Cybersecurity professionals develop many defences against viruses, malware, ransomware, and fraud; however, these lines of defence can become useless when one user makes one wrong click.
Social engineering is the main strategy scammers and other cybercriminals use to bypass those layers of protection. Phishing is the number one social-engineering method for getting past them, and it typically arrives by email or text message.
What is Phishing?
Phishing is a term that falls under the umbrella of social engineering; it relies on the user making a mistake, not the software.
If you google the definition of phishing, the Oxford dictionary states:
“The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.”
Several aspects of this definition need to be adjusted or explained further.
- Phishing happens not only through email but also through your phone number, by SMS (smishing) or by voice call (vishing).
- Phishing attempts do not only come from cybercriminals pretending to be a company; they also come from people claiming to be a member of your work team, a family member, or another reputable organization.
- The person who falls victim to phishing sometimes doesn’t need to reveal any personal information at all. It can be as simple as a malicious link or attachment in the email that downloads and runs malicious software such as ransomware.
The definition of phishing should be updated to reflect these points. Most importantly, when thinking about phishing, focus on the part you play as the victim, or bait.
From that point of view, a phishing attack is an act of luring the bait (you) into believing that you are communicating with someone genuine, for the attacker’s gain.
First, understand how phishing emails work.
Email phishing can come in many forms. Enticing the user to take a particular action is the main tactic of an email phishing scam. The best way to learn to avoid phishing emails is to look at examples of them.
We will look at a different aspect of each example. Keep in mind that these techniques are often used together.
For each example, see if you can spot the problem with the email before reading the explanation that follows it.
Fake email addresses, fake websites and phony domain names are all standard. The problem here is that “Netflix” is spelled with two x’s in the sender’s address. A misspelled domain like this is a tell-tale sign of a phishing email.
When in doubt, check the company’s support page. Here is Netflix’s support page.
Using “rn” in place of “m” is very effective, because the two look very similar at a glance, and it is standard in Amazon phishing emails. This example is a classic homograph attack, which is a lot harder to spot than the Netflix example.
If you suspect a phishing email claiming to be from Amazon, take a look at their support page.
In this Apple phishing email example, the problem is called a subdomain attack. Always look at where the dots fall in the sender’s domain. This one is tricky, since some legitimate companies do use subdomains.
The critical thing to look for is a random-looking subdomain name. For instance, why would it be “apple.idhelp” when “apple.help” would suffice?
Again, if you suspect a phishing attempt from Apple, check their support page.
Other things to look out for in PayPal phishing or any bank phishing email are HTTP versus HTTPS. Banks use what are called security certificates (HTTPS), which is why there is a lock icon at the beginning of the URL in your browser.
In 2020 you should always be looking for HTTPS over HTTP, no matter the site. Keep in mind that HTTPS only tells you the connection is encrypted; it does not by itself prove the site belongs to the company it claims to be, so still check the domain name.
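The signs called out in the Netflix, Amazon, Apple and PayPal examples (a misspelled domain, “rn” posing as “m”, a brand name used as a subdomain, and a plain-HTTP link) can all be checked mechanically. The Python script below is an added example, not code from the original article or from the MSP that wrote it; the brand table, the similarity threshold, the two-label domain simplification and the sample addresses are constructed for illustration, and only the ASCII “rn” trick from the article is handled, not Unicode look-alike characters.

```python
import difflib
from urllib.parse import urlparse

# Constructed table of brand names and their legitimate domains. This is an
# assumption for the example; a real deployment would load it from configuration.
KNOWN_BRANDS = {
    "netflix": "netflix.com",
    "amazon": "amazon.com",
    "apple": "apple.com",
    "paypal": "paypal.com",
}

# Similarity at or above which a domain is "almost the real one" (e.g. netflixx.com).
LOOKALIKE_RATIO = 0.85


def registered_domain(host):
    """Return the last two labels of a hostname ('mail.example.com' -> 'example.com').

    Simplification: suffixes such as co.uk are not handled; a real deployment
    would consult the public suffix list.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_host(host):
    """Apply the tell-tale checks from the examples above to one hostname.

    Returns a list of (code, detail) findings. An empty list means none of these
    tricks was spotted, which is not proof that the host is legitimate.
    """
    host = host.lower().strip(".")
    reg = registered_domain(host)
    subdomain = host[: -len(reg)].strip(".") if host != reg else ""
    findings = []
    for brand, legit in KNOWN_BRANDS.items():
        if reg == legit:
            continue  # the genuine domain (or a genuine subdomain of it)
        # Homograph: 'rn' standing in for 'm' (arnazon.com reads as amazon.com).
        if reg.replace("rn", "m") == legit:
            findings.append(("homograph", "%s imitates %s using 'rn' for 'm'" % (reg, legit)))
        # Lookalike: an extra, missing or swapped character (netflixx.com).
        elif difflib.SequenceMatcher(None, reg, legit).ratio() >= LOOKALIKE_RATIO:
            findings.append(("lookalike", "%s resembles %s" % (reg, legit)))
        # Subdomain attack: the brand name sits left of the dots, so the
        # address really belongs to whoever registered the right-hand part.
        if any(brand in label for label in subdomain.split(".")):
            findings.append(("brand-in-subdomain",
                             "'%s' is only a subdomain of %s, not %s" % (brand, reg, legit)))
    return findings


def check_sender(address):
    """Check the domain part of a From address such as 'billing@netflixx.com'."""
    if "@" not in address:
        return [("malformed", "sender address has no @")]
    return check_host(address.rsplit("@", 1)[1])


def check_url(url):
    """Check a link from an email body: the host it points at and its scheme."""
    parsed = urlparse(url)
    findings = check_host(parsed.hostname or "")
    if parsed.scheme == "http":
        # Plain HTTP is a warning sign on any site. HTTPS alone is not proof of
        # legitimacy, though, which is why the host checks above still run.
        findings.append(("insecure-scheme", "link uses http rather than https"))
    return findings


if __name__ == "__main__":
    # Constructed sample senders and a link, mirroring the examples above.
    for sender in ["billing@netflixx.com", "orders@arnazon.com",
                   "noreply@apple.idhelp.com", "alerts@mail.netflix.com"]:
        print(sender, "->", check_sender(sender) or "no findings")
    print(check_url("http://paypal.secure-login.example/verify"))
```

The important design point is that each check compares the registered domain (the part right of the last dots), not the whole string: “mail.netflix.com” is genuine, while “apple.idhelp.com” belongs to whoever owns idhelp.com no matter how reassuring the left-hand label looks.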
How do you protect yourself from email phishing?
You are already doing a great job by reading this article. Email phishing training, awareness and education are vital. Making it second nature to check an email, or to look at a URL before clicking, is crucial.
As an organization, make sure that you have both human controls (the training discussed above) and technical controls in place. Make sure your IT department has spam filters and malware-detecting antivirus in place.
As a Managed Service Provider (MSP), we offer specialized cybersecurity services that include better protection against phishing. We also do phishing awareness training for education and simulated phishing to assess your current risk as an organization. Testing allows us to direct training to the people who need it the most.
We have also recently partnered with Mimecast to offer advanced protection. Secure Email Gateway is one aspect of their offering that is effective against suspicious links. To learn more about implementing better cybersecurity, contact us to make sure you have proper IT safeguards and education in place.
Unsure about an email? Report phishing emails
If you are uncertain about an email, check the company’s support page for accurate information about how they would communicate with you. If you do find a phishing email, make sure to report it. You can submit phishing emails through the organization’s support page, the Canadian Anti-Fraud Centre, or your country’s equivalent.
Other support pages for prevalent phishing of Canadian users are:
- Support page for a CRA phishing email
- Support page for a Telus phishing email
- Support page for a Canada Post phishing email
If you are unsure, always google “(insert company name) phishing”; the first result should be a support page offering more information.
What should I do if I opened a phishing email?
First, don’t panic. Disconnect your device from the network.
If you are a client of ours, contact our service desk right away.
For more information, take a look at the Infosec Institute 10-step process, a useful guide on what to do when you think you have clicked a phishing link.