Part of CompTIA Security+ Objectives 1.2
Phishing is an email scam in which a message appears to come from a legitimate company and asks you to provide sensitive information. Cybercriminals use phishing to obtain sensitive information such as credit card details and login credentials by posing as a trustworthy organization or reputable person in an email. This is usually done by including a link that appears to take you to the company’s website to fill in your information, but the website is a clever fake and the information you provide goes straight to the crooks behind the scam.
Phishing is popular with cybercriminals because it enables them to steal sensitive financial and personal information without having to break through the security defenses of a computer or network. Public awareness about phishing campaigns has grown considerably in recent years, as many incidents have been covered by a variety of media sources. In addition to technical solutions, user security awareness is one of the cyber security measures being used to help counter attempted phishing incidents.
How to Identify Phishing and How to Avoid being a Victim?
Identifying Fake Email Addresses
Where is your email coming from? Fake email addresses attempt to trick end users into a sense of comfort, security and legitimacy. Does the domain from which you’re receiving the email make sense? Is it consistent with the company’s domain?
Here are two ways to identify fake email addresses:
As mentioned above, a legit email domain will match the URL for the organization’s website. Going back to the banking example, here are examples of safe and unsafe email domains.
At a quick glance, this seems like a reasonable and safe domain. But if the domain is anything different than what you would type in a web browser to access the organization’s website, it’s most likely a fake email address.
Spoiler alert: it doesn’t matter. Real names don’t mean anything on the internet. There’s no intellectual property or restrictions on the names of emails when creating an account.
In fact, many legitimate businesses create fake names for marketing emails that simply route back to a distribution list, so they can avoid being flagged for email abuse when they send mail without an opt-in policy. I could start an email account with your name, and there are no checks and balances on it. That’s why the domain is so important: there’s a registration process for domains related to unique IP addresses, so it’s not possible to copy one without having inside access.
Identifying Fake Websites
One of the easier ways to mitigate cybersecurity risk is to train your employees to pay attention to the address bar in their web browser. As we rely more on backlinking, cookies and search engines to reach websites, employees tend to pay less attention to the URL in the address bar and go more and more into autopilot when browsing.
Pay attention to your browser and ask these questions to identify fake websites:
Is your connection secure? Look to the far left of your address bar. If you’re using Chrome or Firefox, you should see a padlock icon to indicate that your connection is safe.
If you are still using Internet Explorer: Stop reading this article, delete all your cookies and search history on IE, and install Chrome or Firefox. Those browsers are much safer. Don’t ever look back, and don’t feel bad about it.
BUT… Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates are now easier for threat actors to get, so the “padlock” strategy isn’t effective enough on its own. The lock icon is not bulletproof, and it must be used in combination with the rest of the points that follow.
Identifying Fake URLs
1. Does the URL make sense?
Use the same strategy to identify fake websites that you would to identify fake email addresses. The main parts of the URL before .com or .org, etc., should not be an alphabet soup of letters and numbers. The domain origination of the main site and emails that you receive from the organization should match.
A relevant example for personal banking would be this:
Threat actors purposely try to mask their URLs in clever ways, often by incorporating special characters or a sandwich of letters that resemble the correct website. If you’re not looking closely, you can easily be duped into clicking the link and installing malware on your device, even if the link doesn’t load or takes you to a dead page.
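The checks described in the two sections above (does the email domain match the organization’s real domain, and does the URL’s domain make sense rather than merely contain the brand name or a look-alike spelling) can be written down as a small inspection routine. The code below is an added example for this page, not part of the original article or of CompTIA material. It assumes a constructed allow-list with one fictional trusted domain, `examplebank.com`, and it uses a deliberately simplified “last two labels” rule for the registrable domain; production code should consult the Public Suffix List so that names such as `bank.co.uk` are handled correctly.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allow-list for this example: the one domain the fictional bank
# actually uses for its website and its outbound email.
TRUSTED_DOMAINS = {"examplebank.com"}

# Character swaps that make one label look like another at a quick glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(label):
    """Fold look-alike characters so 'examp1ebank' compares equal to 'examplebank'."""
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def registrable_domain(hostname):
    """Return the part of a hostname that somebody had to register (last two labels).

    Simplification for the example (assumption): real code should consult the
    Public Suffix List so that names like 'bank.co.uk' are handled correctly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def domain_reasons(host, rd):
    """Domain checks shared by URL inspection and sender-address inspection."""
    if rd in TRUSTED_DOMAINS:
        return []
    reasons = [f"registrable domain '{rd}' is not a trusted domain"]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # e.g. 'examplebank.com.evil.example': the brand appears, but only as a
        # subdomain inside somebody else's registrable domain
        if brand in host:
            reasons.append(f"hostname contains '{brand}' but the registrable domain is '{rd}'")
    if normalise(rd) in {normalise(t) for t in TRUSTED_DOMAINS}:
        reasons.append(f"'{rd}' resembles a trusted domain after confusable-character substitution")
    return reasons


def check_url(url):
    """Return (registrable_domain, reasons); an empty reasons list means nothing looked wrong."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reasons = []
    if parts.scheme != "https":
        reasons.append("not HTTPS (no padlock)")
    if "@" in parts.netloc:
        reasons.append("'@' in the URL: the text before it is userinfo, not the host; the real host follows it")
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        reasons.append("non-ASCII characters in hostname (possible homoglyph)")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label in hostname")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("bare IP address instead of a domain name")
    rd = registrable_domain(host)
    reasons.extend(domain_reasons(host, rd))
    return rd, reasons


def check_sender(from_header):
    """Inspect a From: header. The display name carries no trust; only the address domain counts."""
    display_name, address = parseaddr(from_header)
    host = address.rpartition("@")[2].lower()
    rd = registrable_domain(host)
    reasons = domain_reasons(host, rd)
    # A display name that itself looks like an address is a common way to make
    # the mail client show a trusted-looking sender above the real one.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display_name)
    if shown and registrable_domain(shown.group(0).rpartition("@")[2]) != rd:
        reasons.append(f"display name shows '{shown.group(0)}' but the message is from '{address}'")
    return rd, reasons


if __name__ == "__main__":
    # Constructed samples, including the "brand as a subdomain" case from the text above.
    for sample in ("https://www.examplebank.com/login",
                   "https://examplebank.com.evil.example/login",
                   "http://examp1ebank.com/"):
        print(sample, "->", check_url(sample))
    print(check_sender('"alerts@examplebank.com" <alerts@examplebank-secure.com>'))
```

Both functions return the registrable domain together with a list of human-readable reasons, so the same routine can drive a security-awareness exercise (show the user why a link was flagged) or a mail-gateway rule (quarantine when the list is non-empty). The confusable table and the allow-list are intentionally tiny; the structure, not the data, is the point.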
2. Did you get the link in an email?
If so, don’t click. This sounds extreme. It also sounds slow and antiquated. But verification is a pillar of being vigilant. Even if the contact emailing you is in your address book, they could have been phished – you just never know.
Call or email the contact before clicking. Calling is always preferred. As for emailing, you must make sure you open a new email to ask them if the last email was legit. If you reply directly to the email in question, you’re communicating with a hacker, and they will mislead you.
Seriously, call them before you open the email. Especially if it’s from an internal source. That will only create a stronger cybersecurity culture. This may seem like an unnecessary or slow step, but it’s the entire point of the training exercise! The more cybersecurity is discussed, the more it is prioritized in typical day-to-day interactions.