Not 100% Sure It’s Grandma? It’s probably Phishing

By Phil Richards


We’ve all received an email like this:


Subject: IMMEDIATE ACTION REQUIRED!

“your password will expire shortly. To change your Password and continue using this account, please click here

Thank you
help desk”


This email looks non-threatening enough that you just might click the link, but if you did, you would be the latest to fall victim to a phishing scam, and could potentially expose yourself and your organization to a cyber attack. Unfortunately, that risk is quite real, considering 91 percent of cyber attacks originate from a phishing email. And the odds are, you wouldn’t be the only one to fall for it. A recent study found more than 50 percent of people will click on an unfamiliar link out of curiosity.


The Anatomy of a Phishing Email

Phishing scams are the epitome of a wolf in sheep’s clothing. Crafted by criminals with the intent to deceive, phishing emails mimic messages we have grown used to receiving and have the advantage of masquerading as anything they need to be to capture our attention. In most cases, this means focusing on “hot” items that require immediate action.

This is for two main reasons:  

First, generally speaking, an urgent email is addressed promptly. Delays can cause messages to become buried under newer emails and result in them getting lost in the fray and forgotten.

Secondly, urgent emails have the effect of shutting down some of the natural filtering mechanisms in our brains. We tend to take a “task-oriented” approach when dealing with an urgent message – skipping over the critical thinking and analysis phase.


The Content Strategy

It is the nature of any successful “social engineering” attack, including phishing emails, that the message appeal to, or compel, the person on the receiving end.  The infamous Nigerian prince email from the nineties serves as a perfect example.

The mass email, which was sent to thousands of people, promised the recipient an enormous reward if they were willing to transfer a certain amount of money up front, a payment that would supposedly lead to millions of dollars down the road. This scam, and similar ones that have followed, appealed to the emotions of the person receiving the note.

First, it appealed to the potential victim’s desire for money. Secondly, it took advantage of people’s natural instinct to help others. Together, the combination was a powerful motivator that proved difficult for many to resist.

For some, their belief and trust in these emotional appeals eclipsed their distrust of an unknown sender or source of information. Now, we dismiss these types of scams as well-known jokes, but in reality, the content strategy and motivational triggers used in these notes are still being implemented in phishing emails today – and in many cases, still work. We continue to be susceptible to an attack when our desire or instinct to believe a story is strong enough to overcome our wariness.

It’s for this very reason that we as individuals and employers need to stay vigilant and on the defense. By recognizing our weakness and vulnerability, we are able to see these attacks for what they really are: total scams.


How to Avoid Falling Victim

When it comes to phishing scams, the best defense is in user education and empowerment.


The bottom line: if you can recognize a phishing email as a scam and avoid clicking links, your personal or professional information is less likely to be compromised. Granted, this is easier said than done because scammers send these messages from copycat addresses that look like senders or programs you regularly trust, including Google Docs, your work administrator, the HR department, your CEO, a friend, spouse, or child. With that in mind, it’s crucial you train yourself to step back, evaluate the message and look for clues that indicate things may not be as they seem. When in doubt, contact the sending party and verify that the email is valid before you open it. If you’re unable to validate its authenticity, I follow the motto: when in doubt, throw it out.


Here are a few tips to keep in mind to better protect yourself, and your employer, from becoming a phishing scam victim:

  • Face it: it’s highly unlikely someone on the internet is going to send you money. The majority of these get-rich-quick schemes are more likely to compromise your personal information than provide you with any income.
  • Typically, authentic legal notices or documents will not be sent through email, so be wary!
  • Generally speaking, legitimate sources will not ask you to change your password or send sensitive personal information over email. This includes requests for your social security number, bank information, tax forms, etc. Before providing any details, call the official institution you’re a customer/member of to get confirmation of the message’s authenticity.
  • Just because an email has a logo that you recognize does not mean the email is coming from that company. Look for blurry fonts, pixelated photos and typos; these can serve as signals that it may be a hoax.
  • Examine the sender’s email address and the URLs behind any links. Often there are typos or misspellings, because the messages are not genuinely from the company or person they claim to be from. Look closely!

In today’s world of email scams, phishing, and compromised credentials, a healthy dose of skepticism might just save you a lot of grief down the road.

Now, take another look at the email at the beginning of the article. See anything “phishy?”


Subject: IMMEDIATE ACTION REQUIRED!

“your password will expire shortly. To change your Password and continue using this account, please click here

Thank you
help desk”


After looking again, it’s worth noting, first, that the subject line is meant to convey a false sense of urgency. Secondly, throughout the email, there is missing punctuation and odd capitalization. And finally, your official Help Desk would probably have a more professional-looking signature.
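To make the tips above (examine the sender’s address and the URLs behind links, and treat a pushy subject line as a pressure tactic) and this re-read of the sample message concrete, here is a small Python checker that turns those clues into automated warnings. It is example code written for this article, not something from the author or from Ivanti. The trusted-domain list, the urgency phrases, the look-alike sender domain and link host in the first sample, and the clean second sample are all constructed assumptions; a real deployment would use the organization’s own domains and a public-suffix list for the domain split.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: the organization's real domain(s) and the
# subject-line phrases treated as urgency cues.
TRUSTED_DOMAINS = {"example.com"}
URGENCY_PHRASES = ("immediate", "urgent", "action required", "expire", "suspend", "verify")

# Constructed sample: the article's help-desk note, given a look-alike sender
# domain ("examp1e" with a digit one) and a link host that merely starts with
# the trusted name. Both hosts are made up for this example.
SAMPLE_EMAIL = """\
From: IT Help Desk <helpdesk@examp1e.com>
Subject: IMMEDIATE ACTION REQUIRED!
Content-Type: text/html; charset=utf-8

<p>your password will expire shortly. To change your Password and continue using
this account, please <a href="http://example.com.account-reset.invalid/login">click here</a></p>
<p>Thank you<br>help desk</p>
"""

# Constructed clean message from the real help desk, for contrast.
CLEAN_EMAIL = """\
From: IT Help Desk <helpdesk@example.com>
Subject: Maintenance window this Saturday
Content-Type: text/plain; charset=utf-8

Hello. The mail servers will be patched on Saturday morning. No action is needed.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Crude registrable-domain guess: the last two labels (no public-suffix list here)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def domain_findings(host: str, where: str) -> list:
    """Explain why a sender or link host does not belong to a trusted domain."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return []
    out = []
    for trusted in TRUSTED_DOMAINS:
        if 0 < edit_distance(reg, trusted) <= 2:
            out.append(f"{where}: '{host}' looks like trusted domain '{trusted}'")
        elif host.startswith(trusted + "."):
            out.append(f"{where}: '{host}' embeds trusted domain '{trusted}' but is registered as '{reg}'")
    return out or [f"{where}: '{host}' is not a trusted domain"]


def extract_text_and_links(msg) -> tuple:
    """Collect visible text and href targets from every text part of the message."""
    text_chunks, links = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            links += re.findall(r'href\s*=\s*["\']([^"\']+)["\']', body, flags=re.I)
            body = re.sub(r"<[^>]+>", " ", body)  # drop tags, keep the visible words
        text_chunks.append(body)
    return " ".join(text_chunks), links


def analyze(raw: str) -> list:
    """Return human-readable warnings for one raw message (an empty list means no clues)."""
    msg = message_from_string(raw)
    findings = []
    # Tip: judge the sender by the address, not the display name
    _name, addr = parseaddr(msg.get("From", ""))
    if "@" in addr:
        findings += domain_findings(addr.rsplit("@", 1)[1], "sender")
    # Tip: a subject line demanding immediate action is a pressure tactic
    subject = msg.get("Subject", "")
    cues = [p for p in URGENCY_PHRASES if p in subject.lower()]
    if cues:
        findings.append(f"subject: urgency cue(s) {cues} in {subject!r}")
    # Tip: look at where the links really point
    text, links = extract_text_and_links(msg)
    for url in links:
        host = urlparse(url).hostname
        if host:
            findings += domain_findings(host, "link")
    # Re-read clue: missing punctuation and odd capitalization in the body
    sentences = [s.strip() for s in re.split(r"[.!?]+", text) if s.strip()]
    sloppy = [s for s in sentences if s[0].islower()]
    if sloppy:
        findings.append(f"body: {len(sloppy)} sentence(s) start lowercase, e.g. '{sloppy[0][:40]}'")
    return findings
```

Running `analyze(SAMPLE_EMAIL)` yields four warnings (look-alike sender domain, urgency cues in the subject, a link host that only embeds the trusted name, and a sentence starting in lowercase), while `analyze(CLEAN_EMAIL)` yields none. The checker is a teaching aid, not a mail filter: it encodes the article’s clues so you can see each one fire, and a message that passes it still deserves the "when in doubt, throw it out" test.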

While these are small and seemingly nondescript clues, they can make all the difference. Consider this: phishing scam damages exceed $1 billion, and continue to grow. Don’t let these criminals continue to profit. Instead, keep a keen eye on your inbox and always remember: when in doubt, throw it out.


About Phil Richards

Phil Richards is the Chief Information Security Officer at Ivanti. Phil has both breadth and depth of security experience as he has held other senior security positions within the industry for more than 20 years.