this post, that is my goal, here are 5 ways that you can spot a phishing campaign and sharpen your cyber senses.
1. Check The Sender
When you receive an email that is asking for any personal information it is best to verify who it is coming from. This is the first defense against falling for a phishing scam. If you examine the email address and it comes from an @gmail.com or @yahoo.com or some other publicly available service, chances are the person on the other end is not who they say they are.
Sometimes there are more advanced phishing schemes and they will go as far as purchasing a similar domain to try and get your personal information. For example, if I was going to try a campaign in which I was amazon customer service, I may purchase the domain amazoncares.net. For less then 15 bucks and about 30 minutes of work, I can create a website and a legit email address that would most likely fool most people reading this article.
Always look at the actual email address that the email is being sent from. If you are unsure, type in the company’s address into Google and see if it matches the sender of the email. Always look at what comes after the @ sign!
firstname.lastname@example.org <– most likely legit
email@example.com <– most likely not legit
2. Look for Mis-spellings and Grammer
Many times if there is a phishing scam and it is hitting your personal email the attackers are throwing a wide net. With this wide net comes automation in which bots are doing most of the work. Computers are good but they are only as good as the person writing the programs. Because of this, there are often mis-spellings in the body of the emails.
Below is an example of a spam email in which the threat actor is trying to scare me into thinking that some expensive electronics were purchased on Amazon and they are being shipped to someone in Florida. They are hoping that I over-react and call the number on the email because this order was made in error and I am out over $700! Sadly, their mistakes are easy to spot and I did not reply to this email nor did I call the number in the email.
Slow down! Take a second to read the email and see what is going on. If your Spidey sense is tingling, then trust it and delete the email. I treat emails the opposite of what we are used to in the US. They are guilty until proven innocent.
3. Trust No Attachments
Back in the day, attackers could send payloads, or malicious code, as an attachment of an email and people would open it. Now they have to try a little harder because most email providers block executable attachments (.exe’s). That being said, you shouldn’t just trust attachments that are sent to you just because it is a PDF or a jpg. These files can also have malicious code that is set to run and steal credit card information and other valuable data from your computer.
Watch this video of just how easy it is for an attacker to get information from your computer just by sending you an infected pdf:
If you don’t know the sender, don’t open the attachment. If you do know the sender but are still unsure, pick up the phone and contact the person on the other end just to verify. That 5-minute phone call could prevent you from having your identity stolen and keep your information safe.
If you receive a questionable email on your work account then contact the IT department right away. Chances are if you received the email, then someone else did too and you can help prevent the spread of malware across the organization.
4. Verify Links
All of the points so far are important, but this tip is the biggest tell of all. As a social engineer, I can craft the perfect email and make it look super legit but at some point, I have to get you over into my playground so I can start launching attacks. This is where most phishing campaigns fall apart because they use URL shorteners to mask the website that they are sending you to.
What is a URL shortener?
A URL shortener is a tool that takes really long URLs and makes them much shorter so they are easier to type into the address bar.
So how can we be sure that we are not going to malicious websites? The easiest thing you can do is hover over a link in the email and see where it is taking you. For example, hover over the link below:
Click here to update your information.
You will notice that this link that looks innocent is actually taking you to a bad site that is targeting your personal information.
What you see is not what you get… If you hover over the link below, check out where it takes you. At quick glance, you may think that it is going to a legit website but upon further investigation, you will notice that it is taking you to my malicious website 🙂
Head over to www.amazon.com/orders to check the status of this order.
Trust but verify is my motto when it comes to everything in life and that is no different when it comes to email. Take a minute to hover over a link to see where it is actually taking you. If you want to be double sure, right-click on the link and paste it into notepad so you can verify it.
5. If It Is Urgent, Chances are it is a scam!
One of the best tools in my social engineering toolkit is the idea of urgency. As humans, we do not want to miss out on anything and we always feel like we are missing out (ever heard of FOMO?). Social engineers are keenly aware of this and use it to their advantage. Urgency, Fear, and Authority are the three main ways I can try to get you to do something for me. If I combine all 3 of these things then I am more likely to get you to click on a link or tell me your personal information.
As you can see from the email below, the threat actor is using urgency and fear to get me to update my shipping information by replying to the email.
Like all of the previous tips I recommend you slow down and ask questions. If I were to get the above email I would open up a new tab, go to Amazon.com, and click on customer support. I would not click on any links in the email.
Trust but verify 🙂