Detecting a Phish

A lot of malware attacks start with a simple Phishing email, or some other social engineering attack. Sometimes they are very believable. All it takes is for you to be distracted, taken in by the plausibility of the message or pushed into clicking a link due to the urgency of the communication to be breached and start a cyber attack.

There are several types of social engineering attacks, but in this blog I am going to focus on the most prevalent at the moment being:

  • Phishing
  • Spear Phishing
  • Whaling.

Here are the definitions from our glossary:

Phishing – This is typically when you receive an email that claims to be some form of offer, or request for information that is fraudulent. The emails can look genuine (e.g. form your bank), and can trick a lot of people into disclosing their login credentials or key banking information. among other things. See also Lateral Phishing.

Spear Phishing – This is similar to the other forms of Phishing (including Vishing and Smishing), where the attack is very focused on an individual. The email will be highly customised to the individual, and is a regular attack method used against enterprise executives. They will typically focus on a particular aspect of your professional interests and requires the attacker to fully research their target.

Whaling – This is a highly focused form of Phishing attack that is largely targeted at executives. This is similar to Spear Phishing.

These messages can come from multiple channels, for example:

  • Email
  • SMS
  • Instant Messengers (e.g. WhatsApp, Signal, Facebook messenger)
  • Social Media.

How to detect a Phishing attack

When you receive a message (from anyone) you should ask yourself the following questions:

  • Who is the message from?
  • What is the message about?
  • Do you trust the message?
  • Does the message look suspicious?

Let’s look at these in detail and see what the red flags are.

Who is the message from?

  • Is the message from someone, or a company, you know (known email address, phone number)
  • Is the sender someone you would normally have contact with via the messaging channel (e.g. email, WhatsApp)
  • Does the email address look spoofed or faked?
  • If via SMS, WhatsApp, Signal, etc., is the phone number known to you (e.g. in your contacts)
  • Does the email come from someone you know, but the email address is from somewhere else (e.g. an Amazon email from a GMail account)
  • Is the greeting personalised to you, for example mentions you by name or provides some form of official identifier (e.g. the Inland Revenue in the UK will always quote your UTR reference)
  • In a company setting, does it appear to be from a senior executive asking for an urgent payment (see our blog on Business Email Compromise Attacks).

If you are receiving an urgent message from your CEO requesting an urgent payment, and you wouldn’t normally expect such a message, then treat it as suspicious and escalate it to your team leader. If necessary call the executive, or his/her assistant, for verification.

It should be noted that email addresses can be spoofed to look like the real thing. You may find some official sources will use a sub-domain to send emails (e.g. email.company.com). These are often legitimate, but some can be faked especially when you get something like email12345.company.com. For more information please see our blog on Domain Typo Squatting.

I wish companies wouldn’t use sub-domains in this way since I am now suspicious of every email I receive from such an address.

What is the message about?

  • Is the message in context for the type of message you would receive from the person or company?
  • Does the message appeal to an emotion, such as fear, shame, anger, curiosity?
  • Is there a sense of urgency (e.g. your bank account has had suspicious activity and you need to act now by calling a number or clicking on a link)
  • Does the message request some form of verification (e.g. click here to enter your verify account details), ask for personal details or in a company setting any details about your employer that you would typically not send to that person/company?
  • Is the message threatening to discontinue a service if you don’t respond?
  • Does the message contain any blackmail type of threats?
  • Does the message contain links to a website that does not look right?
  • Does the message ask you to bypass any security procedures your employer has put in place, such as signature checks/call-backs?

If the message falls into any of the above categories, you should not act on it unless you can independently verify it. Never use links in the message or call phone numbers provided by the message. Contact the company concerned using verified means (e.g. a bookmarked link to their website, an official contact number or email address). If at work, then report the email to your security department and/or your manager.

Do you trust the message?

  • Is the message oddly formatted?
  • Does it contain grammatical and/or spelling errors that the sender would never use?
  • Does it use unofficial branding?
  • Is the company names varies in some way (for example Amazon Trading instead of Amazon but it uses other valid branding)?
  • Does the message contain a link to a company/service that is at odds to the official web address?
  • When you hover over the link with your mouse (long press on a mobile), is the web address different to what you would normally expect?
  • Is there an official channel you would expect such message through and this is not one of them?

Does the message look suspicious?

If the email falls into any of the categories above, the email is suspicious and you should not act on it unless you can independently verify it is genuine.

A lot of phishing messages use the official branding (e.g. logos, fonts, colours) and often on the surface look genuine. However, when looked at with an open mind and calmly, there are a lot of tell-tale signs (some of them are above) that should raise a suspicion.

Other forms of Social Engineering Attacks

Take a look in our glossary under Social Engineering for a full list of attack methods. All the above red flags apply to these other methods in some form.

How do I report a Phishing Email?

If you are at work, there should be a procedure to handle these kinds of communications. Sometimes there is a button on your email application, or an address you forward the full email to for further examination. If not, then escalate to your team leader as a minimum action and let others know in your team.

If you are at home, then the UK National Cyber Security Centre (NCSC) offers a service for you to send the email to. The best way to send the phishing email is as an attachment rather than a direct forward since there is a lot of routing meta data in the headers that will allow the NCSC to track where the email came from.

The NCSC email address could also be used in a company setting, but sending such an email outside of the company may inn itself may breach company policies so be careful.

Conclusion

Phishing emails and messages are an ever present threat – more so now since we are working from home a lot due to the current health crisis. They appeal to your emotions, greed to get something for free or clear and simple fear. The objective is for the cyber attacker to trick you to:

  • Click on a link to:
    • Acquire your login to a website
    • Acquire your banking details
    • Install some form of malware
  • Call a phone number to:
    • Redirect you to a premium line that will charge extortionate amounts of money per minute
    • Make you get in contact so that a scammer can launch some form of scam attack.

These are only a few of the objectives. If you don’t think you have anything of value, them please read our blog Myths of Cyber Security and you will be surprised.

For more information on Social Engineering attacks, please look at our guidance on Social Engineering as well as a number of blogs on this subject including our recent blog “Anatomy of a Phish” where we dissect some specific examples of phishing emails.


Headline image provided by Gino Crescoli from Pixabay

Comments are closed.

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: