The vast majority of IT security breaches start with a phishing campaign. This statistic should not be a surprise to you, as the human element is after all the weakest link in the security chain. The best way to defend against this form of attack is to look for signs that the innocent-looking email you just received is actually an attempt to steal your personal information, and to always be vigilant when clicking on links and opening attachments.
The reason we have seen such a rise in phishing in the past few years is improved security, which mitigates the traditional vulnerabilities attackers have exploited in the past. Through the years, as organisations have hardened the security of their IT systems by implementing firewalls, writing better applications with fewer vulnerabilities and taking an interest in the security of their data, breaking into systems is not as easy as it was several years ago. Traditional targets are no longer available, or are much harder to crack, so attackers now seek out the weak spot in an organisation’s armour, and that weak spot is the human element.
The overwhelming majority of phishing attacks are conducted via email. Although the content of the email and the type of attack vary to a degree, the ultimate goal of a phishing attack is to get an unsuspecting victim to actively engage with the attack by clicking on a link or opening an attachment. This is generally the only action needed from the user. From this point the link either opens an infected web page from which malicious software automatically infects the user’s machine, or it opens a page that looks very similar to the site being impersonated by the phishing email; the unsuspecting user then enters their credentials into the fake site, where they are recorded in the attacker’s database for later use.
Now that we know the reasons and mechanisms behind a phishing attack let’s look at an example and see how to spot the signs that this is in fact a phishing email.
The email below is one I received recently and is supposedly from my bank. As you can see it looks legitimate and even presents the bank’s corporate identity in the fonts and colours used to create this email.
It even goes as far as warning about phishing in the disclaimer of the email listed below.
It is however a phishing email. A very well crafted phishing email but a phishing email nonetheless.
Firstly, the email address it was sent to is not known by my bank, which raised my suspicion. Secondly, I was not expecting a payment, so this too made me wary. The vital bit of information, however, that clearly indicated this was a phishing email was the attachment type. My bank does send me correspondence with attachments, but those attachments are always in PDF format. An HTML attachment is not what I would expect from a bank. If you open the attachment, it renders a carefully crafted web page which asks you to enter your card number, PIN, password, etc. However, when you click submit, it sends this information to a compromised server, where your personal login credentials are recorded and as such compromised. This can be seen in the source code of the attachment, where the call is made to a compromised server.
Below is another example of a phishing email. This one, however, asks me to click on a link to log on to my secure banking profile, with a call to action to stop a fictitious debit order from being paid. Once again, this email was sent to an email address not known by my bank, and my bank has warned me on multiple occasions never to click on a link in an email. These two factors raised suspicion and verified that this was in fact yet another phishing email.
My email client displays a link’s URL when I mouse over the link in an email.
You can now clearly see that this link opens a page on a server which is not a banking site.
Phishing emails may not always take the form of a bank email asking you to verify details. Here are two examples of recent phishing emails which use alternative avenues of deception.
Below is an email purporting to be from Netflix, stating that my membership has been suspended and that I should update or verify my billing information; doing so would result in my credit card details being compromised. It looks really legitimate, as it comes from a legitimate-looking Netflix email address, but the link once again redirects to a compromised server.
Below is another example. This email claims that a user has shared documents with me on Dropbox.
However, if I mouse over the link, it shows a shortened URL which may be legitimate. When I open the link in a virtual machine I am running, it redirects to a compromised website in Asia which then automatically infects my machine with malware.
So, in short, spotting a phishing email is not as simple as it used to be, but you can still safeguard yourself by following these rules:
- Check if the email address is valid. Does it come from someone you know? Individuals are generally a more trustworthy source than organisations, but this is not always the case, as per the Dropbox example above.
- Is the email asking me for an action? Do I need to click on a link or download an attachment?
- Is the attachment type a standard file format? Generally, PDF attachments are the safest. Never open an HTML attachment.
- Only click on verified links that go to legitimate websites. Where possible verify the link by ‘mousing’ over it if you have this capability or opening the site in an isolated environment where you cannot compromise your personal details.
- When in doubt do not open the attachment or click on the link. Rather verify the legitimacy by contacting the person or institution who sent this to you.
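The checks above (sender address, attachment type, and where a link really points) can be automated against a saved message. The following is an added example, not code from the original post: a small Python script that parses a constructed .eml message and flags an HTML attachment, a link whose visible text names the bank but whose href points at a bare IP address, a link through a URL shortener, and a sender domain the bank does not use. The sample message, the expected sender domain, the shortener list and all hostnames are constructed placeholders using reserved example names.

```python
import email
import ipaddress
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: an HTML body with a disguised link and a short
# link, plus an HTML attachment carrying a credential form. All domains and
# addresses are reserved example values, not real sites.
SAMPLE_EML = b"""\
From: Example Bank <alerts@examplebank-notify.example>
To: victim@mail.example
Subject: Payment notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A payment is pending. Log on to review it:</p>
<a href="http://203.0.113.5/secure/login">https://www.examplebank.example/secure</a>
<p>Or use the short link <a href="http://short.example/abc123">here</a>.</p>
</body></html>
--XYZ
Content-Type: text/html; name="payment-notice.html"
Content-Disposition: attachment; filename="payment-notice.html"
Content-Transfer-Encoding: 7bit

<html><form action="http://203.0.113.5/collect"><input name="pin"></form></html>
--XYZ--
"""

# Assumed policy values for this example; a real deployment maintains its own.
SAFE_ATTACHMENT_TYPES = {"application/pdf"}
SHORTENER_HOSTS = {"short.example"}
EXPECTED_SENDER_DOMAINS = {"examplebank.example"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML part."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(raw_message):
    """Return a list of human-readable phishing indicators found in the message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    # Rule: does the sender address belong to a domain the bank actually uses?
    sender = parseaddr(str(msg["From"]))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain not in EXPECTED_SENDER_DOMAINS:
        findings.append(f"sender domain {sender_domain!r} is not one the bank uses")

    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            # Rule: only standard attachment types; never an HTML attachment.
            ctype = part.get_content_type()
            name = part.get_filename() or ""
            if ctype not in SAFE_ATTACHMENT_TYPES or name.lower().endswith((".html", ".htm")):
                findings.append(f"unexpected attachment {name!r} of type {ctype}")
        elif part.get_content_type() == "text/html":
            # Rule: compare what the link shows with where it really goes.
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                target = host_of(href)
                if is_ip(target):
                    findings.append(f"link to bare IP address {target}")
                if target in SHORTENER_HOSTS:
                    findings.append(f"link goes through URL shortener {target}")
                shown = host_of(text) if "://" in text else ""
                if shown and shown != target:
                    findings.append(f"link text shows {shown} but points to {target}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EML):
        print("-", finding)
```

Run it on a saved .eml file by replacing `SAMPLE_EML` with the file's bytes. The link check mirrors the mouse-over trick from the post: the visible text is what the reader sees, the href is what the mail client reveals on hover, and any disagreement between the two is treated as an indicator rather than proof.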