By Jon Xavier
Cybersecurity is only as strong as its weakest link. Unfortunately, that weak link is often us.
People are generally friendly, eager help each other out, and often willing to extend the benefit of the doubt in unclear or ambiguous situations. These are very admirable traits from a humanist perspective. From a hacker’s perspective, however, each one is a potential security hole that can be exploited.
It’s no surprise then that the vast majority of data breaches include some element of social engineering—the practice of manipulating a human into doing something that compromises security. When this happens through email, text messages, or social media, it’s called phishing.
Phishing can be (and often is) automated, and therefore it happens at incredible scale — according to Symantec, the average internet user now receives 16 phishing emails each month. It wouldn’t be much of a stretch to call this the most constant social engineering threat most companies face.
Fleetsmith prides itself on being “Secure by Design,” so we take the threat posed by phishing seriously. We believe the best defense against these kinds of attacks is to build a strong internal culture of security, and that takes training. We give our new hires a crash course in phishing and how to spot it as a part of our onboarding, and we thought this information might be useful to other organizations that are looking to teach their team to protect themselves.
What follows is a very high-level look at commonalities between phishing attacks, some examples of what these attacks look like in the wild, and advice for how employees can protect themselves.
How phishing works
Phishing messages are a diverse lot, from crude, grammatical-error ridden spam to sophisticated imposter emails that a talented web designer spent hours making indistinguishable from the real thing.
The commonality among all of them is that phishing messages attempt to trick you into thinking they’re coming from someone you trust, and they want you to do something, usually with some urgency.
What sort of things do phishing messages want from you? There are four main categories:
- Enter your login credentials into a fake login form.
- Go to a webpage with a script that exploits some weakness to get your machine to do something without your knowledge.
- Download a file with a hidden payload.
- Take some action in IRL. (Wire money, reveal confidential information, give the attacker access to some resource)
Whenever you get an email that wants you to do something like this, it should raise at least a dull roar of alarm in your mind.
A Field Guide to Common Phishing Attacks
That’s all well and good, but what does this look like in practice? The following are examples of actual phishing emails gathered by security professionals in the field. (I’ve credited the source and linked to each). Each is a representative of a different genre of common phishing attack, and highlights some features that are useful in spotting them.
Most phishing emails will try to create a sense of urgency for their request as a way of getting you to override your better judgment and comply with the request. The deactivation threat is often one of the easiest ways to do this because the attacker doesn’t need to know anything about you or your organization other than that you use a common service, in this case Netflix. This is easy for an attacker to learn, but it’s usually a safe guess even if it can’t be determined. It goes without saying that a legitimate deactivation emails are unusual for most online services, especially ones that are in active use.
Emails from your boss
Power and authority are a shortcut to compliance, and we react quicker and second guess less when a request comes from someone that holds those things over us. So it’s not surprising that impersonating someone’s boss is a very common way to disguise a phishing email. It’s trivial to find out who the CEO and executive leadership is for most companies, and in the age of LinkedIn determining direct reports is not much harder. In this case, we also see a good example of a pretext for the an unusual request coupled with a very urgent framing. You might think it would be difficult to get someone to send money in this way, but authority and urgency are a powerful combination. If the attackers were especially tricky, they’d be monitoring the executive’s social media and would wait until they could tell that they were traveling, to make this email seem even more plausible.
Government/Law enforcement spoofing
Keeping with the theme of appeals to authority, emails from government and law enforcement agencies are another common phishing tactic. Common agencies to spoof are the FBI and the IRS, especially around tax time. In some cases, these are threats—you’ve done something wrong and need to respond immediately with your personal information, or you’ll be in trouble. But this style of email can play on hope as well as fear, as with this recent example where fraudsters dangled the possibility of restitution from earlier rip-offs, perhaps trusting that people who’d already been fooled once would likely be fooled again.
It goes without saying that these agencies will almost never contact you via email like this, because if there really was an active investigation they wouldn’t want to tip off the target before they’re ready to take action. When you’re wanted by the cops, usually the first time you hear about it is when they show up at your door.
Spoofed File Sharing
When you share a file with someone on a cloud storage provider, it can generate an email informing the recipient that a file has been shared. This is an excellent pretext for phishing, as it’s common for people to simply click through these emails without thinking about it too much. As you can see, hackers work very hard to make these look like the real thing. When you get a file sharing email, it’s safer to navigate to the cloud provider directly and look for the file rather than clicking through from the email.
Fake invoices/Refunds/Payment confirmation
Source: C. Spike Trotman
Much like cloud storage, accounting and invoicing services generate emails that are easily spoofed by attackers. This genre of phishing attack often directly targets the accounting department, which can receive dozens of such emails each week and thus is unlikely to read any of them very closely. Desire for a quick payout or fear of being charged for missing a payment work to create a sense of urgency that ups the chances that this kind of attack will be successful.
Text message and social phishing
It’s still common to think of phishing in terms of email, but in a world where that’s no longer the most dominant form of digital communication, phishing on social media sites and through text messages is increasingly common.
Text message phishing, sometimes known is “smishing” for SMS phishing, can be especially problematic for a couple reasons. Services do use them to reach their customers, particularly the mobile providers themselves, but they’re stripped of a lot of the contextual information that makes it easy to spot a scam. Texts don’t have any branding, and mobile sites often look different than their desktop counterparts, which can disguise some sloppiness on the part of the scammer when designing a fake login page. Since its possible to pay for things with a cell phone number, scammers can sometimes use text responses to extract money from victims — for example, tricking them into texting a word to a specially set up number, which will sign them up for recurring charges on their phone bill.
It’s a good practice to ignore unsolicited links from numbers that are not already in your contacts.
Identifying phishing and keeping yourself safe
As you can see from the previous examples, phishing scammers are resourceful, and many of them are good at crafting convincing facsimiles of legitimate messages to cloak their activities. So it’s hard to spot these fakes with 100 percent accuracy.
That said, there are some commonalities here to be alert for that can tip you off that something is not right, and some simple practices you can adopt that will make you a harder target.
Look for the 3 tells
Here’s three attributes that most phishing messages have:
- There is an ask.
- There is a reward for performing the ask and/or a risk for not performing it.
- There is a sense of urgency.
If a message checks these three boxes, it’s much more likely to be phishing. That doesn’t mean it is phishing, because plenty of legitimate messages also display these qualities. It does mean that you should stop and think before you do anything when you get a message like this. Phishing is most effective when people act impulsively, so even a brief pause to assess the situation is often enough to reveal a ruse.
Verify the sender
If you do suspect a message is phishing, a good first step to assess it is to verify the sender.
If it’s an email, check to see that the address is one the sender commonly uses, or that the email domain matches the normal domain used by their organization. The domain is the part of an email address that comes after the @ sign, and includes a Top Level Domain suffix. Scammers can set the sender name and the bit before the @ sign to whatever they want but they must use a real email domain. An email coming from email@example.com is probably from Google, but one from google@some_domain.com almost certainly isn’t.
If the suspicious message comes via social media, take a moment to look at the profile it’s coming from. Is it verified? Does the Facebook page, Twitter username, LinkedIn profile, or other site come up on the first page when you Google the sender? How many followers does this page have, and do those followers seem legitimate? Is the profile photo unique, or is it something that shows up in other places when you do a reverse image search? It’s actually pretty hard to create a social media page that will stand up to more than cursory scrutiny, so if you look closely there will usually be signs something is up even if you’re dealing with a very sophisticated attacker.
If you’ve received a suspicious text from phone number, is it one that you know? If not, what comes up when you Google it? Known scam numbers tend to get flagged quickly on various sites, so this will often turn up useful information.
Hover on links before clicking
If you hover over a link, most email services will display the full address. On mobile, a long tap generally accomplishes the same thing. Again, look at the domain. Does it match what you’d expect? If an email says it is linking to a file in Dropbox but the domain is something else, be wary. Don’t be too sure even if the URL seems legitimate, however. Clever attackers can take advantage of homographs to create legit-looking urls for fake pages.
Never login through a linked page
Login pages should be seen as areas of danger, particularly if you land on them from a link in an email or other message. That said, sometimes you actually do need to log back into a service you use before you can view a legitimate message. When this happens, the safe thing to do is to open a seperate tab and navigate to the service directly rather than logging in from the linked page. If you can see that you are logged in but the link still confronts you with a login page, this is a red flag.
Check with the sender directly
If you get an unusual request from someone you know, it’s safer to follow up with them on another communication channel before you do anything to act on their message. It’s a bit of a hassle, but a quick Slack message to a coworker asking if they actually emailed you a file before you open it is better than installing malware on your computer.
Keep your apps up-to-date
It’s common tactic to use phishing messages to drive traffic to pages loaded with malicious code that attempts to exploit flaws in your browser or OS to get malware onto your machine. But true zero-day exploits are rare. Many of the exploits you’ll encounter will have already been found and neutralized with a security patch, so you can maintain a decent protection baseline just by staying on top of your updates. You’ll also want to be sure you are running the latest version of your OS, because most security patches aren’t backported to previous versions—n-2 support is a myth.
Trust your intuition
Sometimes there’s nothing overtly suspicious about a message, but still you feel your Spidey Senses tingling. Trust that feeling. Humans are remarkably good at perceiving patterns and spotting deviations from them, especially as it relates to danger. The predators we evolved this sense to protect ourselves from may have been more interested in the meat on our bones than the cash in our bank accounts, but that doesn’t mean you aren’t picking up on real warning signs when something doesn’t feel right.
What to do if you suspect you’ve been phished
- Don’t click anything. If you’ve caught something you suspect is a phishing message, don’t interact with it. Don’t click the links, don’t download the file, don’t write an angry email back to the scammer berating them for trying to defraud you. The safest thing to do is to just leave it alone. If its a corporate account you may want to save the email to show to your security team, otherwise it’s usually best just to delete it immediately.
Of course, there’s a chance you won’t notice a phishing message’s true nature until after you’ve done something that could have compromised your security. Normal remediation practices apply:
Reset your passwords. If you have a suspicion your login info has been stolen, the first thing you should do is to reset your passwords. Do this immediately. The longer attackers have access to your account, the more damage they can do, particularly in the case of email accounts, which often become a skeleton key to unlock other accounts due to lax standards around password reset requests. If you are in the habit of reusing passwords, you’ll also need to reset the stolen password everywhere else you’ve used it. (For a full breakdown on password security, check out our guide.)
Document what happened. Once the immediate danger of a compromised account is dealt with, spend a few minutes writing out what happened, including what the email said, who it purported to be from, what it wanted, and what you’ve done since receiving it. In the case of phishing against a corporate account, this will be information your security team will appreciate as they try to assess and contain the threat. Against a personal account, you’ll appreciate it for the same reason. Taking a few moments to write down what happened helps clarify what’s at risk, and it will make the steps you need to take to get back to relative safety more obvious.
Talk to your security department: Even if you’re pretty sure you’ve fixed things, even if your corporate account was never in danger, let your security team know what happened. The thing about phishing attacks is that they’re rarely targeted at a single person. If you got a phishing message, chances are your coworkers did too, and they might not be as on top of things as you are. Security is a team sport. The only way to keep your whole organization safe is a good security culture, and that means prompt, non-judgmental communication around threats.