The Scenario
Picture the scene…
It’s 4PM on a Friday afternoon. You’re killing time, waiting for the day to be over.
Suddenly, your computer, which has been quiet all afternoon, makes a familiar sound – you have a new email. You minimize the solitaire game you were playing to see what’s arrived.
Your heart skips a beat when you see the subject – YOU HAVE WON TICKETS!
You open the email, and it looks something like this.
Congratulations, you have won tickets to the game tonight!
CLICK HERE NOW TO DOWNLOAD!
-Local Radio Station
Tonight’s game?
You’ve been entering contests trying to win tickets to the sold-out game for weeks. You never win anything – this is your lucky day!
Clicking the link, you are taken to the website for the radio station, where it asks you to confirm your name, email address, and answer a few security questions. Excited, you put in the name of your childhood dog, and your mother’s maiden name.
Clicking the “DOWNLOAD TICKETS” button prompts you to save a PDF.
Your heart races.
Danger Ahead!
Opening the PDF does nothing.
Your heart sinks. You call the radio station to tell them there’s a problem, but no one answers.
Dejected, you head home.
On Sunday, you get a call. There’s been an incident at work, the computers are all down. Everyone is told to stay home.
This scenario has played out, in different variations, time and time again. The bait may be different. Who sends the email may be different. But the result is the same. You let an attacker into the company network.
How could this have been prevented?
What Does a Phishing Email Look Like?
There’s unfortunately no exact science or formula behind identifying whether an email is phishing or not.
Often, it can be difficult to determine whether an email is legitimate, phishing, or simply spam. It can involve a lot of effort to dig into a message, safely explore the link(s), and determine if something is legitimate or not.
This isn’t meant to scare you, or make you think there’s no hope, that we should just turn off the Internet.
Let’s look at this example to see how you might have spotted this phishing attack.
A Call To Action!
“CLICK HERE NOW TO DOWNLOAD!”
The sense of urgency packed into this sentence, coupled with the excitement of winning, switched off the critical thinking you would normally apply.
It’s a dirty trick used frequently by scam artists, social engineers, and even by legitimate salespeople.
Any time you see an email or ad, or even when you are talking to someone, and there is a sense of urgency or emotion – act now before it is too late – stop. Take a minute to think about WHY it is so urgent.
Limited Time Offer!
Act Now to Reserve Your Spot!
Only 5 Units Remaining!
These types of messages are designed to make you fear that you will miss out, but they’re often not true. Whether in a genuine sales situation, or when faced with an email asking you to do something, this fear of missing out is used to make you act before you have the opportunity to think about what you are doing.
With sales, the goal is to get you to commit to the purchase before you realize you don’t need that new TV.
In phishing or scams, the goal is to get something from you: your login details, gift cards, or other sensitive information.
That’s Great – What Else Can I Look For?!
How else could you have spotted this malicious email?
Hover your mouse over the link (on a phone, press and hold it) and your mail client shows the address the link actually points to, which need not match the text you see on screen. It looks right! Or does it?
Look closer. Another common tactic exploits the brain’s tendency to fill in missing details and see what it expects: an uppercase “I” in place of a lowercase “l”, a digit “0” in place of the letter “o”, or “rn” in place of “m”. In many fonts the two are identical to the eye, but to the domain name system they are different names.
This is similar to the tactic used by “typo-squatting” websites: attackers register common misspellings of popular website addresses and simply wait for someone to mistype.
Think about how many times you meant to type “google.com” and instead entered “goggle.com” – you may land on a page that looks just like Google but is in fact a malicious site that tries to infect your computer with malware or steal your credentials.
You may be thinking, that’s great, but what else? There must be more!
Take a closer look at the sender of the email. Does it look off to you? Check the actual address behind the display name, not just the name, and whether replies would go somewhere other than the apparent sender. Often, attackers will use hacked email accounts to send their malicious emails. Sometimes they get lazy and don’t try to hide that fact.
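The checks above (where a link really goes, look-alike characters in the hostname, and whether the sender and reply address agree) can be automated. The script below is an added example, not code from the original article or from any Kalnara product. It runs against a constructed sample message modelled on the ticket lure; every address and domain in it is invented for illustration (the .example top-level domain is reserved for documentation), and the check for the domain part of a hostname is a deliberate simplification.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the "you have won tickets" lure. All domains
# are hypothetical. Note the capital I in "Iocal-radio" in the first href: on
# screen it passes for a lowercase l, but DNS lowercases it to "iocal-radio",
# a different domain. The second link shows one address and goes to another.
RAW_EMAIL = b"""From: Local Radio Station <promotions@local-radio.example>
Reply-To: claims@tickets-prize.example
To: you@company.example
Subject: YOU HAVE WON TICKETS!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Congratulations, you have won tickets to the game tonight!</p>
<p><a href="https://www.Iocal-radio.example/tickets.pdf">CLICK HERE NOW TO DOWNLOAD!</a></p>
<p>Contest rules: <a href="https://tickets-prize.example/rules">https://www.local-radio.example/contest</a></p>
<p>Questions? <a href="https://www.local-radio.example/contact">Contact us</a></p>
<p>-Local Radio Station</p>
</body></html>
"""

# Sequences that commonly pass for one another in a hostname, mapped to the
# character they imitate. Applying the map to two hostnames and comparing the
# results tells you whether they *look* the same, regardless of whether they are.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("I", "l"), ("1", "l"), ("|", "l"), ("0", "o"), ("O", "o")]


def skeleton(host: str) -> str:
    """Collapse look-alike characters so visually similar hosts compare equal."""
    for lookalike, target in CONFUSABLES:
        host = host.replace(lookalike, target)
    return host.lower()


def registrable_part(host: str) -> str:
    """Last two labels of a host. A simplification that is fine for .example;
    real code should consult the public suffix list (e.g. for co.uk)."""
    return ".".join(host.split(".")[-2:])


def raw_host(url: str) -> str:
    """Host part of a URL exactly as written. urlparse().hostname lowercases,
    which would hide the capital-I trick, so work from netloc instead."""
    netloc = urlparse(url).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw: bytes) -> list:
    """Return human-readable phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()

    # Indicator 1: replies would go somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")

    for href, text in collector.links:
        host = raw_host(href)
        if not host:
            continue
        # Indicator 2: non-ASCII hostnames can hide Cyrillic or Greek look-alikes.
        if not host.isascii():
            findings.append(f"Non-ASCII hostname in link: {host!r}")
        # Indicator 3: the hostname reads like the sender's domain but is not it.
        looks_like = registrable_part(skeleton(host)) == registrable_part(skeleton(from_domain))
        is_same = registrable_part(host.lower()) == registrable_part(from_domain)
        if looks_like and not is_same:
            findings.append(f"Link host {host!r} is a look-alike of sender domain {from_domain!r}")
        # Indicator 4: the visible link text names a different host than the href.
        if text.startswith(("http://", "https://")) and raw_host(text).lower() != host.lower():
            findings.append(f"Link text shows {raw_host(text)!r} but points to {host!r}")
    return findings


if __name__ == "__main__":
    for finding in analyse(RAW_EMAIL):
        print("-", finding)
```

Run as is, the script reports three findings for the sample: the mismatched Reply-To, the look-alike hostname in the download link, and the rules link whose visible address differs from its real target. The legitimate "Contact us" link produces nothing, which is the point of comparing skeletons rather than flagging every link.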
This is a relatively simple example. Other emails are much more nefarious and use different tactics to evade detection.
Tell Me More!
Let’s look at another scenario.
You received a reply to an email thread from a business associate you were dealing with a few months ago. In the message, there’s an attachment asking you to review a document related to the deal you were working on that was missed.
You worked on this project together for months. No big deal. Right?
Except it wasn’t your associate sending the email. Instead, their email was compromised in what is known as a Business Email Compromise, or BEC.
A malicious actor compromised their email, possibly through the very same kind of lure you are now facing. Opening the file may lead to a variety of outcomes: a prompt to log in to your company network (or so it appears), malware running on your machine, or a request to update banking details for the final payment.
What happened?
Well, this is another tactic used to short circuit your critical thinking. You have dealt with this person, and you trust them. You remember the email thread, so it must be legitimate. After all, who else could have gotten this much information?
How could you spot this particular threat?
Did something initially seem strange to you? You will be more aware of the vendors and potential relationships or interactions that occur in what you do, so if something seems off to you, it probably is.
Was the spelling and grammar different from what you remember the person using? While the days when every phishing attempt had poor spelling and grammar are gone, emails with misplaced capitalization, odd punctuation, or strange phrasing still raise the suspicion level. On its own it is a weak indicator, but it adds weight when combined with the others.
Don’t Despair!
BEC can take many forms, including unsolicited emails with attachments, old email threads revived with an unexpected link or attachment, or requests for information or changes that are out of context or badly timed relative to the existing thread.
Both of these scenarios can be difficult to navigate. If you are prompted to act quickly or take an action that seems out of the ordinary, step back and think. If you’re still uncertain, ask someone. Quite often another person can provide perspective and insights that help spot a scam.
Ultimately, you are the best defense against these types of emails. To protect yourself, apply critical thinking and set emotion aside when deciding whether to trust a situation, and at work, report anything suspicious to your IT or security team rather than simply deleting it.
Looking for more? Kalnara provides Security Awareness Training solutions to help businesses big and small train their employees to detect these scams, be safe on the Internet, and more. Call us today to start! (See what we did there?…but really, you should call.)