Phishing emails are a serious problem for both businesses and consumers. Phishers use phishing emails to steal users’ personal information, like usernames, passwords, credit card numbers, social security numbers and other sensitive data.
Phishing emails can come in many forms; some may be more convincing than others. Phishers often impersonate trusted companies or people by sending fake email messages that look legitimate. Phishing is becoming more sophisticated day by day, with new techniques designed to get users to click on malicious links that lead them to enter their password, so that the phisher can steal their identity!
This blog post aims to provide you with examples of common phishing emails so you can identify them before it’s too late!
What is a phishing email?
Phishing emails are messages that appear to come from a trusted company or individual but actually direct users to enter their password on an illegitimate website. Phishers take advantage of the trust people have in brands and companies they frequently interact with online. The goal is for you to click on malicious links, which will lead you to enter your username/password so they can steal your identity! Phishers often use clever techniques to make their emails more convincing, including logos and links that look legitimate.
In a phishing email, cybercriminals will often ask for information such as:
- Email address
- Password(s) to a platform or service account
- Credit card information
How do phishing emails work?
Phishing emails are designed to trick people into clicking on a link or opening an attachment that installs malware, like ransomware and keyloggers. Phishers also create fake login pages in order to steal your username and password for popular websites such as Facebook, Amazon, Netflix and more.
Because the setup is easy for scammers, phishing is an attractive proposition for cybercriminals: it yields the highest returns compared with other forms of scam.
Top Phishing myths
- The biggest misconception is that tech-savvy users won’t be victims of phishing crime.
- Phishing emails are easy to detect
- Our IT has it covered
- Phishing is about opening malicious attachments. No: the scope of phishing is much wider than email attachments
- Email security software catches all phishing and spam
- A secure website has a lock that protects from phishing
- Poor grammar is a giveaway sign of phishing. This no longer holds for phishing messages
- Employees and staff can be trained not to click on a link to decrease phishing attacks
- Phishing attacks originate from Russia and China only
What is a phishing attack?
A phishing attack is a type of cybercrime in which an attacker uses fraudulent emails to attempt to steal sensitive information, like credit card information, usernames and passwords. Phishers typically use spam email campaigns to deliver their attacks. A phishing attempt performed using phone calls or by leaving voice messages is known as voice phishing or vishing.
Phishing attacks can also be done through a text message or phone call when the attackers pretend to work for popular companies such as Microsoft or Apple, to trick users into revealing sensitive information. Phishing attacks are a method used by hackers to gain access to your personal data and can be done via an email message, text message, phone call and instant messaging service.
There are various types of phishing attacks observed in real life. These are:
- Phishing – A generic term for email-based attacks
- Spear phishing attacks are phishing attacks that target specific individuals
- Whaling involves targeting high ranking employees or senior management
- Pharming involves redirecting users to fraudulent websites, where they are asked to submit sensitive information
- Smishing attacks use SMS or text messages as the attack vector
- Vishing attacks use voice as the attack vector, i.e. voice calls and voice messages
- Malvertising utilises online advertisements as an attack vector
How to identify phishing emails?
Phishing emails are often hard to identify because they are crafted to look legitimate. However, you can identify phishing emails from warning signs that are common to most phishing scam emails. Here is a list of the telltale signs of a phishing scam:
1. Ask for personal information such as usernames, passwords and credit card numbers. Phishers may also request that you send them sensitive company data like financial reports or presentations
2. Use incorrect grammar and spelling errors (some phisher messages avoid this)
3. Out of character emails that appear to come from a company or person you don’t know. Phishers will often impersonate a company and domain name you’re familiar with, like PayPal, Amazon or Apple.
4. Include urgent requests for action that pressure you into handing personal information, such as a password or account number, to the sender. Phishers often include messages like “your Amazon purchase is on its way” and tell you it’s urgent so you don’t have time to verify directly with Amazon whether the email is fake or real.
5. Use social engineering tactics that draw upon behavioural insights into how people interact online.
6. Use confusing links that lead to unexpected websites and ask users to enter personal information or account credentials there. For instance, the bait could be an offer to check your passwords against data breaches, or a request for credit card details
7. Include attachments, like login page forms and Word documents, which are used as bait
8. Contain links to websites other than the ones they claim to belong to
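As an added example that is not part of the original post, the following Python script scans a constructed sample message for several of the signs above: urgency wording, a request for credentials, a generic greeting, a Reply-To domain that differs from the sender's, and a link whose visible URL does not match its real target (signs 1, 4, 6 and 8). The keyword lists and the sample message are assumptions for illustration; a production mail filter would use far richer rules.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not a real message) showing several of the signs listed above.
SAMPLE = """From: "Amazon Support" <support@amazon-billing-update.example>
Reply-To: recover@mail-verify.example
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<p>Dear Customer, your account has been suspended. Please confirm your password
immediately at <a href="http://login.mail-verify.example/amazon">https://www.amazon.com/signin</a>.</p>
"""
# Keyword groups for signs 1 and 4 plus the generic greeting (illustrative, not exhaustive).
KEYWORD_SIGNS = {
    "urgent call to action": ("urgent", "immediately", "within 24 hours", "suspended"),
    "asks for credentials or financial details": ("password", "credit card", "account number"),
    "generic greeting, not addressed by name": ("dear customer", "dear user", "dear member"),
}
class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href:  # text inside an <a>: record it and wait for the next link
            self.links.append((self._href, data.strip()))
            self._href = None

def host(url):
    return (urlparse(url).hostname or "").lower()
def phishing_indicators(raw):
    """Return the telltale signs found in one raw email message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    found = [label for label, words in KEYWORD_SIGNS.items() if any(w in text for w in words)]
    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.split("@")[-1] != sender.split("@")[-1]:
        found.append("reply-to domain differs from sender domain")
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:  # sign 8: visible URL and real target disagree
        if shown.startswith("http") and host(shown) != host(href):
            found.append(f"link text {host(shown)} points to {host(href)}")
    return found
```

Running `phishing_indicators(SAMPLE)` reports all five indicators for the sample, while a plain message with none of these traits returns an empty list.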
Real-world phishing email examples
Popular phishing attack examples include targeted tech support scams, spear phishing attacks on executives, shared documents via Google Docs, fake survey web pages, impersonation of government agency officials and cryptocurrency scams.
In the following example, the sense of urgency and the absence of the recipient’s name in the greeting are quick telltale signs of a phishing attempt.
Tips to Prevent Phishing Attacks
The best defence against phishing attacks is to follow a multi-layered approach. An organisation must lead by example to defend against phishing attacks. Using a combination of people, processes and technical controls, you can make it difficult for attackers to reach your users, and limit and respond to attacks when an incident does occur.
Phishing defences strategy for organisations
A high-level rundown of a multi-layered approach to phishing defences is below:
Do not blame the users; it doesn’t help your cause. You must not create or support a punishment- or blame-oriented defensive strategy against phishing. That would turn users against your plan, and you need them on your side to report issues, such as when they have clicked something, and to build a better security culture.
Make it difficult
Make it difficult for attackers by using a number of technical measures, such as security controls and reducing publicly available information. These controls include anti-spoofing measures: DKIM, DMARC and SPF. Encourage your contacts to do the same.
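As an added example that is not part of the original article, this Python snippet checks SPF and DMARC TXT records for the weak settings that a spoofer benefits from, with a constructed weak and hardened record pair for a fictional domain. The records are passed in as strings rather than looked up in DNS, and DKIM is left out because verifying it needs the selector and a signed message.

```python
# Added example: checks SPF and DMARC TXT records (passed in as strings) for weak settings.
# DKIM is not covered, since verifying it needs the selector and the signed message.
def check_spf(record):
    """Return a list of weaknesses in an SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    # The first 'all' mechanism decides what happens to senders not matched before it.
    tail = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if tail is None:
        issues.append("no 'all' mechanism: unlisted senders are neither failed nor softfailed")
    elif tail in ("all", "+all", "?all"):
        issues.append(f"'{tail}' lets any host send as this domain; use -all or ~all")
    # include, redirect and exists each cost a DNS lookup (a, mx and ptr do too, ignored here).
    lookups = sum(t.lstrip("+-~?").startswith(("include:", "redirect=", "exists:")) for t in terms)
    if lookups > 10:
        issues.append("more than 10 DNS-lookup terms: receivers return permerror")
    return issues

def check_dmarc(record):
    """Return a list of weaknesses in a DMARC TXT record."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "none")
    if policy == "none":
        issues.append("p=none asks receivers to take no action; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: the policy is applied to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua= address: you will receive no aggregate reports")
    if policy != "none" and tags.get("sp", policy) == "none":
        issues.append("sp=none: subdomains can still be spoofed")
    return issues

# Constructed records for a fictional domain: a weak setting beside its hardened form.
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.org"
```

`check_spf(WEAK_SPF)` and `check_dmarc(WEAK_DMARC)` each return findings, while the hardened records return empty lists.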
Spot and report
Don’t rely on training courses. Instead, help your staff to spot phishing emails, make gamified plans that are run periodically. Encourage active reporting of such incidents.
Defence in depth controls
Ramp up authentication and authorisation controls. Make two-factor authentication mandatory for Internet-facing infrastructure and mandate the use of password managers. Review and improve web and email filtering controls. Ensure that endpoint protection mechanisms are well configured for regular scans and event reporting.
Detect and respond
Logging and monitoring controls should be reviewed in line with good security practice. This includes ensuring secure collection and storage of logs and active monitoring. Do not stop at preparing and implementing incident response plans; make sure you test these plans so you are ready to handle an event.
Phishing tips for users
Phishing is a real threat and can impact anyone! Here are some steps you can take to protect yourself against phishing scams:
1. Do not click on links or download attachments from unknown senders, especially where emails convey urgency or make an offer to their victims
2. Keep your software up to date (antivirus, operating system)
3. Use a secure password (minimum of 12 characters, different from those used for other online accounts)
4. Be sceptical. Phishing emails look legitimate but ask yourself: does this email make sense? Does it address me by my first and last name?
5. When possible, go directly to the website of a company rather than clicking through from an email
6. If you’ve already given away your username/password or other personal information, change it immediately
7. Check your bank account and statements for any suspicious transactions. Report the phishing email to your bank or financial institution and social media sites like Facebook, Twitter etc.
8. Use different passwords for each website. Phishers often use lists of usernames and passwords for popular websites to try them on other places.
9. If you receive an email from a company, check that it is legitimate by contacting their customer service. Mention details such as the subject line, whether it asks for any information such as login credentials, and any sense of urgency to call phone numbers
10. Do not provide personal information in response to an email.
11. If you are suspicious about domain or company names, always search for those names using a search engine to see whether any results show legitimate activity. This could be the website, logo, domain name, individual names, phone number, etc. Bad guys have done their homework well before crafting phishing emails; you should do yours to avoid getting caught. This article will help you get up to date with typosquatting, its examples and prevention tips.
Spot and report scam emails, texts, websites and calls
To spot and report scam emails, texts, websites and calls around phishing, read our in-depth article here:
What to do if I have responded to a phishing email?
If you responded to a phishing email and gave away any of your company or bank account information, please see the sections below for some key measures you should take as soon as possible:
- Change the passwords of any sites with the same password. Change your account passwords if you’ve given out your login details for other websites.
- If an attacker has compromised your account before you found out, contact your service provider to have it reinstated. Make a new account and notify all essential and concerned people so that they do not get fooled by phishing attempts using your name.
- Notify your IT and other relevant teams if you’ve been the victim of a phishing attack and revealed sensitive information.
- If you’ve come upon a questionable link or downloaded an untrustworthy file, run a malware scanner to quarantine or block any malicious content.
- If you have shared your bank details, freeze the account and check your bank accounts and statements.
- If the criminals have already transferred your money from your account, contact your bank and inform the cybercrimes unit about the fraud.
Make yourself a challenging target for attackers. This has multiple benefits, from an improved security-conscious culture within the organisation to making life difficult for attackers.
Combining awareness of the telltale signs with the other multi-layered controls described above is a collective approach that yields effective results against phishing. Make sure your organisation thinks about it strategically and not as just another training programme.
Get in touch to discuss your security concerns around phishing, processes or technological controls or how to protect your business against phishing attacks.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Masters degree in Information Security, an OSCP and has a strong technical skillset in offensive security.