Phishing

How to Recognize Phishing Emails

Daniel Dimov
May 30, 2017 by
Daniel Dimov

Section 1. About phishing

People all over the world get phishing emails on a daily basis. Email inboxes are full of suspicious requests to confirm bank transactions, respond to social media messages, reply to soldiers serving in war zones, and receive inheritances from unknown relatives residing overseas.

Phishing is an illegitimate fraudulent practice conducted through electronic communication means that aims at obtaining victim's sensitive data, such as passwords and credit card details, for malicious purposes by camouflaging as a legitimate entity. Phishing is performed by using various techniques, including, but not limited to, targeted spear phishing, content injection, session hijacking, link manipulations, Trojans, ransomware, and malvertising. However, email phishing remains the most common phishing technique as it is easy to perform (a fraudulent email can be sent to millions of users by a single click) and it does not require overly sophisticated IT skills.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

Email phishing relies mostly on email spoofing, a fraudulent technique that imitates the characteristics of legitimate websites to mislead the users about the origin of a message. This technique works because the core email protocols cannot authenticate the sender of an email. For example, an Internet user may receive a deceiving email from his/her bank asking to confirm his/her bank account details by filling out a form or signing the attached document. The message informs that, if the user fails to do so, customer's bank account may be suspended. The email may look exactly as originating from a legitimate bank – it uses the same graphic elements, trademarks, colors, and font. Moreover, the sender's email address may contain the name of the bank. After a deceived user submits the requested information, the phishing actors receive the data immediately and may further use it for causing financial losses, committing identity thefts, ransomware attacks, blackmailing, or installing malicious software.

The "2017 Verizon Data Breach Investigations Report" warns that, at present, phishing remains a serious problem among Internet users. It summarizes current phishing research results as follows: "around 1 in 14 users were tricked into following a link or opening an attachment - and a quarter of those went on to be duped more than once. Where phishing successfully opened the door, malware was then typically put to work to capture and export data - or take control of systems." The same report compiled in 2016 stated: "30 percent of phishing messages were opened by the target across all campaigns last year. It took a recipient an average of one minute 40 seconds to open the email and three minutes 45 seconds to click on the malicious attachment." The latest phishing trends also indicate that, at present, 95% of phishing attacks are followed by an installation of additional software.

Section 2. How to recognize phishing emails?

Although there is no single method to avoid a phishing attack, there are some techniques that can help to recognize and prevent potential phishing-related risks. The main method for mitigating phishing risks is combining technical security measures with raised information security awareness. In this article, we overview the main techniques that can help Internet users to recognize phishing emails in their inboxes.

2.1 Assessing the overall quality of the form of the message

To assess the form of a suspicious message, it is important to check the email for grammatical mistakes, proper language use, as well as the quality of used graphic elements and logos. Cybercriminals usually send mass emails containing spelling mistakes and faulty layout. This is also valid for more targeted phishing (e.g., spear phishing) that addresses particular persons or organizations. It is important to stress that professionals and serious companies do not allow themselves to contact their users and customers by using incorrect language or poor quality images.

2.2 Assessing the content of the message

In addition to the form of the received email, it is also important to critically assess the content of it. The first indicator of a fraudulent message is a threat contained in the message. Thus, if the message incentivizes the user to perform certain actions (e.g., to visit a website, submit sensitive information, confirm personal details, and fill out the form) in order to avoid a threatening operation (e.g., security compromise, closing of a bank account, and deleting of an online account), especially with an urgency notice, such a message is likely to be a fake alert designed for phishing purposes.

The second indicator that the message may be a phishing attempt is a request of personal information. It is unreasonable that an institution would request their customers to provide their bank account numbers, credit card details, or login information when all the financial data is usually stored in the protected internal networks of the institution. Thus, in any doubt, the targeted Internet user first should contact the potential sender by using legitimate contact details for verification of the request before clicking on any links contained in the message, opening attachments, or filing out the forms.

Thirdly, if the message contains unreasonably attractive offers, such as a large inheritance, a big amount of money won in a lottery, or big promises, such a message is likely to be a scam.

Finally, the phishing actors may refer to an unrequested offer. Emails containing such offers should be approached with the utmost care. For example, an email from an unknown relative with an attractive financial offer is likely to be phishing.

2.3 Checking the origin of the links contained in the email

Phishing emails often contain links that should be clicked on. Before clicking on any such links, it is important to check their origin and integrity. It can be done immediately by resting a mouse on the link and examining if the web address revealed next to the pointer of the mouse matches the link that was typed in the message. In phishing emails, such links may be typed as a string of cryptic numbers instead of a web address of a legitimate company.

In addition, it is handy to inspect the domain names used in the message. Phishing organizers often use domain names resembling legitimate websites. However, not all recipients are familiar with DNS naming system and the fact that "child" domain names are constructed by adding the main domain name on the right side of the domain name and leaving the "child" part of the domain on the left side. Thus, the domain name www.phishing.testdomain.com may originate from the original domain name www.testdomain.com, whereas the domain name www.testdomain.com.phishing.com would probably be a malicious use of the domain name www.testdomain.com.

2.4 Announcement from a governmental institution

Law enforcement agencies use certain protocols for contacting people. Usually, they do not contact a person by email unless the person has initiated the communication earlier by asking for information or requesting to answer certain questions. Thus, if a message appears to come from a governmental institution without a previous email request on behalf of the recipient, such a message should be assessed carefully, especially if it contains the phishing elements discussed above.

Section 3. How to avoid phishing on an organizational level?

Raising awareness is one of the main tools for mitigating the risks of phishing attacks. Since phishing directed towards corporate victims can bring more extensive damages than phishing directed towards individuals, it is of utmost importance to educate the end users, namely, organization's employees, to recognize phishing emails and not to get into the trap of cybercriminals. Such proactive approach may protect organization's informational and financial assets.

It is important to deny the opinion that only big enterprises become targets for phishing attacks. Small and medium size businesses often become victims of phishers because they do not have sufficient financial and professional resources to protect and defend their networks.

Cybersecurity plans against email phishing may contain extensive security policy programs, envisage the creation of phishing tests for assessing the cybersecurity knowledge of organization's employees and introduce checks of employees' capabilities to implement the plans.

Also, it is important to remember that new phishing techniques are being developed on a regular basis. Thus, following the news about phishing scams and familiarizing with latest trends in phishing can prevent an attack on an individual and organizational levels. Cybersecurity awareness training can provide valuable knowledge about the methods, preventive measures, and newest trends in the field of phishing.

In addition to the general phishing security measures discussed above, there are technical security means that can be used by individuals and organizations to prevent this type of attacks, namely, using browser toolbars, firewalls, antivirus software, and spam filters.

Installing browser toolbars

Developers of the most popular Internet browsers offer anti-phishing toolbars (e.g., Netcraft Extension, Password Alert, and Anti-Phishing) free of charge. Such toolbars run checks of the websites visited by the user and compare the collected data with blacklisted phishing websites. In case a user browses in a blacklisted website, the toolbar informs the user about a possible threat. Moreover, such toolbars protect against deceiving cross-site scripting (XSS), create phishing-resistant passwords, and create anti-phishing communities where the users can report discovered phishing sites. The browsers themselves should also be up-to-date, because, by updating browsers, developers regularly address security loopholes.

In addition to installing browser toolbars, users need to monitor the security of the websites visited by them. By way of illustration, if a website (1) does not begin with "https", (2) does not contain a closed lock icon next to the address bar, (3) does not have a security certificate, and (4) offers suspiciously cheap goods, the transactions on such websites should be conducted with utmost care.

Using firewalls, antivirus software, and spam filters

Firewalls and antivirus software are widely used tools for ensuring network cybersecurity. Firewalls (desktop firewalls and network firewalls) restrict incoming and outgoing communication traffic, whereas antivirus software prevents infiltration of suspicious content to the network. Also, pop-up blockers should be enabled as pop-up windows are also often used by phishing actors.

It is important to note that an email spam filter, antivirus software, or a firewall alone cannot assure safe and phishing-free communication. Such tools assist only to a certain extent in preventing phishing attacks. To have a complete protection, they should be combined with raised security awareness.

Section 4. Conclusion

Phishing has been a widespread scam technique for years. Unfortunately, simultaneously with the rapid increase of the Internet use, more and more phishers succeed to lure their victims. Our article has overviewed the main methods that can assist in identifying a prospective phishing attack and mitigating phishing threats on personal and organizational levels.

To summarize, a phishing attempt can be recognized by: inspecting the form and the content of the message in question, including the quality of its graphics, spelling mistakes, the origin of the links, and the other information contained in the message.

In order to minimize phishing risks, it is important to employ complex security plans that include technologic security infrastructure (e.g., firewalls, encryption, anti-virus software, and phishing toolbars), raising security awareness of Internet users and organization's employees (e.g., educating about types of threats, password security, limiting access control, and familiarizing with action plans in case of incidents), and reporting phishing scams. Special attention should be paid to training as the human factor is usually the weakest link in the cybersecurity chain. The combination of the methods discussed in this article may prevent individuals and organizations from falling victims of phishing actors. Unfortunately, a single weapon in this warfare does not exist.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

References

  1. 'Anti Phishing'. Available at https://addons.mozilla.org/en-US/firefox/addon/anti-phishing/.
  2. 'How to recognize phishing email messages, links, or phone calls', Microsoft. Available at https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx.
  3. 'Netcraft'. Available at http://toolbar.netcraft.com.
  4. 'Password Alert', Google Chrome. Available at https://chrome.google.com/webstore/detail/password-alert/noondiphcddnnabmjcihcjfbhfklnnep.
  5. 'Phishing', Australian Competition and Consumer Commission. Available at https://www.scamwatch.gov.au/types-of-scams/attempts-to-gain-your-personal-information/phishing.
  6. 'Phishing Techniques', Phishing.org. Available at http://www.phishing.org/phishing-techniques.
  7. 'Verizon Data Breach Investigations Report 2016', Verizon. Available at http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf.
  8. 'Verizon Data Breach Investigations Report 2017', Verizon. Available at http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/.
  9. 'What can I do about phishing?', Facebook Help Centre. Available at https://www.facebook.com/help/166863010078512?helpref=faq_content.

Co-Author

"Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master's degree in IP & ICT Law."

Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.