Phishing is booming business. Not only do over half of all internet users receive at least one phishing email per day, research also shows that nine out of ten successful cyber-attacks start with a phishing email.

Phishing emails come in several forms, including free software, unexpected prizes, lottery scams, password changes and unauthorized access to your account. If I had believed every phishing email I received in the last year, I would have won about 37 iPhones and 12 iPads. So how come phishing attacks are still so effective?

Spear phishing attacks

Nowadays, people post a lot of information on social networks like LinkedIn, Facebook and Instagram. It is hard to blame attackers for using your contacts, interests and backstories to make their phishing mail look more genuine. These so-called targeted spear phishing attacks were recently in the news for their use in big CEO fraud scandals. The attacker impersonated a high-level executive in order to divert payments to a fraudulent bank account, usually targeting a finance department. In some cases this Business Email Compromise (BEC) even led to redundancies.

How to detect a sophisticated phishing email

No matter what companies do, some phishing emails will always make it to their employees' inboxes. Unfortunately, these messages can have far-reaching, mostly financial, consequences. Even for a trained eye it is sometimes difficult to identify a sophisticated phishing email. However, the following tips should help you tell what is real from what is not.

1. Don’t trust the display name

To: You
From: Bank Corp.
Subject: Important! Your Bank account will be closed.

A favorite phishing tactic is to confuse the receiver by spoofing the display name of an email. Most larger companies found that nearly half of the email threats they saw used the company name as a spoofed display name. In the above example it seems that you received an email from Bank Corp, but the display name is in fact attached to a similar-looking Gmail account.

2. Validate the sender

Did you expect this email? Is the sender someone you know? If you are in doubt – you are only one call away from validating the sender. Even if the sender address looks familiar, you might be taking the bait of a fake domain. Registering a .com top-level domain name with a registrar only costs about $9 a year. Domain names that look like yours are commonly registered to confuse their targets:

  • A common misspelling of the intended domain:
  • A misspelling based on typos:
  • A differently phrased domain:
  • A different top-level domain:
  • The abuse of country code top-level domains like .cm, .co or .om:

Email received from these phishing domains can easily be overlooked.
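The look-alike patterns listed above, and the display-name spoof from tip 1, can be checked mechanically before a message reaches a human. The script below is an added example, not code from the original post or from the author; it assumes a placeholder legitimate domain bankcorp.com and constructed sample From: headers, and it classifies each sender domain as legitimate, a look-alike (misspelling, different phrasing, different TLD or a confusable country-code TLD such as .cm) or unrelated, flagging a trusted display name over a non-legitimate address.

```python
import re
from email.utils import parseaddr

# Constructed placeholder: the organisation's own domain(s). In practice load
# this from your inventory of registered domains.
LEGITIMATE_DOMAINS = {"bankcorp.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete or substitute one character = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (second-level label, top-level domain) for a 'name.tld' domain.
    Subdomains are ignored here; the full string is still inspected below."""
    parts = domain.lower().strip().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify_sender_domain(sender_domain: str, legit_domains=LEGITIMATE_DOMAINS):
    """Return (verdict, reason) with verdict 'legitimate', 'lookalike' or 'unrelated'."""
    sender_domain = sender_domain.lower().strip().rstrip(".")
    if sender_domain in legit_domains:
        return "legitimate", "exact match"
    name, tld = split_domain(sender_domain)
    squashed = re.sub(r"[^a-z0-9]", "", sender_domain)  # e.g. 'bank-corp.com' -> 'bankcorpcom'
    for legit in legit_domains:
        lname, ltld = split_domain(legit)
        if name == lname:
            # Same name, other TLD: .cm, .co and .om are all one edit away from .com
            if edit_distance(tld, ltld) == 1:
                return "lookalike", f"confusable country-code TLD .{tld} instead of .{ltld}"
            return "lookalike", f"same name under a different TLD (.{tld} instead of .{ltld})"
        distance = edit_distance(name, lname)
        if 0 < distance <= 2:
            return "lookalike", f"misspelling or typo of {lname} ({distance} edit(s))"
        if lname in squashed:
            return "lookalike", f"differently phrased domain containing '{lname}'"
    return "unrelated", "no resemblance to a legitimate domain"


def inspect_from_header(from_header: str, legit_domains=LEGITIMATE_DOMAINS):
    """Split a From: header into display name and address, classify the address's
    domain, and flag a trusted display name sitting on a non-legitimate address
    (the display-name spoof from tip 1)."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    verdict, reason = classify_sender_domain(domain, legit_domains)
    shown = re.sub(r"[^a-z0-9]", "", display_name.lower())
    display_name_spoof = verdict != "legitimate" and any(
        split_domain(legit)[0] in shown for legit in legit_domains
    )
    return {
        "display_name": display_name,
        "domain": domain,
        "verdict": verdict,
        "reason": reason,
        "display_name_spoof": display_name_spoof,
    }


# Constructed sample headers (placeholders, not real senders).
SAMPLE_FROM_HEADERS = [
    '"Bank Corp." <support@bankcorp.com>',
    '"Bank Corp." <security@bamkcorp.com>',
    '"Bank Corp." <alerts@bankcrop.com>',
    '"Bank Corp." <helpdesk@bankcorp-secure.com>',
    '"Bank Corp." <support@bankcorp.cm>',
    '"Bank Corp." <support@bankcorp.net>',
    '"Bank Corp." <bankcorp.support@gmail.com>',
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        result = inspect_from_header(header)
        flag = " DISPLAY-NAME SPOOF" if result["display_name_spoof"] else ""
        print(f"{result['domain']:<22} {result['verdict']:<11} {result['reason']}{flag}")
```

The Gmail sample is the interesting edge case: its domain is unrelated to bankcorp.com, so domain matching alone passes it, and only the combination of a trusted display name with a non-legitimate address catches it. Such a check belongs in the gateway or a mail-flow rule, not in the user's head.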

3. Urgent messages are not often sent through email

A sense of priority or urgency is a common phishing tactic. Beware of content like “log in now”, “your account has been suspended” or “unauthorized login”.

4. Check for spelling and design mistakes

You may expect proper grammar and a uniform design from a respectable company. Spelling mistakes can indicate the poor translations used in phishing. Look at the example below to see that it looks nothing like an update advisory from ING Bank. Luckily, a Secure Email Gateway tagged the message as [SPAM].

One of many phishing campaigns targeting customers of ING.

5. Identify malicious attachments

Malware is often spread as a malicious email attachment, in a zip file or a weaponized Office document. Did you expect a password-protected zip archive or a macro-enabled Word document from this sender? No? Don’t open it and inform your security team immediately.

Opening the attachment in preview mode can be enough to get malicious code running in memory. Most Secure Email Gateways support antivirus scanning, but it is often based on signature databases, which is not very effective.

6. Avoid the spam folder

It may be hard to believe, but some people actually search through their spam folder to check the email they have received. Every now and then a legitimate email ends up in this folder, but if a message is there, it probably is for a good reason. Leave it right where it is: in the spam folder.

Is there more we can do?

Every day 14.5 billion spam messages are sent. Luckily, spam filters and Secure Email Gateways catch most of them before they reach the recipient. Modern email gateways can help detect malicious attachments, impersonation and fraudulent emails, and can also provide encryption and data loss prevention.

Your next step is to implement Domain-based Message Authentication, Reporting and Conformance (DMARC), an important measure to ensure the integrity of the inbound email domain.

DMARC is a protocol that improves email security and can be thought of as a policy layer on top of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). DKIM signs messages to prevent a domain being used for email spoofing, while SPF defines which mail servers are allowed to send email for the domain.

Implementing DMARC should be on your cyber security roadmap, if it isn’t already. It’s not that difficult! Maybe next time you’ll actually win the newest iPhone!

Sven Mik

What drives me the most is helping companies and individuals to the next step in their cyber security maturity level. This drive, my technical knowledge and my passion for cyber security are why customers often see me as a trusted advisor.