Phishing is a common social engineering attack by which a fraudster sends out a malicious email and attempts to lure a recipient into clicking on an attachment or URL. These types of scam emails have been around for years, but according to Verizon's 2016 Data Breach Investigations Report, employees continue to struggle with identifying them.
Over the past year, Verizon recorded 9,576 phishing incidents, 916 of which were confirmed data breaches. Recipients opened the phishing messages 30 percent of the time. On average, they took one minute 40 seconds to open the attack email, and they took just three minutes 45 seconds to click on the malicious attachment.
Those figures clearly demonstrate the risk phishing attacks pose to organisations. But that's not the whole picture.
Let's look at those statistics again. Recipients took one minute 40 seconds to open the attack email and three minutes 45 seconds to click on the malicious attachment. According to Verizon, users targeted by phishing emails took at least two minutes to click on the malicious attachments after opening the emails, which means they potentially had time to investigate each phish further. Had they known what to look out for, they could have even spotted some of the more obvious and poorly crafted phishing emails sent to their inboxes.
Education goes a long way in preventing a successful phish. With that being said, here are nine tips you can use to spot a phishing scam.
Standard phishing emails provide recipients with a link that directs them to a malicious website. There, a fake login form often greets users and asks for their account credentials, though attackers have been known to customise the form to include additional fields for victims' addresses, Social Security numbers, credit card numbers, and other sensitive personal information.
Always remember that a reputable company will never ask for this type of information by email.
Attackers try to trick users into believing that a phishing link is the URL of a legitimate company. They do this by linking their malicious URL to familiar and trusted text, such as "www.microsoft.com." If users hover over the hyperlinked text, they will see the URL actually links to a malicious destination.
Attackers know about the hover check, so they commonly register malicious domains that are an exact copy of legitimate URLs except for the top-level domain. For example, phishers might hyperlink "www.microsoft.zip" to "www.microsoft.com." They might also use domains that add or remove characters or words from trusted URLs, such as "www.micros0ft.com," "www.microsof.com," and "www.orders.microsoft.com." Users can still spot the difference, but they must be vigilant when investigating suspicious links.
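The hover check and the look-alike domains described above can be automated on the defender's side, for example in a mail-filtering hook. The following Python is an added example and not code from the original article: it pulls the anchors out of an HTML mail body, compares the host shown in the link text with the real link target, and flags top-level-domain swaps, one-character typos or digit-for-letter substitutions, and a trusted brand name buried inside a subdomain. The trusted-domain allowlist, the homoglyph table, and the two-label "registrable domain" shortcut are simplifying assumptions.

```python
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"microsoft.com"}  # constructed allowlist of expected senders (assumption)
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m"}  # characters commonly swapped for look-alikes
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")  # link text that itself looks like a host

def host_of(url):
    """Lower-cased host of a URL; bare 'www.example.com' text is accepted too."""
    url = url.strip() if "://" in url else "http://" + url.strip()
    return (urlparse(url).hostname or "").lower()

def registrable(host):
    return ".".join(host.split(".")[-2:])  # www.microsoft.zip -> microsoft.zip (no public-suffix list)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos such as microsof / microsoft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(display_text, href):
    """Return the reasons a hyperlink looks deceptive; an empty list means no finding."""
    actual, shown = host_of(href), display_text.strip().lower()
    shown_host = host_of(shown) if ("://" in shown or HOSTLIKE_RE.match(shown)) else ""
    reasons = []
    if shown_host and registrable(shown_host) != registrable(actual):
        reasons.append(f"text shows {shown_host} but link goes to {actual}")
    for trusted in TRUSTED_DOMAINS:
        if registrable(actual) == trusted:
            continue  # the genuine domain, including any subdomain of it
        brand, label = trusted.split(".")[0], registrable(actual).split(".")[0]
        norm = label
        for glyph, real in HOMOGLYPHS.items():  # micros0ft -> microsoft before comparing
            norm = norm.replace(glyph, real)
        if label == brand:
            reasons.append(f"{actual} reuses '{brand}' under another top-level domain")
        elif edit_distance(norm, brand) <= 1:
            reasons.append(f"{actual} is a look-alike of {trusted}")
        elif brand in actual.split(".")[:-2]:
            reasons.append(f"{actual} hides '{brand}' inside a subdomain")
    return reasons

def scan_html(html):
    return {href: check_link(text, href) for href, text in ANCHOR_RE.findall(html)}  # {href: reasons}
```

A link to a genuine subdomain such as orders.microsoft.com produces no finding, so the check does not by itself settle whether a brand's own subdomains are expected; it only surfaces links whose target is not the brand's domain at all.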
Nothing says phishing like a Nigerian prince offering huge sums of money to a user in exchange for their banking details.
Let's face it: in the real world, people don't give away luxury cars, expensive vacations, and millions of dollars. That being said, if a reward or offer seems too good to be true, it probably is.
In some cases, phishers might say they need a small payment to cover the expenses of transferring the prize money, shipping the luxury car, or booking the vacation. But don't be fooled. No legitimate contest would ever require you to pay a dime to receive your prize. In the end, the only person who stands to win in this case is the phisher.
Not all phishing attacks rely on fake giveaways. Some announce the user has won a lottery or contest, whereas others originate from compromised business email accounts and try to trick the recipient into opening a malicious attachment masquerading as an invoice or purchase order. Those ploys are clever, but they all assume people are willing to overlook something about which they have no recollection.
If you don't remember buying a lottery ticket, entering a contest, or purchasing goods and services from a vendor, chances are you didn't, which makes that email a scam. On the other hand, if you do recall doing business with another company, it's a good idea to never finalize payment details via email. Call them or meet with a representative in person to confirm the specifics of a transaction.
Phishers like to use threats in an attempt to compel users to do what they want. As a result, attack emails commonly warn recipients that if they do not respond to an email or confirm their login credentials, unspecified authorities will close their bank accounts, seize their assets, or even throw them in prison.
But don't fall for it! If the scenario specified in the phishing campaign were serious enough that you could actually end up serving prison time, someone wouldn't send you an email. They would call you, send you official documents by mail, and/or show up at your home in person. No one of any actual authority will ever make those kinds of threats by email.
What's worse than a threatening email? A threatening email that comes with a deadline.
Many phishing attacks incorporate a sense of urgency to ramp up their threats and scare the user into handing over their information. Don't give them the time of day! Legitimate organisations capable of closing your accounts, seizing your assets, and throwing you in prison would contact you days, weeks, or even months in advance. They would not contact you just hours before the deadline and demand you spring into action at a moment's notice.
Some phishing attacks don't rely on threats or a sense of urgency. Instead they play into people's curiosity by teasing an "impossible-to-believe" photograph or a celebrity sex tape. All the user needs to do is click on a URL, the email claims, and they'll be able to see the file. Don't do it; only fake login pages and malware await.
The vast majority of fraudsters who write phishing emails do not have advanced degrees in English composition. As a result, many attack emails suffer from multiple grammatical errors and spelling mistakes. Be on the lookout for these cringe-worthy emails, especially if they come from an organisation that should by all accounts have the resources necessary to proofread their official correspondence.
In this year's DBIR, Verizon found that recipients opened phishing messages only 30 percent of the time. Such a low success rate gives attackers an incentive to send out as many phishing messages as possible.
But doing so actually works against the attackers. There's no way phishers have the time (or patience) to personalise each and every one of those attack emails, so they'll send out the exact same generic attack email to each of their targets. Given that tendency, don't be surprised if you come across a phishing message that comes with the salutation "Dear Sir or Madam" and that never mentions your name.
You now have enough tools to successfully spot a phish! However, while you might be able to protect your data at home, the same cannot be said for your work files. After all, other people work at your company and share your organisation's computer system. Some of them might have neither the time nor patience to read this article. Who's going to teach them how to spot a phish?
Rather than worry about in-house training, organisations can instead opt for off-the-shelf phishing simulation software. Those solutions, such as Metacompliance's Metaphish package, allow organisations to improve their employees' phishing awareness more effectively than if they were to create their own program.