Email Phishing, what is it?

example of phishing email

Blog #2 Email Phishing by Librarian Nicholas Saturno 

What is phishing? 

Phishing is one of the easiest forms of cyberattack for criminals to carry out, and one of the easiest to fall for. It's also one that can provide everything hackers need to ransack their targets' personal and work accounts. 

Usually carried out over email, although the scam has now spread beyond suspicious emails to phone calls (so-called 'vishing'), social media, text and messaging services ('smishing') and apps, a basic phishing attack attempts to trick the target into doing what the scammer wants. 

That might be handing over passwords to make it easier to hack a company or altering bank details so that payments go to fraudsters instead of the correct account. 

Phishing is also a popular way for cyber attackers to deliver malware: the victim is encouraged to download a document or visit a link that secretly installs a malicious payload, which may be a trojan, ransomware (malware and ransomware will be explained in more detail in future blogs) or any number of other damaging and disruptive tools. 

How does a phishing attack work? 

A basic phishing attack attempts to trick a user into entering personal details or other confidential information, and email is the most common method of performing these attacks. 

The sheer number of emails sent every single day means that it's an obvious attack vector for cyber criminals. It's estimated that 3.7 billion people send around 269 billion emails every single day. 

Researchers at Symantec suggest that almost one in every 2,000 of these emails is a phishing email, meaning around 135 million phishing attacks are attempted every day. 

Why is phishing called phishing? 

The overall term for these scams, phishing, is a modified version of 'fishing', except that in this instance the one doing the fishing is the crook, trying to catch you and reel you in with a sneaky email lure. 

It's also likely a reference to hacker history: some of the earliest hackers were known as 'phreaks' or 'phreakers' because they reverse-engineered phone systems to make free calls. 

What do phishing scams look like? 

The 'spray and pray' is the least sophisticated type of phishing attack, whereby basic, generic messages are mass-mailed to millions of users. These are the 'URGENT message from your bank' and 'You've won the lottery' messages that look to panic victims into making an error, or blind them with greed. Some emails attempt to use fear, suggesting there's a warrant out for the victim's arrest and they'll be thrown in jail if they don't click through. 

Schemes of this sort are so basic that there's often not even a fake web page involved; victims are often just told to respond to the attacker via email. Sometimes emails might play on the pure curiosity of the victim, simply appearing as a blank message with a malicious attachment to download. 

Signs of phishing: Poor spelling and grammar 

Many of the less professional phishing operators still make basic errors in their messages, notably when it comes to spelling and grammar. 

Official messages from any major organization are unlikely to contain bad spelling or grammar, and certainly not repeated instances throughout the body. A poorly written message should act as an immediate warning that the communication might not be legitimate. 

It's common for attackers to use a service like Google Translate to translate the text from their own first language, but despite the popularity of these services, they still struggle to make messages sound natural. 

How to spot a phishing link 

It's very common for email phishing messages to coerce the victim into clicking through a link to a fake website designed for malicious purposes. 

Many phishing attacks will contain what looks like an official URL. However, it's worth taking a second, careful look. 

In some instances, it can simply be a shortened URL, whereby the attackers hope the victim won't check the link and will just click through. In other instances, attackers will take a minor variation on a legitimate web address and hope the user doesn't notice. 

Ultimately, if you are suspicious of a URL in an email, hover over it to examine the destination address and, if it looks fake, don't click on it. Check that it is exactly the URL you would expect and not one that looks similar but differs slightly. 

How to protect against phishing attacks 

Training, training and more training. It might seem like a simple idea, but training is effective. Teaching staff what to look out for when it comes to a phishing email can go a long way to protecting your organization from malicious attacks. 

Exercises allow staff to make errors, and crucially learn from them, in a protected environment. At a technical level, disabling macros on computers in your network can play a big part in protecting employees from attacks. Macros aren't designed to be malicious; they're designed to help users perform repetitive tasks with keyboard shortcuts, but attackers abuse them to run malicious code from an attached document. 

Recognizing phishing email scams 
What are some general clues that an email isn’t legitimate but is instead a phishing email? 

Grammatical errors 
Many phishing emails are filled with grammatical errors, odd capitalization, and misspellings. The emails might also contain odd phrases or sentences that sound a bit off. Read your email aloud. If something doesn’t sound right, or professional, be suspicious. It could be a phishing attack. 

Low-resolution logo 

Phishers will often cut and paste the logos of government agencies, banks and credit card providers into their phishing emails. If the logo is of low quality (fuzzy, indistinct or tiny), this is a sign that the person contacting you doesn’t really work for that company. 

Odd URL 
One of the easiest ways to tell if an email is a scam? Hover over whatever link the message is asking you to click. This will show the link’s URL. Often, you’ll see that the URL doesn’t belong to whatever company is supposedly sending you the message. 

Again, this is a sign that a scammer is trying to trick you. Just be careful when hovering. You don’t want to accidentally click on the link. 

How can you tell it’s fake? 

This is a well-done scam. There is one tell-tale sign that the email is fake, though. If you click on the link and access the spoofed website, the domain name displayed in your browser’s address bar will end in “.cf”. That is the country-code top-level domain for the Central African Republic, not one a U.S. bank would use. That’s why it’s smart not to click. Instead, hover over the link to see the true address. 
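As an added defensive example (not code from the original blog post or from Norton), here is a small Python checker that applies the hover-and-inspect advice from the 'How to spot a phishing link' and 'Odd URL' sections: given a link and the brand's real domain, it flags shortened links, a top-level domain that differs from the expected one (the '.cf' case above), a brand name buried in a subdomain, and near-miss spellings. The shortener list, the two-label "registered domain" simplification and the sample links are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlparse
# Assumption for illustration: a short list of common link shorteners.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Reason codes returned by check_link, with the advice each one carries.
REASONS = {
    "shortener": "shortened link hides the real destination; unshorten it first",
    "tld_mismatch": "top-level domain differs from the brand's real one (e.g. .cf instead of .com)",
    "brand_in_subdomain": "brand name appears in the host but is not the registered domain",
    "lookalike": "registered domain is a near-miss spelling of the brand's domain",
    "unrelated": "registered domain has nothing to do with the brand",
}

def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def check_link(url: str, expected_domain: str) -> list[str]:
    """Return reason codes explaining why url does not belong to expected_domain.
    An empty list means the link's registered domain matches the brand."""
    expected = expected_domain.lower()
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    if not host:
        return ["unrelated"]
    domain = registrable_domain(host)
    if domain in KNOWN_SHORTENERS:
        return ["shortener"]
    if domain == expected:
        return []
    reasons = []
    if domain.rsplit(".", 1)[-1] != expected.rsplit(".", 1)[-1]:
        reasons.append("tld_mismatch")
    if expected in host and not host.endswith("." + expected):
        reasons.append("brand_in_subdomain")
    # Near-miss spellings such as sumtrust.com vs suntrust.com score high here.
    similarity = SequenceMatcher(None, domain, expected).ratio()
    reasons.append("lookalike" if similarity >= 0.8 else "unrelated")
    return reasons
if __name__ == "__main__":
    # Constructed sample links, modelled on the examples discussed in the post.
    samples = [
        ("https://www.suntrust.com/login", "suntrust.com"),
        ("http://bit.ly/3abc", "suntrust.com"),
        ("https://suntrust.com.account-verify.cf/", "suntrust.com"),
        ("https://sumtrust.com/secure", "suntrust.com"),
    ]
    for link, brand in samples:
        codes = check_link(link, brand) or ["ok"]
        print(link, "->", "; ".join(REASONS.get(c, c) for c in codes))
```

The similarity threshold is a heuristic; treat any non-empty result as a reason to stop and verify the address rather than as proof of fraud.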

Phishing examples courtesy of https://us.norton.com/  

Phishing email example: Account temporarily suspended 

example of phishing email

You might receive a notice from your bank or another bank that you don’t even do business with stating that your account has been temporarily suspended. Why? According to the email, your bank has discovered unusual activity on your account and has decided to shut it down to protect you. 

The email will then ask you to click on a link to reactivate your account. This link will take you to a fake page that asks for your user ID and password. 

This, of course, is fake. When you enter your account information, you’ll be giving it directly to a scammer. 

How can you tell it’s fake? 
There are usually several clues that such emails are fake. First, look for spelling or grammatical errors. In the example above, supposedly sent by SunTrust, you’ll see that the sentence “We recently contacted you after noticing on your online account, which is been accessed unusually” doesn’t really make any sense. 

If you hovered over the Suntrust.com link in the live version of the image above, you’d see a link to a shortened URL at bit.ly. If you unshorten that link, you’ll discover that it leads to a pet-food company in Israel, not to SunTrust. 

Phishing email example: Tax refund scam 

example of phishing email

Getting an unexpected windfall of cash? Who wouldn’t want that? Be careful, though: If someone sends you an email saying that you’re due a refund or cash prize of some sort, it’s usually a scam. Consider a common version of this, the IRS refund phishing attempt.

You might receive an email that looks like it comes from the IRS. The headline will promise that you are owed a refund from the agency and that you can claim it online. The body of the message will usually state that the IRS made an error in calculating your tax bill, and now owes you money, maybe hundreds of dollars. 

When you click on the link included in the email to claim the alleged refund, you’ll either run into a spoof site designed to trick you into giving up personal and financial information or your computer or device could be exposed to malware. 

How can you tell it’s fake? 
There are clues to alert you that this message is fake. The biggest, though, is the message itself. The IRS will never email you to ask for your personal information. If you get a message saying that the IRS owes you money, call the government agency yourself to check. The odds are high that the IRS doesn’t owe you anything and that a scammer sent you the message. 

Phishing email example: Netflix phishing scam 

example of phishing email

You never want your Netflix account to go down. But don’t worry about that email claiming your Netflix account is on hold. It’s a fake. 

The Netflix account-on-hold scam is a popular one, probably because so many of us rely so heavily on Netflix for entertainment today. In this scam, criminals send an email, supposedly from Netflix, complete with the company’s logo, saying that the company is having trouble with your current billing information. You’re then asked to click on a link to update your payment method. 

You know the rest: The link is a spoof site. When you enter your credit card information, you’re sending it directly to cybercriminals. 

How can you tell it’s fake? 
Again, Netflix won’t reach out to you through email to request your personal information. If you receive a message like this from Netflix, call the company directly to determine if you really do need to update your account. 

Also, pay attention to the language of emails like this. In this example, the scammers behind the email start their message with the salutation "Hi Dear." No business would address its customers in that way. 

Phishing email example: CEO phishing scam 

example of phishing email

Some phishing attempts have limited targets but the potential for big paydays for crooks. A good example? The CEO phishing attempt. 

Scammers send these emails to the employees of specific companies. The trick is that these messages come from addresses that appear to belong to the chief executive officer, chief financial officer, or other highly placed executive in a company. The email will ask the employee to wire money — often thousands of dollars — to a vendor or client. Only later does the employee realize that the message was a scam.