How to Detect a Phishing Email

Concise | Date: May 13, 2021 | 8 minute read

Share

With 94% of all malicious cyber-attacks sent via email, isn't it time you make sure you learn to detect when you're being phished.

Phishing accounts for 80% of all reported security incidents. Daily its seems, I get these urgent emails telling me my account is about to close or I need to update my payment details. None of them are legitimate, but I am used to it, I know what to look out for, its become instinctive, the checks and verifications.  I call myself a Phishing Detective.

However, someone is going to be fooled by it, someone ends up doing as the email asks, otherwise we wouldn't still be receiving these types of emails. The cyber criminals are getting better at it though. Even more vigilance is needed when you are at work.

I asked one of our Cyber Security Team members, George, to help create the blog,  "We have created a list of common tactics used by these malicious actors to deceive recipients into providing information. The list covers the most common areas, but attackers are constantly adapting their techniques, and some may not be included below." Great thanks George.

An example

Here's an email, I received on Tuesday into my personal email account, not Junked. It looks legitimate enough. Before opening it, at first glance the Subject appears to be notifying me that my Direct Debit has been cancelled and its from TV Licensing (yes I watch normal TV). Haven't a clue if that reference is mine.

detect-a-phishing-email-exampleExample Email - is it a phish?

On opening it, yep its from TV licensing, there's the logo, it looks sort of personalised.  The language of the email is okay, reads alright, however the sense of urgency is making me start to panic, and question if it is real or not.  Has my account got no money in it? I've not been told by my bank? Must check it. I read further I may not be able to watch TV if I don't do something about this now! They are asking me to sign in using the link and provide my bank details.  

Okay what do I do next? Click the link? ......................

I don't click the link, because I have learned a set of tactics to help me check and verify it is legitimate. I've become a detective. I do my checks and simply tell the account its a phishing email, and delete it.

Malicious actors or cyber criminals are chancers.  They literally send thousands, if not millions of emails like this one to random people from a list of email addresses they bought from the deep web. They aren't expecting everyone to be fooled by the email, but someone will and that's why they keep doing it. What they do with the information they collect could be devastating for the individual, but for them it could be money in the bank,  they have sold the information or worse used it to steal from the individual themselves. Its a game of chance.

I want to be like you how do I become a phishing email detective? I hear you ask. Well you need to understand how the cyber criminals try to trick you and have a set of tactics under your belt to defend yourself against phishing emails. So here they are,

Always trust but verify

The most common method used to defend against phishing attacks is to trust but verify that the email is intended for you, then use an alternative form of communication to verify the sender’s identity or email legitimacy and don’t use contact details included in the message. 

This is especially important in a business environment. You may think its trustworthy as its from your boss or colleague, so you may not verify it. Check that the sender actually sent it to you, make a call if you think its urgent enough. Verify you were meant to receive it. In the TV License email above, I could verify by logging into my TV License account or by checking my bank account. Once I have done this I can trust or no trust because of verification.

Tactic 1: Check the Display Name

Display Name Modification or Spoofing is where attackers change the display name of emails to make it look as though it has come from someone within your organisation or any trusted business. Attackers do research on LinkedIn, Companies House, and others to find names and job roles to impersonate. Alternatively, they will use well known organisations such Microsoft, HMRC, local councils, TV licensing, Netflix and more. Any reputable company could be spoofed with the hope that you will trust but won’t verify the emails origin.

In the TV License email, my email provider shows the Display Name and email address underneath it,  "TV.License Service <no@happydaygames.com>".  Completely and utterly not right. I've verified that this isn't correct. If your provider doesn't do this you can select the Display name, usually, to see what email is behind it.

In the image below, the name "Microsoft account team", already looks suspicious as it doesn't use capital first letters. Reviewing the email address, there are errors in spelling "outlooo.teeam@outlook.com". First verification of no trust.

detect-a-phishing-email-spoofed

Tactic 2: Email Subjects & Incentives

Attackers typically try to leverage negative consequences or rewards to get the recipient to click a link, sign into a service, or download an attachment. As in the TV License email, the subject read "Alert: Direct Debit Cancelled", particular words to create urgency and panic. Here's some more.

CEO fraud

CEO fraud is commonly used to try and make users buy products or make payments on behalf of people at Board or Director level. In this case, we typically see a request to make payments or buy gift cards that they can sell on. Watch out for these, they are creating a sense of trust because its from a board or director.  Go to Tactic 1 and verify that the sender requested the purchase.   As a recommendation, George suggests,  that "there should be a company process where, for example, all payments, even urgent ones, go through a stage of verification before actioning."

Deliveries

Emails are commonly made to look as though they have come from delivery companies or online shops, using the “sorry we missed you” or “we attempted to deliver your parcel” to motivate you to click the links. In this case it is recommended to question whether you’ve used your email to sign up for these kinds of emails and if so, are you expecting a delivery? If you are not, then it’s time to verify that the sender, links or attachments are legitimate.

Offers or Rewards

Discount codes and limited time offers for popular brands are used to try and motivate the end user to provide their login credentials or download a malicious attachment. Again, asking yourself whether you signed up for these codes to be emailed to you? If you have forgotten, then its time to verify that the email is legitimate by checking the sender and links in the email. 

Fines or Negative Consequences

Missed TV license payments, bills, tax notices, and account lockout messages all try to use negative consequences to coerce the victim into their trap for submitting information, money, or goods. In this case, verify that the sender is legitimate by checking the from email and verify the account itself by logging in using a browser. Do not use any of the links from the email.

Compromised passwords

Myspace, LinkedIn, MyFitnessPal, and other known websites have suffered data breaches of email and password combinations which are then sold on the deep web. Sometimes attackers will include these details in the subject of the message claiming they have hacked your system, hoping that you have reused that email & password combination. They usually claim to have hacked your system and recorded you watching explicit material, counting on the combination of embarrassment and password reuse to make you not question their claim and follow their instructions. These sorts of emails are most likely a scam and can simply be deleted. However, in this case its always good practice to change passwords regularly. You can check your password has not been part of a breach by going to https://haveibeenpwned.com/. If your email  - password combination has been breached then change your password immediately for that account if its still used.

Tactic 3 : Check any links or attachments (this doesn't mean open them)

Malicious links

Links are often shortened to obscure where they’re trying to direct you to as in the example below. Attackers also hyperlink words in the email to make them look less suspicious, this is called “embedding”. You can reveal an embedded link by hovering your mouse over it without clicking however, this can’t be done with shortened links.

detect-a-phishing-email-malicious-shortened-link Example of shortened link in email

detect-a-phishing-email-embedded-link Example of embedded link in email

In the TV License example, hovering over the embedded link reveals some odd website domain totally unrelated to TV License website. Verified no trust.

PhishingEmailLink

Attachments

Any attachment other than a .txt can contain malicious content, the typical ones to watch out for are .docm, .doc, .xlsxm, .xls, .ppt, .pptm as these are ‘macro enabled’ which means they have code in them which will run when the document is opened. PDFs are commonly embedded with malicious code which will exploit Adobe, this is a reason it’s important to keep your machine up to date. And .zip files can hide the fact that they have potentially macro enabled files within them. 

detect-a-phishing-email-attachmentExample of macro enabled word document attachment .docm

Always, be wary of any email containing attachments which hasn't been verified by the sender. A lot of companies have a policy not to use macro enabled documents, so this should be a no trust situation. 

In the image below, it describes the delivery of Ransomware to a persons machine from a phishing email with a zip attachment.  If the user downloads the ZIP attachment and opens the contained file then this series of prompts could happen. The attached ZIP file contains a PDF, which contains code to prompt the user to open Word, which prompts the user to enable macros held within the Word document, which allows the macro to run and downloads an EXE (executable file) that then starts to encrypt the users files. Once the files are encrypted the malicious agent requests money for the files to be restored.

detect-a-phishing-email-ransomeware-deliveryRansomware delivery through a phishing message containing a zip file

Share Links

Increasingly there are phishing emails which have share links to fake documents appearing to be SharePoint, OneDrive, or other share documents via Office 365. This is a common method of attackers for gathering victims' Office 365 credentials. Potentially providing them a route into a business network. To see through this ploy, inspect the URL of the link, they tend to go to a link that is not legitimately an Office or Microsoft webpage.

detect-a-phishing-email-o365-credentialsTo help with this kind of phishing attack, businesses can customise the Office 365 login screen to ensure their people don't fall foul of this method of attack.

Again even in this scenario, verify the url and sender to determine if this can be trusted.

How to detect a phishing email?

To be a Phishing Email Detective, verify an email so it can be trusted by doing these checks,  

  1. Checking who is it from? Verify that the display name is a known email address. Verify with the person directly if unsure.
  2. Checking what is it about? Is the subject too good to be true or creating urgency or panic? Does the content have spelling errors, extra spaces or language isn't right.
  3. Checking any links, hover over them to see where they link to.
  4. Don't open attachments, before you know it to be legitimate, always do the above three steps first.
  5. Think - "am I expecting this" or "is this "normal" for the sender"

If any one check fails, then it is not verified and there is no trust. You've been phished. In a business environment  inform your support team and delete the email.  In a personal situation, delete the email. You could even report the phishing attempt to the National Cyber Security Centre.

Reporting Phishing Emails

The National Cyber Security Centre provides a phishing email reporting service called SERS (Suspicious Email Reporting Service). They use this information to look for and monitor suspicious activity along with raising awareness and working with hosting companies to remove links and websites. 

Key Takeaways

  • 94% of all malicious attacks are via email.
  • These same kind of attacks can take place by phone (vishing) or SMS text messaging (smishing). use the same tactics as explained for phishing.
  • Trust but verify - always check before responding, clicking, opening or doing anything.
  • Be vigilant,  is the email expected, does it make me anxious unnecessarily, is it something urgent they are asking me to do
  • Protecting against phishing attacks requires education and awareness training.  Speak to Concise today about making that happen for the whole of your business 
  • Report suspected phishing emails to the NCSC SERS facility at https://www.ncsc.gov.uk/information/report-suspicious-emails 
  • For businesses, Cyber Essentials Certification goes a long way to putting some controls in place to prevent cyber crime.  Speak to Concise today about Cyber Essentials Certification.

Ensure your business is protected from Cyber Attacks.  Download: 12 ways to Protect your Business Infographic

protect your business from cyber attack 12 ways infographic

Get in touch and discover how we can help make things easier.

Call us on 01606 336200, or fill in the form below.