8 Ways to Identify Phishing Attempts Updated for 2021

What is Phishing?

Gone phishing? Cybercriminals sure have, but it’s not just catch and release anymore. At its core, phishing is a cybercrime that uses electronic communication to take advantage of users. Attackers attempt to gain sensitive or confidential information, such as usernames and passwords, credit card information, and more by posing as legitimate organizations or individuals. They use social engineering to manipulate victims into clicking on malicious links and entering information. 

Phishing was the most prevalent cybercrime in 2020, according to the FBI. Reported incidents nearly doubled from 2019 to 2020, with 114,702 in 2019 and 241,324 incidents in 2020. Email is still the top way phishing tactics are delivered, with 96% arriving in an inbox; however, there are other tactics outside of email that are being used every day. We’ve broken down these differences below:

Email

Why is email such an easy target? While most people know how to send and receive emails, the same cannot be said about the understanding of how emails are sent or received.  The simplicity of modern email interfaces lulls users into a false sense of security; however, a potent combination of human error and malicious agents can make emails one of the most dangerous threats to an organization’s security.

As with all security practices, it starts with training employees to understand and identify suspicious emails. Alongside this training, organizations need to have the right tools to fight against this data theft, including anti-virus filters, email filtering, email encryption, and more. 

Types of email phishing can be broken down into the following categories:

  1. Spear phishing: These attacks will not look random. Attackers will gather information about the victim to make the email feel more authentic. 
  2. Clone Phishing: Attackers will make almost identical copies of previously delivered email messages and change an attachment or link to something malicious. 
  3. Whaling: These specifically target high profile and/or senior executives at organizations, presenting themselves as legal communications or other executive business matters. 

Other Forms of Phishing

While most phishing attempts do occur over email, it is still common to receive material in other ways. A telephone attempt is also known as vishing. When a message is sent over text message, it is called smishing. 

Phishing in a Pandemic

By now its old news that COVID-19 changed everything in how organizations operate and share information, and phishing is no exception. Of the consumer complaints about stimulus payments to the Federal Trade Commission (FTC), 72% were related to fraud or identity theft. Additionally, the three primary objectives for COVID-19 related phishing emails were identified as fraudulent donations to fake charities, credential harvesting, and malware delivery. Although these may be primary objectives seen from phishing emails, the traditional methods of attempting to phish employees remain consistent.

One note: The increase in phishing during the pandemic, however, may be skewed because of the increase in remote users, and those users may not be protected by the same security tools they used to. 

As we move toward the holiday season, the nature of those trended emails will surge, encouraging users to click using some of the traditionalinfluencing tactics. With businesses of different industries suffering supply chain delays, scarcity will be leveraged to drive email responses or secure deals.

8 Ways to Identify Phishing Attempts

  1. Requests for Sensitive Information – A legitimate organization will never ask you to enter any information that is sensitive by following a link. You will usually be asked to go to the official website or app to enter your credentials and any other information that is required. 
  2. Generic SalutationsMost hackers will greet you with a “Dear Valued Customer” or “Dear Account Holder.” Sometimes, ads will not even include a greeting. Genuine organizations will use your name. 
  3. Check the Domain – Don’t just check the name of the sender. Check the email address attached by hovering over the ‘from’ address. If you see any changes from what you were expecting, like numbers or letters added, this might be a phishing attempt 
  4. Bad Grammar – Legitimate organizations will send emails that are professionally writtenwith no spelling errors or bad syntax. Hackers believe their prey are less observant and easier targets, so they tend to have spelling errors and grammatical mistakes.  
  5. Forcing you on to a Site – If in doubt, don’t open the email. Many times, emails can be coded entirely as a hyperlink so any accidental click anywhere in the email can lead you to a malicious site or start a spam download on your computer.  
  6. Unsolicited Attachments – Authentic organizations will seldom send you attachments. They will usually direct you to their website to download what you need from there.  
  7. HyperlinksAlways hover over any links in the email because it may not be all it appears to be. When you hover over the link, it will show you the actual URL it will direct you to.  
  8. Sense of Urgency – One of a hacker’s favorite methods to hook a victim is asking them to act fast, often by offering a one-time deal for a limited time. Other times they will pretend to inform you that your account has been compromised. It is usually best to ignore these communications. 

Here's an example...

Phishing Email

(Note – we have removed our domain information we tested here as not to advertise what services we use for which of our testing email domains. This email was from a testing domain used at O365.) 

This was an email we recently received at one of our email domains. Here’s how we know this is a phishing attempt:

    1. Yellow Headers: Wadded headers from our email provider, letting the receiver know it did not source from our domain. If your provider offers such potential, this is a great tool that could benefit your team’s awareness of where an email is coming from 
    2. To and From” Visibility: We see that “To” and “From” are not domains that anyone should expect to see regarding a password alert. This email is hoping that the user has an urgency to click the “Keep your Password Now” link and ignore the rest of these details. 
    3. The onmicrosoft[.]com message at the bottom looks out of place and is likely not an email that you would receive for a password reset notification from Microsoft. 

When we went to “View Message Details” on this specific email, here is what stood out:  

“Received: from 365days[.]one – Marked by some Web Filtering Vendors as Placeholder Category 

X-Originating-Ip: Received-SPF: pass (domain of mail110.suw91.mcdlv[.]net designates 198.X.X.X as permitted sender) – IP address of the user that sent the email, then using that identify the owner of the IP address, leveraging sites like ARIN Whois/RDAP. 

Buried in the headers we found:  

X-Mailer: MailChimp Mailer – **CIDEXAMPLE** X-Campaign: mailchimp CIDEXAMPLE X-campaignidmailchimp CIDEXAMPLE X-Report-Abuse: Please report abuse for this campaign here: https://mailchimp.com/contact/abuse/?u= CIDEXAMPLE &id= CIDEXAMPLE” and since this is not new to use services, such as MailChimp for such activities, MailChimp does have a website using the above abuse link to report it (we removed all indicators from this campaignid above, but this is an example).   

While this specific email did source from MailChimp, it was forwarded by another email service provider before reaching our test email address domainIn this example, we found our email report to MailChimp as Abuse returned a quick response back. 

Lessons Learned:  

    • Mismatched sender addresses? This may not always be an indicator of malicious intent, but helpful to review. 
    • Email Travel Path? As email traverses’ multiple email servers a record of those servers is stored in the email headers. Headers can be modified by email servers so should not be considered entirely trustworthy. This is where looking for DKIM and SPF being enabled will show results of “failed verification.” 
    • Email client specified? Most of us use a client to send our email and do not directly connect, but as with the email travel path, email client can also be altered or spoofed. 
    • Received an email with an attachment? Call the person directly if possible, or craft a new email to them (not using the reply button) and ask about the attachment.  
    • Received an email with a link? If it’s a system you normally use, don’t click the link, use a trusted process that doesn’t involve clicking the link. For example, if you use Gmail and received a Gmail expired password email: open a new browser, type in the domain on your own, log in, and verify the password works. While you are logged in, check your Google Security settings to see if any strange systems or IP addresses connected to the account recently that would lead to receiving such an email. That’s just one example, but if you use a Portal to access corporate tools, use a Web Portal of Widgets to access the site (via Lastpass, Okta, PingIdentity, OneLogin to name a few).  

Pro Tip: Don’t publicly share templates for emails (or communication emails) which help adversaries better craft attacks against your organization.