April 17, 2021
How to Spot and Protect Against Phishing Email Attacks
Phishing attacks are getting more and more sophisticated, making them difficult to detect and avoid. Because there are also multiple types of phishing attack, it's important to deploy a multi-layered security approach when protecting your business and your end users.
How to identify a phishing attack
For MSPs looking to mitigate phishing risk and recover quickly once an infection occurs, it’s crucial to have cloud-to-cloud backup and a business continuity and disaster recovery (BCDR) solution in place. These give clients access to their data from a backup taken before the infection and, if needed, let them virtualise their operations separately from the infected network to keep the business running and avoid loss of profits.
1. Watch out for Social Engineering tactics
Be on the lookout for emails that you were not expecting, or where you are being asked to click a button to receive an offer.
2. Scan for fake emails
Read the content of the email
The first step in identifying a phishing email is reading the contents of the email. If the email creates a sense of fear or urgency, the email may be suspicious. These emails are designed to instill fear in the reader and encourage them to take quick action without questioning it.
Review the writing style
Another indicator is the writing style of the contents. If the email is poorly written, with grammatical and spelling errors, it is likely phishing.
Check the sender's email address
If you receive an email that looks like it may be phishing, open the “show details” dropdown under the sender’s name. You will see a section labelled “signed-by”. This field can help determine whether an email was shared securely from a service.
The goal is to determine whether the signed-by value was generated by DomainKeys Identified Mail (DKIM) for the sender’s domain or by a service. DKIM attaches a domain identifier to the signature, showing that the email was generated by a user in that domain.
For example, if you received an email from ‘firstname.lastname@example.org’, you would see a DKIM signature that looks like this: datto-com.20150623.gappssmtp.com. This is how all emails sent through a domain are processed.
Emails shared through a service (i.e. Drive, Calendar, Dropbox, Box, etc.) do not carry the sender’s domain DKIM signature. Instead, you would see the signature of the service itself. If something is shared through Dropbox, for example, you would see ‘signed-by dropbox.com’.
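To make the signed-by check concrete, here is an added Python example (not code from this post or from Datto) that reads the d= tag of each DKIM-Signature header in a few constructed sample messages and compares it with the From: domain. The sharing-service list and the dot-to-hyphen gappssmtp naming rule are assumptions; the script reads headers only and does not verify signatures cryptographically.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Sharing services whose own domain is expected in "signed-by" (constructed list).
SHARING_SERVICES = {"dropbox.com", "box.com", "google.com"}
_D_TAG = re.compile(r"(?:^|;)\s*d=\s*([^;\s]+)", re.IGNORECASE)

def signing_domains(msg) -> list:
    # Pull the d= tag (signing domain) out of every DKIM-Signature header.
    found = []
    for header in msg.get_all("DKIM-Signature", []):
        m = _D_TAG.search(str(header))
        if m:
            found.append(m.group(1).lower().rstrip("."))
    return found

def signed_by_own_domain(sender: str, signer: str) -> bool:
    # Exact match, a subdomain, or the Google Workspace relay form the post shows
    # (datto.com -> datto-com.<selector>.gappssmtp.com); assumption from that example.
    if signer == sender or signer.endswith("." + sender):
        return True
    return signer.endswith(".gappssmtp.com") and signer.startswith(sender.replace(".", "-") + ".")

def classify(raw_message: str) -> str:
    # Compare the From: domain with the DKIM signing domain(s). Header inspection
    # only: no DNS lookup and no cryptographic verification of the signature.
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    signers = signing_domains(msg)
    if not signers:
        return "unsigned"
    if any(s in SHARING_SERVICES for s in signers):
        return "sharing-service"   # e.g. 'signed-by dropbox.com'
    if any(signed_by_own_domain(sender, s) for s in signers):
        return "own-domain"
    return "mismatch"              # signer unrelated to the From: domain: review

# Constructed sample messages (not real mail); headers shortened to what matters.
OWN = ("From: Alice <alice@datto.com>\nSubject: Report\n"
       "DKIM-Signature: v=1; a=rsa-sha256; d=datto-com.20150623.gappssmtp.com;\n"
       " s=20150623; h=from:subject; bh=Zm9v; b=YmFy\n\nSee attached.\n")
SHARED = ("From: Alice (via Dropbox) <no-reply@dropbox.com>\nSubject: A file was shared\n"
          "DKIM-Signature: v=1; a=rsa-sha256; d=dropbox.com; s=s1; bh=Zm9v; b=YmFy\n\nOpen it.\n")
SPOOF = ("From: IT Support <support@datto.com>\nSubject: Password expires today\n"
         "DKIM-Signature: v=1; a=rsa-sha256; d=bulk-mailer.invalid; s=x; bh=Zm9v; b=YmFy\n\nLog in.\n")
if __name__ == "__main__":
    for name, raw in (("OWN", OWN), ("SHARED", SHARED), ("SPOOF", SPOOF)):
        print(name, classify(raw))
```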
What to do if you’ve received a phishing email
If you think you’ve received a phishing email, do not open it. Malicious emails typically take two approaches.
- Urge you to give away user credentials
- Infect your computer when interacting with the email
Much like dealing with ransomware, it’s important to remain vigilant and operate with caution in these circumstances. Phishing emails will try to get you to log in to fake portals in order to steal your login data, then use it to steal more data, attack other users while pretending to be you, or change the login and hold the account to ransom. Delete any suspicious email immediately and permanently. If applicable, report it to your internal cybersecurity resource.
3. Review URL accuracy
Sometimes a phishing email can look like the real deal on the surface, but the URLs or links in the email can point to fake websites whose addresses are deliberately misspelt yet very similar to those of a credible brand.
4. Spot check the website
If you are unsure, always check the website itself: is it real? Do you really need to enter your credentials?
5. Automatically Mitigate Phishing Attacks with ATP
Knowing how to do all of the above steps and what to look for is a great first step; however, doing all of them on every email you receive is simply not scalable for most users. This is where an advanced threat protection (ATP) solution like Datto SaaS Defence comes into play.