April 17, 2021
How to Spot Phishing Emails
What is a phishing email?
Phishing is a form of social engineering that attempts to obtain a user’s personal information, such as bank account details, or to gain access to it. The emails often impersonate trustworthy organisations such as PayPal, Google, and others to appear credible, and typically ask you to confirm personal information or express an “urgent” need to take some sort of action. Users who have been trained in what to look for can identify these emails.
How to identify a phishing email
Read the content of the email
The first step in identifying a phishing email is reading its contents. If the email creates a sense of fear or urgency, it may be suspicious. These emails are designed to instill fear in the reader and push them to take quick action without questioning it.
Common types of phishing attacks include:
- Spear Phishing: Spear phishing is an attempt to gain access to credentials or financial information from a targeted individual.
- Whaling: Whaling is a form of spear phishing with a focus on a high-value target, meaning the fraudulent communication appears to come from a senior employee within an organisation, to boost credibility.
- Mass Campaigns: Mass phishing campaigns cast a wider net than the targeted techniques of spear phishing and whaling. True to their name, they are sent to the masses, relying on a subset of recipients to fall victim to their efforts.
- Ambulance Chasing Phishing: This form of phishing is commonly a mass campaign, but can also be spear phishing. With ambulance chasing phishing, attackers will play off of current crises to drive urgency for victims to take action that will lead to compromising data or information.
- Pretexting: Pretexting is a highly effective method of phishing as it reduces human defenses by creating the expectation that something is legitimate and safe to interact with. Pretexting involves an attacker doing something via a non-email channel to set an expectation that they’ll be sending something seemingly legitimate soon.
Review the writing style
Another indicator is the writing style of the contents. If the email is poorly written, with grammatical and spelling errors, it is likely to be phishing.
Check the sender's email address
If you receive an email that looks like it may be phishing, check the “show details” dropdown under the sender’s name. You will see a section labeled “signed-by”. This field can help determine whether an email was shared securely from a service.
The goal is to determine whether the signed-by field shows a sender domain’s DomainKeys Identified Mail (DKIM) signature or a service. A DKIM signature attaches a domain identifier to the message, showing that it was generated by a user in that domain.
For example, if you received an email from ‘email@example.com’, you would see a DKIM signing domain in the signature that looks like this: datto-com.20150623.gappssmtp.com. This is how all emails sent through a domain are processed.
Emails shared through a service (e.g. Drive, Calendar, Dropbox, Box) do not carry the sender domain’s DKIM. Instead, you would see the signature of the service that shared the file. If something is shared through Dropbox, for example, you would see ‘signed-by dropbox.com’.
Below is an example of a file that was shared securely through Google Docs:
Note that the "mailed-by" section shows a service.
Now let's look at this phishing email.
Aside from the giant red banner warning, you can tell this is risky because:
- It was a shared file that was BCC’d and not shared privately from the service.
- Note the suspicious "to" address firstname.lastname@example.org
- The subject has a very generic name.
- The signed-by field shows an email domain and not the service (it should be something like something.bounces.google.com or something.dropbox.com). The mailed-by field should also list the service the message is being sent from.
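As an added example that is not part of the original article, the following Python check pulls Gmail's "signed-by" (the DKIM d= tag) and "mailed-by" (the envelope sender in Return-Path) out of raw message headers and applies the red flags listed above to a "file shared with you" notification. The service allow-list and the sample message are constructed assumptions, not real data.

```python
import email
import re
from email import policy

# Constructed allow-list: domains that sharing services use in DKIM "d="
# (Gmail's "signed-by") and in the envelope sender (Gmail's "mailed-by").
SERVICE_DOMAINS = ("google.com", "dropbox.com", "box.com")

def _domain_of(address):
    """Lowercase domain part of an address such as <user@host.example>."""
    match = re.search(r"@([\w.-]+)", address or "")
    return match.group(1).lower() if match else ""

def _is_service(domain):
    return any(domain == s or domain.endswith("." + s) for s in SERVICE_DOMAINS)

def auth_domains(raw_message):
    """Return (signed_by, mailed_by): the DKIM d= tag and the Return-Path domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    tag = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    signed_by = tag.group(1).lower() if tag else ""
    return signed_by, _domain_of(msg.get("Return-Path", ""))

def review_share_email(raw_message, my_address):
    """Apply the article's red flags to a 'file shared with you' message.
    Returns the list of flags that fired; an empty list means none did."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    signed_by, mailed_by = auth_domains(raw_message)
    flags = []
    if my_address.lower() not in (msg.get("To") or "").lower():
        flags.append("recipient is not in To: (BCC'd, not shared privately)")
    if not _is_service(signed_by):
        flags.append("signed-by is not a sharing service: " + (signed_by or "missing"))
    if not _is_service(mailed_by):
        flags.append("mailed-by is not a sharing service: " + (mailed_by or "missing"))
    return flags

# Constructed sample (not a real message); the bh= and b= values are placeholders.
SUSPICIOUS_SHARE = """\
Return-Path: <bounce@mail.example.net>
From: "Shared Document" <noreply@mail.example.net>
To: firstname.lastname@example.org
Subject: Document
DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.net; s=sel; bh=PLACEHOLDER; b=PLACEHOLDER

A file has been shared with you. Open it here.
"""

# Running the check as bob@example.org raises all three flags for this sample.
SAMPLE_FLAGS = review_share_email(SUSPICIOUS_SHARE, "bob@example.org")
```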
What to do if you’ve received a phishing email
If you think you’ve received a phishing email, do not open it. Malicious emails typically take one of two approaches:
- Urge you to give away user credentials
- Infect your computer when interacting with the email
Much like dealing with ransomware, it’s important to remain vigilant and operate with caution in these circumstances. Phishing emails will try to get you to log in to fake portals in order to steal your login data, which is then used to steal more data, attack other users while posing as you, or change the login and hold the account for ransom. With any suspicious email, delete it immediately and permanently. If applicable, send it to your internal cybersecurity resource.
The difference between malicious emails and phishing emails
If a malicious email has been opened and its contents clicked on, it’s likely that ransomware has been launched and is spreading across the network. Notify your IT resource, whether internal or a managed service provider (MSP), so they can contain the infection.
How to protect yourself from phishing attacks
- Keep threat education up to date and test systems regularly.
- Ensure your network is protected with firewall and antivirus software.
- Use two-factor authentication (2FA) across your users.
- Automatically patch software applications.
- Backup data and have a recovery plan.
For MSPs looking to mitigate phishing risk and recover quickly once an infection occurs, it’s crucial to have cloud-to-cloud backup and a business continuity and disaster recovery (BCDR) solution in place. These give clients access to their data from a recent backup taken before the infection and, if needed, allow their operations to be virtualised separately from the infected network, keeping the business running and avoiding loss of profits.