Over the years and across different parts of the world, cybercriminals have mastered the art of phishing to lure their victims into submitting their personal information. I have been very active on social media, and if there is one growing trend recently, it is people losing their money to cybercrime. I feel great pity for these victims because many of them have lost their life savings to these criminals. Phishing is the most common technique I have seen them use to perpetrate their crimes, and it is often a multi-stage process.
What is a Phishing Attack?
Phishing is a type of social engineering attack that is used to steal users' data, including login credentials and financial details. The attacker masquerades as a trusted entity to lure the victim into opening an email, downloading an attachment, clicking a link in an instant message or text message, or following instructions given over the phone. Very often the recipient is lured into clicking a link that either triggers a drive-by download of malware or opens a fake login page; in both cases the goal is to harvest credentials and financial details.
Forms of Phishing:
There are different categories of phishing attack, based on the channel through which the attack is delivered.
- Vishing: Voice phishing, carried out over the phone. Most times the cybercriminals masquerade as a trusted entity to gain your trust and make you comfortable over the phone.
- Smishing: Also known as SMS phishing; the victim is targeted with SMS alerts. In smishing, the attacker may send fake order details to the potential victim together with a link to either confirm or cancel the order.
- Search Engine Phishing: The cybercriminal creates a fake web page optimised for specific keywords and waits for a victim whose search query contains one of those keywords to land on it. Once the victim clicks through, he or she is tricked into providing financial details.
- Spear Phishing: A well-crafted attack directed at a specific person or organization rather than a random set of people. I consider this the most dangerous type of phishing because the attackers have gathered enough information about the potential victim to make the message convincing. Social engineering techniques are heavily used in this form of attack.
- Whaling: Whaling is similar to spear phishing but is aimed at a specific group in an organization: C-suite executives such as the CEO, CFO and CISO, or other members of senior management. These positions are held by the big players within the organization, and in phishing terms these big players are called whales.
As you can see from the above categories, phishing can come in different forms. However, in this blog post I will focus on email phishing, the techniques used, and how to identify and guard against them.
Techniques Used in Phishing Emails
Email Spoofing (Name Impersonation): A common technique in phishing emails is to spoof the display name or the sender's address. This makes the email look believable and lures the unsuspecting victim into divulging personal information. The impersonation can take the following forms:
- An email sent from a familiar-looking username or display name.
- An email impersonating your bank or your superiors and asking for confidential data.
- An email impersonating your organization and asking you to share internal information.
Below is an example of a spoofed email
Depending on what type of information the cybercriminal wants from the victim, the composition of the email varies, as shown in the following sections.
A. Phishing emails impersonating financial merchants like PayPal:
With over 200 million users of PayPal globally, it is a good hunting ground for attackers. They use several notable pretexts.
Verify your account:
When you register for a PayPal account, a verify-your-account email is sent to your mailbox to confirm the account. An attacker abuses this by sending a look-alike email. It also contains a link, but the link leads to a page that closely resembles PayPal's and exists only to harvest your login information.
Your account is limited:
Many financial organizations, including banks, limit the number or size of transactions you can make on your account. When you attempt to exceed the limit, they inform you of the limitation and sometimes send a link to apply for an increase. This is another good avenue for attackers: a fake email offering to lift the limit leads to a page where you are asked to enter your credentials. Many people have fallen victim to this technique.
Change your ATM PIN:
Often, cybercriminals send an email telling the potential victim to click a link and change their PIN because criminal activity is suspected on their card. The real purpose is to get the victim to click the link and then enter his or her card details.
B. Credit Card Phishing Email:
Such an email appears to originate from a legitimate credit-card company. It contains a false notification about suspicious activity on the victim's card account (examples below) and a call-to-action link for the user to click and enter card details or login information in order to review or block the "suspicious" activity.
- Card blocked due to an unrecognized transaction or suspicious activity
- Account locked due to too many failed login attempts
- Expired PIN or password
Phishing through email is not limited to these two forms, but for this blog post I will not go beyond them; the aim is only to give an idea of how phishing works through email.
Tools Used for Phishing
There are tools you can use to run a phishing demonstration or simulation for your staff or your audience. Some are free while others require a fee. A few of them are listed below.
- SecurityIQ PhishSim
- King Phisher
- Social-Engineer Toolkit
- Spear Phisher
How to Identify a Phishing Email
Since attackers are always on the move looking for their next victim, it is important to note some ways to identify a potential phishing email.
- Mismatch between the display name and the sender's address: Attackers often spoof the display name of an email so that it appears to come from a trusted source. Always check the actual sender address in the header, and also the Reply-To and Return-Path headers, which show where replies and bounces really go; do not rely on the display name. For instance, an email may carry your bank's name as the display name while the sender address is on a domain that has nothing to do with your bank, and you will not notice unless you look at the header.
- Look at the link but do not click: When you see a link embedded in an email, do not click it. First hover the mouse over it to see the actual web address the link points to. If that address does not match the text of the link or the organization the email claims to come from, do not click.
- Check for spelling mistakes: Organizations take their customer emails seriously and proofread them, so an email full of spelling mistakes is probably not legitimate. The reverse does not hold: a well-written email can still be phishing.
- Vague salutation: Phishing emails frequently use a vague salutation such as “Dear sir/ma” or “Dear user”. They are usually not specific, except for spear-phishing emails, which are targeted at specific individuals. Most legitimate emails personalize the greeting, e.g. Dear John Pogue.
- Request for personal information: Financial organizations will not ask you for passwords, PINs or full card details by email. Any email that requests such information is a red flag for phishing.
- Threatening or urgent tone: Attackers want to create a sense of fear and panic so that the victim acts on impulse. Be on the lookout for emails that threaten consequences or demand that you act urgently.
- Watch out for the email signature: Legitimate company emails usually end with the sender's details, a postal address and contact details. A missing or inconsistent signature is one more clue, although a signature is trivially copied, so on its own it confirms nothing.
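The header checks in the first bullet above, together with the display-name spoofing described under Email Spoofing earlier, can be automated. The following Python script is an added example written for this post, not code from the original article or from any of the tools listed. The two messages it analyses are constructed for illustration and use fictional addresses on the reserved .test domain, and the trusted domain passed in (the bank's real domain) is an assumption supplied by the analyst.

```python
"""Heuristic red-flag checks on a raw email (added example, not the post's own code)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample (fictional addresses on the reserved .test TLD): the display
# name claims to be the bank, but the address, Reply-To and Return-Path all belong
# to other domains, and the receiving server recorded an SPF failure.
PHISH_EML = b"""\
Return-Path: <bounce@mailer.test>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.test; dkim=none
From: "Example Bank Security" <alerts@examplebank-secure.test>
Reply-To: support@helpdesk-examplebank.test
To: customer@example.org
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/plain; charset=utf-8

Dear Customer,

We detected unusual activity. Verify your account immediately or it
will be permanently suspended.
"""

# Constructed control message that should pass every check.
LEGIT_EML = b"""\
Return-Path: <bounce@examplebank.test>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.test; dkim=pass header.d=examplebank.test
From: "Example Bank" <alerts@examplebank.test>
Reply-To: alerts@examplebank.test
To: john.pogue@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Dear John Pogue,

Your statement for last month is available in online banking.
"""

GENERIC_SALUTATION = re.compile(
    r"^\s*dear\s+(customer|user|sir|madam|sir/ma|member|account holder)\b",
    re.IGNORECASE | re.MULTILINE,
)
URGENT_TONE = re.compile(
    r"\b(urgent|immediately|suspended|within 24 hours|act now|verify your account)\b",
    re.IGNORECASE,
)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def same_org(domain: str, trusted: str) -> bool:
    """True if `domain` is `trusted` or a subdomain of it."""
    return domain == trusted or domain.endswith("." + trusted)


def analyse(raw: bytes, trusted_domain: str) -> list[str]:
    """Return the red flags found in a raw RFC 5322 message.

    `trusted_domain` is the domain the mail claims to come from (assumed to be
    known to the analyst). An empty list means none of the heuristics fired;
    it does not prove the mail is genuine.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags: list[str] = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    brand = trusted_domain.split(".")[0]

    # Display name says "Example Bank", but the address is on another domain.
    if brand in display_name.lower().replace(" ", "") and not same_org(from_domain, trusted_domain):
        flags.append("display-name/domain mismatch")

    # Replies and bounces silently go somewhere other than the From domain.
    for header, label in (("Reply-To", "reply-to mismatch"), ("Return-Path", "return-path mismatch")):
        _, addr = parseaddr(str(msg.get(header, "")))
        if addr and domain_of(addr) != from_domain:
            flags.append(label)

    # SPF/DKIM verdicts recorded by the receiving mail server, if present.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            flags.append(f"{mech}={m.group(1).lower()}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if GENERIC_SALUTATION.search(text):
        flags.append("generic salutation")
    if URGENT_TONE.search(str(msg.get("Subject", "")) + "\n" + text):
        flags.append("urgent tone")
    return flags


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        print(name, analyse(raw, "examplebank.test"))
```

Run against the two constructed messages, the phishing sample trips every heuristic while the control message trips none. The SPF/DKIM check depends on the receiving server adding an Authentication-Results header; the sender-address, Reply-To and Return-Path checks work on any message you can save as .eml.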
How to Prevent Email Phishing
There are various ways to mitigate phishing emails. Below are some of them.
- Avoid clicking unknown shortened links: This is an important measure for reducing the risk of falling victim to phishing. Attackers often use shortened URLs to disguise the phishing URL from their potential victims, who let their guard down because the shortened link gives nothing away. If you must follow one, expand it first and inspect the real destination.
- Verify the website's security: Sometimes we are tricked into visiting a website we believe is legitimate. Before you enter any sensitive information, check the site. Never enter sensitive information on a site without a valid TLS certificate (TLS, still widely called SSL, is the technology that encrypts data in transit; the browser shows it as a padlock next to the address). Be aware, however, that the padlock only tells you that the connection is encrypted, not who is on the other end: certificates are free and most phishing sites today have a valid one. Check that the domain in the address bar is exactly the organization's real domain and not a look-alike.
- Never enter personal information in website pop-ups: Using an iframe or a pop-up window, a page can show a form that submits your data to an entirely different domain from the one in the address bar. Reputable websites rarely ask users to enter sensitive information in a pop-up, so as a rule of thumb avoid doing so even if the site passes the certificate check.
- Refrain from posting your Personally Identifiable Information (PII) on social media: Attackers have mastered social engineering on social media. They know that many people, for ease of remembering, use PII in their passwords and security answers, so they create games or quizzes that lure people into revealing details such as date of birth, mother's maiden name or children's names. This is a goldmine for attackers.
- Install anti-phishing toolbars: Several browser extensions warn of known phishing links and sites, such as Windows Defender Browser Protection, Avira Browser Safety and Bitdefender TrafficLight. Install them only from the browser's official extension store; you do not want to end up installing adware or malware while trying to protect yourself.
- Targeted threat protection technology: Targeted threat protection checks both the links and the attachments in an email before they reach the user. Links are opened in a sandbox to give a malicious or benign verdict; this happens fast enough that the user does not notice and the user experience is not affected. Attachments are handled by policy: executable files are not delivered at all, and other files are converted to a PDF copy and checked for malicious patterns before they are released for download.
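The advice to hover over links, to distrust shortened URLs and to not take the padlock at face value can likewise be turned into a check. The Python below is an added example for this post, not code from the original article. The HTML snippet and every hostname in it are constructed (only paypal.com is a real domain, used because the post discusses PayPal), the shortener list is a small hand-picked set, and the registrable-domain logic is deliberately simplified as the comments explain.

```python
"""Link inspection for HTML mail bodies (added example, not the post's own code)."""
from __future__ import annotations

import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Small hand-picked set of URL shorteners; the real target is hidden until followed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# Link text that itself looks like a URL or host name, e.g. "www.paypal.com/help".
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a host ('paypal.com' for 'www.paypal.com').

    Simplification for this example: production code should use the Public
    Suffix List (e.g. the tldextract package) so 'shop.example.co.uk' is not
    reduced to 'co.uk'.
    """
    return ".".join(host.lower().split(".")[-2:])


def inspect_url(url: str, trusted_domain: str) -> list[str]:
    """Red flags for one link, given the domain the mail claims to be from."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    flags: list[str] = []

    if parts.scheme not in ("http", "https"):
        return ["unexpected scheme: " + parts.scheme]
    if parts.scheme == "http":
        flags.append("unencrypted http")
    # https is deliberately NOT treated as a sign of legitimacy: phishing sites
    # obtain valid certificates too, so a padlock never clears a link.

    # "https://www.paypal.com@evil.test/": everything before '@' is userinfo that
    # the browser ignores; the connection actually goes to evil.test.
    if parts.username is not None:
        flags.append("brand/credentials in userinfo")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-address host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode host")  # may hide look-alike Unicode characters

    reg = registrable_domain(host)
    if reg in SHORTENERS:
        flags.append("shortened link")
    # Brand name appears in the host, but the domain actually registered is not
    # the brand's (paypal.com.secure-login.test, paypal-verify.test, ...).
    if trusted_domain.split(".")[0] in host and reg != trusted_domain.lower():
        flags.append("lookalike domain: " + host)
    return flags


class _Anchors(HTMLParser):
    """Collect (visible text, href) pairs from an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None  # href of the <a> currently open, if any
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def inspect_html(body: str, trusted_domain: str) -> dict[str, list[str]]:
    """Run inspect_url over every link and add the 'hover' check: visible text
    that names one host while the href really goes to another."""
    parser = _Anchors()
    parser.feed(body)
    report: dict[str, list[str]] = {}
    for text, href in parser.links:
        flags = inspect_url(href, trusted_domain)
        if LOOKS_LIKE_URL.match(text):
            shown = urlsplit(text if "://" in text else "https://" + text).hostname or ""
            if shown.lower() != (urlsplit(href).hostname or "").lower():
                flags.append("text/target mismatch")
        report[href] = flags
    return report


# Constructed HTML body: every hostname is fictional except the real paypal.com.
SAMPLE_HTML = """
<p>Dear Customer, your account is limited. Restore access at
<a href="https://www.paypal.com.secure-login.test/verify">https://www.paypal.com/signin</a></p>
<p>or <a href="https://bit.ly/constructed-example">click here</a>.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">www.paypal.com/help</a>.</p>
"""

if __name__ == "__main__":
    for href, flags in inspect_html(SAMPLE_HTML, "paypal.com").items():
        print(href, "->", flags or ["no flags"])
```

On the constructed body, the first link is flagged as a look-alike domain whose visible text does not match its target, the second as a shortened link, and the genuine help link is clean. The script never fetches anything, so a shortened link is only flagged, not expanded; expanding it safely is a separate step.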
Matthew Oyebode is a Cyber Security professional, currently based in Canada. He holds a Master's degree in Information Technology Security from the University of Ontario Institute of Technology.